Pentagon cyber official warns U.S. companies against 'hacking back'


A top cyber official at the Defense Department on Tuesday urged companies to refrain from “hacking back” when they are the victim of a cyberattack, saying it could negatively affect the already unclear rules of engagement in cyberspace.

B. Edwin Wilson, the deputy assistant secretary of defense for cyber policy, said at a Foundation for Defense of Democracies event that “industry, private citizens should have the ability to defend themselves.”

But he cautioned that there is a “unique nature in cyberspace in regards to offensive activity,” such as a company using cyber methods to retaliate against hackers who target their networks.


Wilson said that while there are some established norms for behavior in cyberspace, like the United Nations cyber agreements whose signatories include the United States, industries carrying out offensive attacks could be a “destabilizing influence.”

The concept of “hacking back” has gained steam in recent months. Sen. Sheldon Whitehouse (D-R.I.) said during a congressional hearing earlier this year that Congress should allow companies to retaliate against cyberattacks.

"We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression," he said at the time.

Reps. Tom Graves (R-Ga.) and now Sen.-elect Kyrsten Sinema (D-Ariz.) introduced legislation last year that would allow companies and private citizens to use “active defense measures” against hackers. The bill was met with opposition from cybersecurity experts who pushed back against the proposal, saying it could escalate feuds in cyberspace and cause hackers to strike back even harder.

Congress has not passed the legislation.

At the state level, Georgia Gov. Nathan Deal (R) vetoed a bill this year that would have allowed firms to hack back.

Daniel Hoffman, a former chief of station at the CIA, suggested at Tuesday's event that the Pentagon could authorize some companies to take hack-back actions, allowing the government to regulate who is allowed to retaliate.

"I think the idea for me has some value, at the same time it can't be unregulated," Hoffman said. "So maybe that’s a middle ground."