The paper “Mitigating Cyber-Attacks by Destructively Counter-Striking against Attackers” is a convincing variant of literature review on information technology. Lobby groups and IT security professionals are calling for new regulations that would enable private companies to counter-strike or retaliate effectively against cyber attackers. Hacking back is deemed the most suitable way for governments and companies to mitigate cyber-attacks, since the existing measures have proven to be unproductive. The proponents of counter-strikes emphasise that allowing companies to hack back would reduce the risk of being attacked repeatedly and also make it possible to protect their key intellectual properties (IPs).
Many private companies, especially in America, have implemented new cyber defence technology with the aim of upgrading conventional cyber protection systems. Besides that, these companies have developed more aggressive strategies to reduce cyber attacks. Active defence, also referred to as ‘counter-strikes’ or ‘hack back’, is the process of reverse-engineering the cyber attackers’ efforts with the goal of stopping or reducing cybercrimes through the identification of attacks against the system as well as their origin. Counter-strikes are considered aggressive defensive actions, like getting back what has been stolen.
The objective of this piece is to demonstrate why private companies and governments can mitigate a cyber-attack by destructively counter-striking against attackers. The mitigative counter-strikes should entail liability rules for protecting third parties in case the process of hacking back harms a party other than the targeted attacker. This study will also demonstrate why counter-striking is a proactive policy for helping insulate critical services from damage and mitigate harm from potential attacks.
Analysis
Given that counter-strikes are by nature similar to hacking, Tang (2015) posits that the public is yet to agree on their legality.
The legality of active defence depends on the exigency of the circumstances, but proponents maintain that it is sufficiently justified as long as the users have proper intent. On the other hand, opponents maintain that counter-strikes are not only an infringement of law but also morally and legally wrong. The majority of opponents argue that active defence without clear restrictions can lead to huge risks of misunderstanding or misattribution. Tang (2015) emphasises that the challenges associated with differentiating aggressive counter-strikes from actual hacking could result in serious legal issues.
However, this is not the case in the modern business world, where demand for highly developed cyber protection technologies and a secure cyber environment has increased tremendously. A number of commentators, as cited by Tang (2015), have emphasised that active defence has to be espoused as a means of preventing cyber attacks, considering that private companies are not receiving adequate help from their respective governments. While the government has failed to protect private individuals and companies from ever-increasing cyber-attacks, the private sector is justified in taking action.
A number of private organisations have implemented self-help strategies, but the government has still not offered clear guidance regarding these strategies. Therefore, such actions could become risky. In their study, Kesan and Hayes (2011) observed that the weaknesses of other techniques used to address cyber attacks have necessitated the use of counter-strikes as a means of responding to, as well as mitigating, the harm brought about by cyber attacks. According to Kesan and Hayes (2011), the growing gap between cyber-attack capabilities and passive defence capabilities has created the need for using active defence systems to address such issues.
Whereas some consider counter-strikes as offensive actions for neutralising a looming threat, Kesan and Hayes (2011) consider them as the start of the detection stage. Active defence involves three different forms of technology: counter-strike, traceback, and IDS capabilities. In this case, counter-strikes entail some means of transmitting data back at the cyber attacker with the aim of disrupting the attack. As mentioned by Kesan and Hayes (2011), counter-strikes have been utilised for many years not only by the government but also by private actors.
The mitigative counter-striking technology needs some regulations that would offer guidelines on how companies or government agencies can detect, trace, and destructively counter-strike the attacker. The United States’ government is currently utilising STRATCOM, whose objective is to neutralise all cyber threats that could put the effectiveness of DOD missions at risk. For instance, when the DOD system is attacked by a DDoS attack through a botnet, the neutralisation responses could possibly involve conquering the botnet by hacking the botnet controller or compromising the botnet controller by sending a DoS attack.
Although the majority of U.S. counter-striking capabilities are classified, private individuals or companies can use software to send destructive viruses to a cyber attacker.
Bradbury D (2015) Should we hack the hackers? The Guardian, Available from https://www.theguardian.com/technology/2015/mar/09/cybercrime-should-we-hack-the-hackers (accessed 18 May 2017).
Condron SM (2007) Getting It Right: Protecting American Critical Infrastructure in Cyberspace. Harvard Journal of Law & Technology 20: 401-422.
European Parliament (2011) Cyberdefense in the EU Preparing for cyber warfare? Brussels: European Parliamentary Research Service.
Georgiades E, Caelli W, Christensen S, and Duncan W (2013) Crisis on Impact: Responding to Cyber Attacks on Critical Information Infrastructures. The Journal of Information Technology & Privacy Law 31: 31-66.
Goodman SE, Hassebroek P, and Klein H (2003) Network Security: Protecting our critical infrastructures. Atlanta, Georgia: Visions of the Information Society.
Gross G (2015) Counterterrorism expert says it's time to give companies offensive cyber capabilities. PCWorld, Available from http://www.pcworld.com/article/2956112/counterterrorism-expert-says-its-time-to-give-companies-offensive-cybercapabilities.html (accessed 18 May 2017).
Homeland Security News Wire (2011) Active cyber-defence strategy best deterrent against cyber-attacks. Homelandsecuritynewswire.com, Available from http://www.homelandsecuritynewswire.com/active-cyber-defense-strategy-best-deterrent-against-cyber-attacks (accessed 18 May 2017).
Hutchinson J (2013) Companies should ‘hack back’ at cyber attackers: security experts. Financial Review, Available from http://www.afr.com/technology/enterprise-it/companies-should-hack-back-at-cyber-attackers-security-experts-20130527-j0rqm (accessed 18 May 2017).
Iasiello E (2014) Hacking Back: Not the Right Solution. Parameters 44: 105-114.
Kesan JP and Hayes CM (2011) Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace. Harvard Journal of Law and Technology 429: 1-94.
Levy I (2016) Active Cyber Defence - tackling cyber attacks on the UK. National Cyber Security Centre, Available from https://www.ncsc.gov.uk/blog-post/active-cyber-defence-tackling-cyber-attacks-uk (accessed 18 May 2017).
Lohrmann D (2016) Can 'Hacking Back' Be An Effective Cyber Answer? Govtech.com, Available from http://www.govtech.com/blogs/lohrmann-on-cybersecurity/can-hacking-back-be-an-effective-cyber-answer.html (accessed 18 May 2017).
Lu W, Xu S, and Yi X (2013) Optimizing Active Cyber Defense. 4th International Conference on Decision and Game Theory for Security. New York: Springer, 206-225.
Lyngaas S (2015) Intel chiefs say cyber norms, deterrence strategy still elusive. FCW, Available from https://fcw.com/articles/2015/09/10/intel-cyber-norms.aspx (accessed 18 May 2017).
Marmon W (2009) MAIN CYBER THREATS NOW COMING FROM GOVERNMENTS AS “STATE ACTORS”. European Institute, Available from https://www.europeaninstitute.org/index.php/136-european-affairs/ea-november-2011/1464-main-cyber-threats-now-coming-from-governments-as-state-actors (accessed 18 May 2017).
Messerschmidt J (2013) Hack back: Permitting Retaliatory Hacking by Non-State Actors as Proportionate Countermeasures to Transboundary Cyberharm. Columbia Journal of Transnational Law 52: 275-324.
Noble Z (2015) Time to consider the 'hack-back' strategy? FCW, Available from https://fcw.com/articles/2015/09/30/hack-back-strategy.aspx (accessed 18 May 2017).
Paganini P (2016) Hacking Back: Exploring a new option of cyber defense. InfoSec Resources, Available from http://resources.infosecinstitute.com/hacking-back-exploring-a-new-option-of-cyber-defense/ (accessed 18 May 2017).
Rabkin J, and Rabkin A (2016) Hacking Back Without Cracking Up. Lawfare, Available from https://www.lawfareblog.com/hacking-back-without-cracking-0 (accessed 18 May 2017).
Ravich SF (2015) Cyber-Enabled Economic Warfare: An Evolving Challenge. Washington, D.C.: Hudson Institute.
Raymond M, Nojeim G, and Brill A (2015) Private Sector Hack-Backs and the Law of Unintended Consequences. Center for Democracy & Technology, Available from https://cdt.org/insight/private-sector-hack-backs-and-the-law-of-unintended-consequences/ (accessed 18 May 2017).
Smeenk G, Wang J, Veldhoen D, Brink R, and Arnbak A (2017) China: China's New Cybersecurity Law Effective As Of 1 June 2017. Mondaq, Available from http://www.mondaq.com/china/x/595440/Security/Chinas+New+Cybersecurity+Law+Effective+As+Of+1+June+2017 (accessed 18 May 2017).
Tang A (2015) Hacking Back against Cyber Attacks. Chicago Policy Review, Available from http://chicagopolicyreview.org/2015/07/21/hacking-back-against-cyber-attacks/ (accessed 18 May 2017).
Tung L (2013) Is hacking in self-defense legal? The Sydney Morning Herald, Available from http://www.smh.com.au/it-pro/security-it/is-hacking-in-selfdefence-legal-20130927-hv1u8.html (accessed 18 May 2017).
Xu S, Lu W, and Li H (2015) A Stochastic Model of Active Cyber Defense Dynamics. Internet Mathematics 11: 23–61.
Yağlı S, and Dal S (2014) Active Cyber Defense within the Concept of NATO’s Protection of Critical Infrastructures. International Journal of Social, Behavioral, Educational, Economic, Business, and Industrial Engineering 8: 909-913.
Zheng R, Lu W, and Xu S (2015) Active Cyber Defense Dynamics Exhibiting Rich Phenomena. HotSoS '15: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security. New York, NY: ACM, 1-12.