Abstract

In cyberspace attackers enjoy an advantage over defenders, which has popularized the concept of active defense--offensive actions intended to punish or deter the adversary. This article argues active defense is not a practical course of action to obtain tactical and strategic objectives. Instead, aggressive defense, a proactive security solution, is a more appropriate option.

The ability to retaliate against attackers--irrespective of the legalities of such actions--appears to have gained traction in the United States government, but is it a practical response for achieving tactical and strategic objectives in cyberspace? Attribution limitations, collateral damage considerations, the Internet's global architecture, and potential event escalation make active defense an ineffective course of action destined to achieve limited tactical successes at best, and it risks accelerating digital as well as physical conflict. Too many variables prevent active defense from deterring or punishing adversaries in cyberspace. For that reason, this article advocates a more productive solution--aggressive defense--to frustrate attackers via nondestructive or damaging activities.

A Note on Terminology

There are no internationally accepted definitions for cyber attack and defense. In its 2011 Strategy for Operating in Cyberspace, the US Department of Defense defines active defense as:

... synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities ... it operates at network speed by using sensors, software, and intelligence to detect and stop malicious activity before it can affect DOD networks and systems. (1)

Using this designation as a baseline, the following definitions have been adopted for the purposes of this article:

* Cyber Attack: Actions ranging from network exploitation for information collection/data theft to attacks designed to deny, degrade, disrupt, or destroy an information system, an information network, or the information resident on them. Examples include distributed denial-of-service attacks and the insertion of malware designed to destroy information systems or the information resident on them, such as Stuxnet or Shamoon.

* Active Cyber Defense: A range of offensive damaging or destructive actions, such as counterhacking, that engage an adversary during or promptly after an initial attack. Active defense does not include nonviolent actions such as diplomatic or economic sanctions. Examples include counterhacking and technical countermeasures with weaponized payloads.

* Passive Cyber Defense: A range of defensive actions taken to protect the confidentiality, integrity, and availability of information systems and networks through the use of layered network security devices, processes, and countermeasures that protect the integrity of the information assets in an enterprise. Examples include firewalls, intrusion detection systems, and host-based intrusion detection systems.

* Aggressive Cyber Defense: A range of aggressive passive and active defensive actions, used in concert with one another, that identify, deceive, and frustrate attackers into giving up and moving elsewhere. Examples include severing connections between targeted computers and the attacking command and control servers, as well as redirecting hostile traffic to a benign target or destination.

Active Cyber Defense

The United States faces increasing threats, capable of targeting the private and public sectors, from a diverse set of actors. Director of US National Intelligence James Clapper identified cyber as the top threat facing the United States, over traditional high-profile threats such as terrorism and weapons of mass destruction. (2) Cyber crime, hacktivist-related distributed denial-of-service attacks, and espionage have prompted policymakers to develop deterrence strategies. …
