“You might say this isn’t going to have a big effect on China or Russia or Iran,” Jeremy Rabkin said, “but it’s worthwhile if it just raises the profile of these concerns to the government.”
“If a company could say, “We know who’s doing this. Here are their names and addresses. By the way, here’s his sister, his girlfriend, here’s his mother – you now have all this information and you put it on a website. I think it would be harder for government to shrug this off in the way that it has,” he said.
Jeremy Rabkin, professor, George Mason School of Law
The two say that besides exposing foreign hackers’ personal information, the U.S. government could take other measures short of cyber retaliation – denying travel permits, denying access to the U.S. banking system, imposing commercial sanctions on firms that do business with the hackers or even suing companies that get trade secrets from hackers.
They say they know their proposal is not a “panacea,” but they say it is a starting point.
The timing of their paper is interesting, to say the least, since it was published by the Hoover Institution about a month before Wikileaks published a trove of emails from the Democratic National Committee (DNC) – an event that has even outspoken opponents of hacking back calling for the U.S. government to impose some kind of retribution against the hackers who stole the documents.
Russian hackers are widely suspected, although that is still being debated.
Whoever did it, hacking back opponents like Bruce Schneier, CTO of Resilient Systems, have called for retaliation. In a blog post, Schneier called it, “an attack against our democracy,” and said the U.S. should confront the perpetrators and, “make clear that we will not tolerate this kind of interference by any government.” He did not specify how he thought the U.S. should make it clear.
However, calling for government to retaliate against a state-sponsored attack is not an endorsement of the private sector doing the same thing, even at a “moderate” level.
Dmitri Alperovitch, cofounder and CTO of CrowdStrike, even though his firm’s outing of a Chinese hacking group was cited in the Rabkins’ paper as an example of what they advocate, was brief and blunt. “CrowdStrike does not hack back and does not support such activities,” he said.
Robert M. Lee, cofounder and CEO of Dragos Security and a former U.S. Air Force cyber warfare operations officer, was also unconvinced. He first objects to the use of the term “active defense” when describing hacking back. “Active defense is not hacking back,” he said. “It's a misunderstanding in the community that's been pushed out by media reports and isn't the actual strategy.”
Sign up for CIO Asia eNewsletters.