FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks

from the dangerous-ideas dept

It's no secret that some in the computer security world like the idea of being able to "hack back" against online attacks. The simplest form of the idea: if you're a company under a denial-of-service attack, should you be able to "hack" the computer coordinating that attack in order to stop it? More than two years ago, an LA Times article noted that some cybersecurity startups were already marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such "hack backs" because, among other things, CISPA would grant immunity to companies "for decisions made based on cyber threat information." Some interpreted that to mean companies would have immunity if they decided to hack back against an attacker.

A new article from Bloomberg suggests that companies are still quite eager to get involved in hacking back, and that the FBI (which supported CISPA) is investigating some cases where it may have happened. Companies like JP Morgan, however, still love the idea:

In February 2013, U.S. officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.

The article notes, of course, that such attacks likely violate the CFAA (Computer Fraud and Abuse Act), which is why some want immunity for hack backs. But hacking back is a bad idea not just because it likely breaks the law, but because it's stupid and dangerous.

First, determining who is behind a hack is quite difficult, as we're seeing lately with all the recent skepticism about the FBI's claim that North Korea was responsible for the Sony hack. The addresses an attack appears to come from are weak evidence on their own: source addresses on flood traffic can be forged outright, and reflection attacks bounce traffic off innocent third-party servers, so the machines "attacking" you may simply be other victims. Launching a counterattack against the wrong party can have serious consequences, even more so when the party on the other end turns out to be something far more capable than a group of script kiddies.

On top of that, the article notes, the hack back attempt could make the situation even worse:

Efforts to retaliate can make things worse, [Kevin Mandia] said, because attackers who aren’t purged from the network could escalate the assault or ramp up attacks on other companies targeted by the same group.

And, of course, the very real possibility that the wrong party is targeted in the hack back can create all sorts of collateral damage. Remember when Microsoft took down many thousands of sites by mistargeting a court order? Imagine that without any court even being involved.

Finally, think through the obvious consequences. If you're a malicious hacker, hack back becomes a great opportunity. Pick two separate targets you want to harm, attack one, and make it appear that the attack is coming from the other. Then sit back and watch the two of them duke it out while you laugh away.

Hacking back is a vigilante, Hollywood-movie-style idea that pays no attention to the realities of the technology or the consequences of the actions. Hopefully companies are smart enough not to follow through, and lawmakers will prevent it from being protected by law.
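The attribution problem and the two-victims trick described above, as an added example (this is not code from the Techdirt post or from the Bloomberg article it discusses). The packet records are constructed for illustration using RFC 5737 documentation addresses, and the function names are this example's own. It shows what a volume-triggered "hack back" would pick as its target, and what the traffic itself can and cannot prove about a source address:

```python
"""Why the source address on attack traffic is not evidence of who attacked you.

Added example, not code from the Techdirt post or the Bloomberg article it
discusses.  The packet records below are constructed for illustration and use
RFC 5737 documentation addresses; the function names are this example's own.
"""
from collections import Counter

# Constructed inbound records at the defender's network edge:
# (source IP, protocol, source port, TCP flags; "" for UDP).
INBOUND = (
    # A SYN flood whose source field is forged to 203.0.113.10, a third party
    # the real attacker wants the defender to blame.  A forged source never
    # receives the SYN-ACK, so no ACK from it ever arrives.
    [("203.0.113.10", "tcp", 40000 + i, "S") for i in range(50)]
    # Unsolicited DNS responses from 192.0.2.53: an open resolver that was
    # sent queries forged with the defender's address.  It is being abused as
    # a reflector; it is a victim, not the attacker.
    + [("192.0.2.53", "udp", 53, "") for _ in range(30)]
    # One legitimate client that completes the handshake and sends data.
    + [("198.51.100.7", "tcp", 51234, "S"),
       ("198.51.100.7", "tcp", 51234, "A"),
       ("198.51.100.7", "tcp", 51234, "PA")]
)

# DNS queries the defender itself sent (destination IP, destination port).
# A port-53 response from any other address is unsolicited.
OUTBOUND_QUERIES = {("192.0.2.1", 53)}


def naive_attribution(packets):
    """Pick the busiest source address, the way a volume-triggered
    'hack back' would.  On this data it returns the forged decoy."""
    return Counter(src for src, _, _, _ in packets).most_common(1)[0][0]


def sources_with_completed_handshake(packets):
    """Addresses that sent an ACK on a port they had earlier SYN'd from.
    Completing the handshake proves the address really receives our replies;
    a forged source cannot do that."""
    syn_seen, confirmed = set(), set()
    for src, proto, sport, flags in packets:
        if proto != "tcp":
            continue
        if flags == "S":
            syn_seen.add((src, sport))
        elif "A" in flags and (src, sport) in syn_seen:
            confirmed.add(src)
    return confirmed


def classify_sources(packets, outbound_queries):
    """Map each source address to what the evidence actually supports:
    'confirmed'    - two-way TCP traffic, the address is real
    'reflector'    - unsolicited UDP replies from a DNS/NTP port, a third party
                     abused with queries forged in the defender's name
    'unverifiable' - one-way packets only, the source could be anyone's"""
    confirmed = sources_with_completed_handshake(packets)
    verdict = {}
    for src, proto, sport, _ in packets:
        if src in verdict:
            continue
        if src in confirmed:
            verdict[src] = "confirmed"
        elif proto == "udp" and sport in (53, 123) and (src, sport) not in outbound_queries:
            verdict[src] = "reflector"
        else:
            verdict[src] = "unverifiable"
    return verdict


def innocent_hack_back_targets(packets, outbound_queries):
    """Addresses a retaliation keyed on inbound traffic would hit even though
    nothing in the traffic ties them to the attacker."""
    return {addr: reason
            for addr, reason in classify_sources(packets, outbound_queries).items()
            if reason != "confirmed"}


if __name__ == "__main__":
    print("busiest source:", naive_attribution(INBOUND))
    for addr, reason in innocent_hack_back_targets(INBOUND, OUTBOUND_QUERIES).items():
        print(f"  would be hit by a hack back: {addr} ({reason})")
```

The busiest address is exactly the one the attacker wanted blamed, and the reflector is a server that was itself attacked. Note the limit of the check in the other direction: "confirmed" only means the address is reachable and really sent the traffic, not that its owner is the adversary. A confirmed source can just as easily be a compromised third-party machine, which is why a completed handshake rules out the obvious decoys but is still nowhere near attribution.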

Filed Under: cybersecurity, fbi, hack back, hackback, vigilantes

Companies: jp morgan