Pentagon cyber official warns U.S. companies against 'hacking back'

Pentagon cyber official warns U.S. companies against 'hacking back'
© Istock

A top cyber official at the Defense Department on Tuesday urged companies to refrain from “hacking back” when they are the victim of a cyberattack, saying it could negatively affect the already unclear rules of engagement in cyberspace.

B. Edwin Wilson, the deputy assistant secretary of defense for cyber policy, said at a Foundation for Defense of Democracies event that “industry, private citizens should have the ability to defend themselves.”

But he cautioned that there is a “unique nature in cyberspace in regards to offensive activity,” such as a company using cyber methods to retaliate against hackers who target their networks.


Wilson said that while there are some established norms for behavior in cyberspace, like the United Nations cyber agreements whose signatories include the United States, industries carrying out offensive attacks could be a “destabilizing influence.”

The concept of “hacking back” has gained steam in recent months. Sen. Sheldon WhitehouseSheldon WhitehouseLiability shield fight threatens to blow up relief talks Democrats call for McConnell to bring Voting Rights Act to floor in honor of Lewis Hillicon Valley: Russian hackers return to spotlight with vaccine research attack | Twitter says 130 accounts targeted in this week's cyberattack | Four fired, dozens suspended in CBP probe into racist, sexist Facebook groups MORE (D-R.I.) said during a congressional hearing earlier this year that Congress should allow companies to retaliate against cyberattacks.

"We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression," he said at the time.

Reps. Tom GravesJohn (Tom) Thomas GravesHouse holds moment of silence for John Lewis QAnon scores wins, creating GOP problem Hillicon Valley: Zuckerberg expresses 'disgust,' keeps policies | New doomsday cyber bills | QAnon follower favored for congressional seat MORE (R-Ga.) and and now Sen.-elect Kyrsten Sinema (D-Ariz.) introduced legislation last year that would allow companies and private citizens to use “active defense measures” against hackers. The bill was met with opposition from cybersecurity experts who pushed back against the proposal, saying it could escalate feuds in cyberspace and cause hackers to strike back even harder.

Congress has not passed the legislation.

At the state level, Georgia Gov. Nathan Deal (R) vetoed a bill this year that would have allowed firms to hack back.

Daniel Hoffman, a former chief of station at the CIA, suggested at Tuesday's event that the Pentagon could authorize some companies to take hack-back actions, allowing the government to regulate who is allowed to retaliate.

"I think the idea for me has some value, at the same time it can't be unregulated," Hoffman said. "So maybe that’s a middle ground."