Why companies should never hack back

After major cyberattacks on the Colonial Pipeline and on meat supplier JBS, the idea of allowing companies to launch cyberattacks back at cyber criminals was proposed. This prompted a hot debate amongst government and industry leaders on the feasibility and risks of adopting a retaliatory stance.

The idea of hacking back is very tempting. It’s human nature to want justice when you’ve been wronged. However, while hack back is gaining traction as a hot topic with some legal minds and policymakers, this approach is shortsighted and very likely to have unintended consequences. Here are some reasons why retaliating against cyberattacks is a bad idea and what organizations should do instead to stay ahead of adversaries.

The dangers of hacking back

While the FBI’s partial recovery of the ransom paid by Colonial Pipeline showed that cybercriminals are not untouchable, launching cyberattacks against them still carries enormous risks. From inadvertently targeting innocent bystanders’ devices to escalating a cyber conflict, a lot can go wrong. The fact is, attribution is very difficult to accomplish, especially when it comes to advanced or highly sophisticated adversaries.

Even businesses with significant resources will find it difficult or even impossible to attribute cybercrime activities successfully and accurately. Attempting to hack back an adversary could have geopolitical implications that go well beyond the scope of the individual business, and with the possibility of false-flag operations, a counterattack can spark a wider cyberwar.

Furthermore, these attacks will be purely retaliatory and the chances of getting data back are slim, so there is little to be gained. Allowing companies to openly retaliate will only normalize and rationalize the activity currently on display by bad actors, which will inevitably lead to escalation. Hacking back should be left for the government, while businesses can play a supporting role in cooperating with security guidelines and instructions, which was how the FBI succeeded against the DarkSide hacker group.

What companies should do instead

Since businesses cannot go on the offensive, they must double down on their defenses….