Hacking Back Against Our Adversaries: The Debate Continues
By N. MacDonnell Ulsch, Skytop Contributor / October 27th, 2022
Mr. Ulsch is Founder and Chief Analyst of Gray Zone Research & Intelligence—China Series, a research initiative focused on unraveling China’s technology-driven strategy of global economic supremacy. He is a well-known international advisor on cybersecurity, operational risk, technology and geopolitical risk. He periodically advises the US Senate Committee on Foreign Relations on the China cyber and technology transfer threat. A former Senior Managing Director of PwC’s cybercrime practice, he has led incident investigations in 70 countries.
His research on the China threat covers the impact of legal and illegal technology transfer on China’s economic development strategy, US corporate regulatory risk pursuant to the China threat, China’s supply chain penetration, food processing and transport, technology investment, equity investment, Military-Civil Fusion as a cyber threat, and space-based revenue generating initiatives. More than 500 companies around the world read his LinkedIn China Polls, including every major bank in China.
His LinkedIn China Polls have received more than 200,000 views since June 2021 and he has more than 25,000 followers on LinkedIn from the risk, audit, legal, and security professions.
Mr. Ulsch is a strategy advisor to an East African presidential cabinet-in-exile on a counter-China Belt & Road Initiative, intended to increase the US presence and commitment to this transitioning nation-state.
Previously he was with the National Security Institute and under the Foreign Intelligence Surveillance Act he served as a cyber threat advisor to the US Central Intelligence Agency. His work there involved developing perspective on key US cyber adversary capabilities and attacks on the US commercial sector and the Defense Industrial Base. He served on the US Secrecy Commission, and worked with a well-known US Senator on information security issues. Mr. Ulsch advised a US presidential campaign on cybersecurity issues.
He is Guest Lecturer on Cyber Warfare at the US Military Academy at West Point. He has also lectured at numerous university graduate and law schools. One of his books, Cyber Threat!, is used in a number of universities and law schools. Mr. Ulsch is a Research Fellow in the Master’s in Cybersecurity program at Boston College, which he helped establish and where he remains on the advisory board.
Mr. Ulsch has spoken internationally at events and is the author of two books: Cyber Threat: How to Manage the Growing Risk of Cyber Attacks (John Wiley & Sons, 2014) and Threat! Managing Risk in a Hostile World (The IIA Research Foundation, 2008). For many years, Mr. Ulsch has been a Distinguished Fellow of the Ponemon Institute. He is a Director of the Near East Center for Strategic Engagement and Contributor to the inteliscopx.com program Homeland Security Off the Record. His videos are posted on YouTube and other social media venues.
Mr. Ulsch is an Independent Director of a financial services company, serving on the audit and risk committee, with particular focus on cybersecurity and privacy issues.
The China Poll
Every week or so we run a poll about China. We hear from risk and privacy and security professionals, as well as lawyers, IT professionals and others. Over the last 16 months or so the China Poll has been viewed more than a quarter of a million times. So while we make no claim to statistical reliability or accuracy, we do see trends developing on how these professionals view the China problem.
China and Cyber Espionage
We know that China engages in cyber espionage. Though it denied this for years, China now openly acknowledges that it is a nation-state engaged, illegally, in breaking into the computer systems of governments and corporations. It steals technology and business secrets to support its strategic growth agenda. China uses these secrets to enhance its own technology development, which is, as the Chinese Communist Party has openly stated, suffering from deficient innovation. Advanced technology is used to make China more competitive. Take the case of United States Steel Corp., the victim of China’s People’s Liberation Army (PLA).
What started out as a strategic joint venture between China’s Baosteel and US Steel turned out to be a treasure trove of intellectual property, trade secrets and proprietary business information. The PLA’s threat through cyber espionage ran from approximately 2006 to 2014.
What was the impact of the PLA’s theft from US Steel? Consider that in 1999 China had a 13% market share of global steel demand. After it ravaged US Steel, by 2015 its market share swelled to 49%. And it is said that crime does not pay.
The Question of Hacking Back
Give them a taste of their own medicine?
This raises an often-asked question: why don’t companies that are breached by the electronic armies of China, Russia, North Korea or Iran, for example, just hack back at the intruders? Give them a taste of what these cyber attacking nations are dishing out to everyone else. You hack into one of our companies and we’ll hack five of yours. If only it were that simple.
We asked that question in the China Poll this year. What we learned was surprising. The majority of poll respondents said they wanted to hack back at the cyber intruders. We were surprised by the results, and here’s why.
The Problems with Hacking Back
Hacking back is against United States law, for one thing. A commercial enterprise or individual that hacks back at another country or company can land in a lot of hot water. Technically, you could be charged with conspiracy to commit computer fraud and abuse or accessing a protected computer without authorization. You could be charged with transmitting a program or code or command, for example, with the intent to damage a protected computer.
What if the hacking victim launched a counterattack against the presumed cyber attacker, but actually attacked an innocent party, who then becomes a victim and decides to hack back? We then have two victims hacking back against each other while the true attacker remains unidentified.
Or what if that adversary country was in a joint venture with a US or other allied nation’s commercial industry? How would that look? You could be charged with economic espionage, trade secret theft or even aggravated identity theft, depending on the laws of the country in question. But legal sanctions are not the only reason why it is dangerous to hack back.
Obfuscating the Real Source
Hacking back can be dangerous
Skilled hackers have been known to redirect cyber attacks, a method to obfuscate the real source of an attack. Several years ago a cyber attack directed at a US military base appeared to be coming from a US university. If the military installation had hacked back, they would have targeted the wrong computer systems, unleashing a torrent of criticism resulting in a loss of confidence and potential litigation. China was behind this particular attack, but made it look like the attack originated at the university. This happens all of the time. That’s one thing about the dark veil of the shadowy Internet. Things are not always as they seem.
Risks of Hacking Back
Here are a few reasons not to hack back. First, as said, it is against the law, in the US and other countries. Second, there is a real possibility you could launch an offensive against the wrong party. Third, most IT security professionals are not skilled offensive hackers and likely lack the skills to engage in episodic or protracted cyber combat against a skilled nation-state adversary that trains for these attacks every day. Cyber security professionals and most cyber defense systems are most often trained and experienced in defensive operations to repel attackers. Fourth, your well-intentioned cyber transgressions may escalate your legal, financial, regulatory, reputation, governance, and ethics risk.
The Urge to Hack Back
Remember this: if your company spends $X to defend against cyber attacks and espionage, the attacking enemy may spend ten times or a hundred times that amount based on how badly they need what you have.
If you find yourself with the pressing urge to hack the hacker, it would be wise to borrow a line inspired by the Hippocratic Oath: first, do no harm. As has been said, discretion is often the better part of valor.
Who wouldn’t want to hack back!
The Law and Circumstances Against Hacking Back
It’s understandable. You get hacked, you want to fight back. But in reality, the law and circumstances are against you. Any justification for hacking back at your adversary, unless you are a trained government offensive cyber attack organization, would require several things. First, we would need to change our laws to accommodate breaking into our presumed adversary’s computer systems. Second, we would need to reorganize our entire approach to cyber security defense, including offensive cyber operations. This would require special in-house or external cyber forensic teams able to identify the true attack source with a high level of certainty. And this state of cyber readiness does not currently exist in corporate America or anywhere else amongst our allies in industry.
Best Left for the Professionals
Offensive cyber attack operations are best left for the professionals in the employ of specific government offensive cyber security forces. Ask any seasoned corporate general counsel or chief information security officer about the risks of hacking back. They will tell you the same thing: let the military and intelligence professionals with specialized training handle it. It’s not worth the risk.
Different Talents, Different Tools
Think of it like this. You have someone who is going to break into your home and steal your valuables. Now imagine you are the homeowner. The thief has a different motive than you. The thief needs tools that can be used to break into your home. You need tools to defend your property, and these tools are different from those of the criminal. A good defensive homeowner would not necessarily make an effective thief. Different talents. Different tools.
Let It Go
So while it is understandable why you would want to retaliate, let it go. Those in the China Poll who favored hacking back were likely frustrated by generally inadequate cyber defenses throughout industry and governments’ apparent reluctance to engage in a meaningful cyber war against our adversaries for fear of igniting a broader conflict. I get it. It is very frustrating.
Challenges Ahead
There are a lot of challenges ahead. Our cyber adversaries are growing, expanding their cyber reach and effectiveness, integrating new technologies into their cyber arsenal. Make no mistake: China and Russia are our primary cyber adversaries. Until we bring a unified, multinational cyber defense, based on economic, geopolitical and military consequences, we will make little progress in stemming the tide of cyber attacks against our infrastructure and commercial interests.
More Effective Management
Corporate hacking back is not the answer. The answer lies in more effective management of our adversaries founded upon greater government and industry and allied nation cooperation. Our enemies and adversaries won’t stop. The threat increases with every passing day. We even help our adversaries and enemies get access to the very technologies they use against us. This has to stop.
Cyber Threat Number One
China is cyber threat number one. China’s strategic grasp of minerals, markets, and Belt and Road Initiatives in developing nations ensures its strategic cyber attack capability and future. Its strategic acquisition and transfer of advanced technologies through means legal and illegal continue to enable and embolden its mission and agenda.