Why companies should never hack back

After major cyberattacks on the Colonial Pipeline and on meat supplier JBS, the idea of allowing companies to launch cyberattacks back at cyber criminals was proposed. This prompted a hot debate amongst government and industry leaders on the feasibility and risks of adopting a retaliatory stance.

The idea of hacking back is very tempting. It’s human nature to want justice when you’ve been wronged. However, while hack back is gaining traction as a hot topic with some legal minds and policymakers, this approach is shortsighted and very likely to have unintended consequences. Here are some reasons why retaliating against cyberattacks is a bad idea and what organizations should do instead to stay ahead of adversaries.

The dangers of hacking back

While the FBI’s partial recovery of the ransom paid by Colonial Pipeline showed that cybercriminals are not untouchable, launching cyber-attacks against them still carries enormous risks. From inadvertently targeting innocent bystander’s devices to escalating a cyber conflict – a lot can go wrong. The fact is, attribution is very difficult to accomplish, especially when it comes to advanced or highly sophisticated adversaries.

Even businesses with significant resources will find it difficult or even impossible to attribute cybercrime activities successfully and accurately. Attempting to hack back an adversary could have geopolitical implications that go well beyond the scope of the individual business and with the possibility of false-flag operations, a counterattack can spark a wider cyberwar.

Furthermore, these attacks will be purely retaliatory and the chances of getting data back are slim, so there is little to be gained. Allowing companies to openly retaliate will only normalize and rationalize the activity currently on display by bad actors, which will inevitably lead to escalation. Hacking back should be left for the government, while businesses can play a supporting role in cooperating with security guidelines and instructions, which was how the FBI succeeded against the DarkSide hacker group.

What companies should do instead

Since businesses cannot go on the offensive, they must double down on their defenses. Investing in a proactive cyber defense is a far better use of a business’s critical IT and security operations resources. Improving cyber hygiene through patch and configuration processes is the most effective way to reduce risk and exposure to attackers. Unfortunately, it takes a lot of time for the average organization to fix critical vulnerabilities.

Cybercriminals can exploit vulnerabilities in just seven days so organizations must be actively looking and remediating these vulnerabilities. Adopting a 24/72 threshold can be a good way to maintain urgency, which means fixing zero-day vulnerabilities within 24 hours and critical vulnerabilities in 72 hours.

With speed being the critical factor, incorporating automation technologies can help assist security teams in streamlining the patching and configuration process. By lowering their attack surface with proper cyber hygiene, remaining vigilant to new emerging vulnerabilities, and working with the authorities is the best course of action for businesses.

The best defense is not offense

Ransomware and cyberattacks will only increase in frequency and sophistication – unfortunately, threatening cybercriminals with retaliation is not feasible for companies. The dangers far outweigh the benefits and the threat of escalation has far greater consequences for businesses and for our country.

Maintaining cyber hygiene by patching vulnerabilities and leveraging automation tools will help lower the chances of a breach happening. Instead of allowing companies to let loose and hack back, the government should continue to bolster the nation’s security infrastructure and guide businesses to a better security posture.