In the wake of discussions about whether U.S. organizations should be allowed to strike back against nation-sponsored hackers, one congressman warned that the dangers of cyber retaliation shouldn't be taken lightly.
“There have been discussions … of authorizing hack backs in limited form, and I want you to know, I’m firmly against that approach,” Rep. Jim Langevin, D-R.I., said, referring to a controversial bill, the Active Cyber Defense Certainty Act. The bill would allow companies limited forms of hacking back when they are hit by cyberattacks.
Langevin, speaking at the annual ICIT Forum in Washington, said allowing some hack-back actions could quickly lead to vigilante justice and result in collateral damage.
As an example of what could happen, Langevin mentioned the 2014 Sony Pictures hack, in which a hacker group with alleged ties to the North Korean government breached the movie network’s computer systems and leaked internal emails and confidential information. Had Sony been allowed to hack back, “it could’ve very well led to an escalation that would’ve gone beyond the cyber domain and could have resulted in kinetic attacks or actions,” Langevin said.
“It’s very dangerous, it feels good to do some hacking back,” he continued, “but I really am worried when you get to the level of hacking back against nation-states that also … could use this response to cause kinetic effects or use kinetic weapons to respond.”
For criminal actions, the more appropriate response would be to continue with investigations and indictments, using established law enforcement mechanisms, the congressman said.
For actions by state actors, however, “we have to stop saying how a responsible country should behave and start behaving that way and also hold [attackers] accountable,” Langevin said. He cited how the Obama administration enforced sanctions against North Korea after the Sony hack and then ejected Russian diplomats in the wake of the Russian meddling in the 2016 U.S. election.
“Each of these steps has clearly contributed to what we as a nation view as acceptable actions in cyberspace and they make clear that we’re ready to act when countries violate certain norms,” Langevin said. “We now need other nations to do the same and if more countries respond in the same manner with nation-state hacking and we establish the norms and enforcement, these norms will become formalized.”
“It’s not a perfect solution,” he added, “but it’s a better path forward in establishing some rules for the road.”