Pentagon cyber official warns U.S. companies against 'hacking back'


A top cyber official at the Defense Department on Tuesday urged companies to refrain from “hacking back” when they are the victim of a cyberattack, saying it could negatively affect the already unclear rules of engagement in cyberspace.

B. Edwin Wilson, the deputy assistant secretary of defense for cyber policy, said at a Foundation for Defense of Democracies event that “industry, private citizens should have the ability to defend themselves.”

But he cautioned that there is a “unique nature in cyberspace in regards to offensive activity,” such as a company using cyber methods to retaliate against hackers who target its networks.


Wilson said that while there are some established norms for behavior in cyberspace, like the United Nations cyber agreements whose signatories include the United States, industries carrying out offensive attacks could be a “destabilizing influence.”

The concept of “hacking back” has gained steam in recent months. Sen. Sheldon Whitehouse (D-R.I.) said during a congressional hearing earlier this year that Congress should allow companies to retaliate against cyberattacks.

"We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression," he said at the time.

Reps. Tom Graves (R-Ga.) and now Sen.-elect Kyrsten Sinema (D-Ariz.) introduced legislation last year that would allow companies and private citizens to use “active defense measures” against hackers. The bill met opposition from cybersecurity experts, who said it could escalate feuds in cyberspace and cause hackers to strike back even harder.

Congress has not passed the legislation.

At the state level, Georgia Gov. Nathan Deal (R) vetoed a bill this year that would have allowed firms to hack back.

Daniel Hoffman, a former chief of station at the CIA, suggested at Tuesday's event that the Pentagon could authorize some companies to take hack-back actions, allowing the government to regulate who is allowed to retaliate.

"I think the idea for me has some value, at the same time it can't be unregulated," Hoffman said. "So maybe that’s a middle ground."