Retaliatory Hacking Has Returned – Will States Ever Learn?

In mid-June 2018, the United States Cyber Command (CYBERCOM) was officially given the authority to launch cyber attacks against foreign nations

The change in policy comes after the elevation of CYBERCOM to a full-fledge combatant command, after being initially established in 2009. As a result, the commander of CYBERCOM will report directly to the U.S. Secretary of Defense, rather than another combatant commander. Empowering CYBERCOM represents a more proactive approach to directly respond to those states that “host or sponsor malicious hacking groups” believed to be perpetrating hostile cyber attacks against U.S. interests.

The “hacking back” phenomenon has gained traction in the global community with other governments (including those of developing nations) to actively develop offensive cyber capabilities, presumably in order to engage in retaliatory cyber strikes against suspected offending state actors. Other governments such as Germany have openly expressed the desire to be allowed to conduct such operations. Frustration in the volume of cyber malfeasance have caused nations to assume that being able to “out hit” an aggressor in cyberspace will invariably cause the offending activity to stop and for the aggressor to look elsewhere for a victim.

This type of thinking does not translate well into a domain where actor attribution is difficult. Unless links can be definitively made to a legitimate and known state actor, and thereby understanding of that actor’s country’s cyber force structure and capability, striking back at the actor’s infrastructure or keyboard does not guarantee achieving the objective of the counterstrike. Observed offensive cyber attacks does not constitute the full range of tools and sophistication that actor may possess. Furthermore, since most states are scrambling to develop, refine, and deepen cyber capabilities to be leveraged against other states, the actors being targeted for counter strike generally are well-resourced, meaning, they likely have more tools in the arsenal. Furthermore, there is a range of challenges that need to be considered as stated in my paper on the topic of “hacking back.”

In addition to the obstacles presented there, states that continue to pursue a path of hoping to deter or punish cyber offenders must take into consideration the following points”

In order for a counter-strike to be effective in punishing and sending a message, the strike’s purpose and the orchestrator behind it must be made clear to the offending state. It is likely that the strike will not be made public prior to the attack in order to maximize its success. However, if the target state detects, stops, or at least mitigates the counter-strike and exposes it and the likely perpetrator behind it, that counter-strike state’s credibility as a cyber capable nation will be compromised. Any follow up action could be perceived as disproportionate, and solicit its own retaliation, thereby risking escalation.
Once tools are used against a target they are lost for good. In the example of the 2007 Stuxnet incident, the principles about how that attack was deployed was adopted by other hostile actors. There was even concern that Stuxnet malware could be used against the alleged developer state. Duqu malware, also believed to have been state developed, appeared in the wild after going dark in 2012, and was observed being leveraged against targets worldwide. Using such “one and done” weapons may achieve the counter-strike state’s objective, but ultimately surrenders it to the target state from which it can be analyzed and repurposed.

The loss of such weapons is a serious problem. The activities of the Shadow Brokers underscores a new problem facing nation states eager to flex their cyber muscles – the unintended exposure of the tools and exploits from a suspected intelligence agency to the greater Internet community. As has been observed with the Shadow Brokers, a volume of sophisticated tools and unknown exploits were released into the wild, causing significant material and financial damage to systems worldwide. Developers of the 2017 WannaCry ransomware attack used an exploit from this tool/exploit dump to inflict as much as $4 billion worldwide. It is important to stress that the tool that was supposed to be expressly used to likely support intelligence collection/surveillance activities ultimately impacted public and private entities across the globe. Similarly, the NotPetya outbreak leveraged two exploits in the Shadow Brokers leak to wreak havoc on Ukraine, and ultimately spread across the world. Certainly, these incidents call into question the responsibility a state bears in developing such tools and exploits when they escape its control and are used against civilian targets by any hostile actor.

As more states get into the “hacking back” mix (if one does it, presumably many more will follow), cyberspace – already a wild west of sorts – risks becoming a domain where states can act with impunity and without larger legal consequence. The only “evidence” needed to justify an attack will be what satisfies a state’s individual criteria, a sliding scale at best. Since cyberspace is rife with proxy use, hop sites, false flags, etc., state actors may engage in hacks that point the direction elsewhere, further muddying the waters. With ones and zeroes flying everywhere, cyber attacks may increase in severity rather than decrease.

Recent comments by U.S. Department of Defense officials provide excellent context to where the United States – and all states for that matter – stands with regards to cyber wars. Per their opinion, the United States “cannot win the global battle over cyber security due the overwhelming complexity of the issue and the rapidly changing landscape in cyberspace.” I would argue that no state can. While larger cyber issues such as state norms of behavior and Internet governance continue to evade international consensus, assigning culpability to states unable to responsibly manage the very tools/exploits they created should be considered in the conversation.

About the author

Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals and blogs. Follow Emilio on Twitter

It’s not always malware

How to avoid paying the ransom with a robust four-step recovery plan

Your data is critical – do you have the right strategy in place for resilience?

Five Critical Ways to Protect Your Software Supply Chain

It’s not always malware

7 Ways AI Will Impact Learning and Development

Natural language processing for business: a practical guide

Five years on: the legacy of GDPR

How Assisted Reality Wearables can Enhance Healthcare Efficiency

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.