While 87% of the 517 IT security professionals surveyed believe that cyber-war is a current reality rather than a future threat, 72% of respondents said that nation-states should be able to “hack back” when their infrastructure is targeted by cyber-criminals.
The Venafi survey sought feedback from IT professionals on the Active Cyber Defense Certainty (ACDC) Act, which was introduced in October 2018, while keeping in mind the current prohibition on retaliatory cyber-defense methods established in the Computer Fraud and Abuse Act.
“We’re always interested in the intersection of regulation (often by politicians that don’t appear to have a basic understanding of security) and security imperatives (as perceived by the people in the trenches),” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“We’ve been seeing more stories on hacking back and thought it would be interesting to understand if most security pros really think their organization should be able to do this. We felt this was particularly interesting in light of the controversy surrounding ACDC, and the mixed results that are likely to result for offensive hacking.”
“Cyber-war” as a term, though, is often used too loosely, according to Alex Hamerstone, GRC practice lead at TrustedSec. “War has a specific definition that involves a declaration. People often conflate offensive operations with war when they don’t really cross that line. However, infrastructure is different. Infrastructure is 100% a red line that you cannot cross without expectations of a significant response.
“I’m a bit surprised that only 72% say nations should be able to hack back. I think it’s a given that a country has the right to defend itself when it’s under attack. An attack on infrastructure can easily cross the line from digital to kinetic, putting human lives at risk both directly and indirectly.”
Because the potential impact on critical services like power, transportation and healthcare is so enormous, security needs to plan for both robust deterrence and response. “The capacity of the response is the primary deterrence. There is a lot of gray area and complexity here which a nation has to consider when deciding how robustly to respond. It’s easy for a situation to escalate beyond what is necessary. That said, nations should have the ability to ‘hack back’ to the fullest extent needed in order to defend their infrastructure and assets,” Hamerstone said.
Private entities, though, are not the same as nation-states, a point on which Hamerstone and Jeff Bardin, chief intelligence officer of Treadstone 71, agreed. “I have been in favor of active defense since at least 2010. There should be some sort of capability to strike back at attackers with a viable and capable force,” said Bardin.
“Many organizations are not capable of doing so, nor do they wish to take the risk. I see third-party mercenary-type organizations that would take this onto their ‘paid’ plates to accept the risk and execute a proportional attack. You cannot win at cybersecurity if all you do is defensive. You can never win a football game if all you do is play defense. Never win a basketball game if the other team is always on offense. You lose by definition.”