For years, the United States has wrestled with this question: Should a private company be able to retaliate when it's targeted by a cyberattack?
Sen. Sheldon Whitehouse, D-R.I., raised the specter of “hacking back” once more on Tuesday when he argued for a more transparent process in which a private company could approach the government for permission and guidelines on retaliation.
“If [a major CEO] wanted permission to figure out how to hack back, I don’t think he’d know what agency’s door to knock on to actually give him an answer,” Whitehouse said at a Judiciary Committee hearing on Tuesday. The Senator asked for written responses from the Department of Homeland Security and Office of the Director of National Intelligence about where a private sector actor could go to get an answer on the prospect of hacking back.
“We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression,” Whitehouse, the ranking Democrat on the Judiciary Committee’s subcommittee on crime and terrorism, said.
The issue has long been open in Washington, D.C. Last year, Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Ariz., introduced a modified Active Cyber Defense Certainty (ACDC) Act that would allow American companies to “hack back” — Graves and Sinema prefer the term “active defense” — against adversaries.
The idea has a long list of loud opponents. Even within the hearing, the CEO of the energy firm Southern Company, Thomas Fanning, said that retaliation and offense ought to be the government’s jobs.
Private sector proponents of hacking back have been intentionally quiet. Graves has continuously declined to reveal the private sector backers for his ACDC bill.
Rumors of active hacking back measures being taken by companies persist, but evidence of such activity is slim. To Whitehouse’s point, that’s due in significant part to the fact that there doesn’t seem to be an obvious place for private sector actors to talk to the federal government about the issue.
A bit of transparency and clarity on this point might open up a wider conversation. Critics worry it also might open up Pandora’s Box.
Last year, Bobby Chesney, a professor at the University of Texas School of Law, wrote about some of the major potential downsides to hacking back.
“The catch is that it is hard to open the door wide enough to make a genuine difference for victims, without opening the door to a host of unintended problems under two big headings: mistaken attribution and unintended collateral impacts,” Chesney wrote. “Put more directly, it is not hard to see how the more aggressive forms of active defense might result in harm to innocent parties. Some amount of risk along those lines may be worth it, depending on the benefits also obtained; it’s just awfully hard to know for sure.”