Thu, Sep 27, 2018

Hacking Back Against Cyberterrorists - Risks & Benefits Analysis for NATO's COE-DAT

In this article written for NATO's Center of Excellence (COE) - Defense Against Terrorism, Senior Managing Director Alan Brill partnered with Senior Managing Director, Global Cyber Risk Practice Leader Jason Smolanoff to examine the risks and benefits of hacking back against cyberterrorists.

Alan had explained in a December 2017 interview with Joan Goodchild of Information Security Media Group why he believes hacking back is a bad idea. This article, published in Defence Against Terrorism Review, expands on the topic from both a private and governmental perspective.

The issue is gaining momentum thanks to new legislation introduced in the U.S. Congress and the admission by Homeland Security Secretary Kirstjen Nielsen that the DHS is providing tools and resources to private companies to engage in “active defense” against cyber threats.

The full article is available via the COE-DAT website, and is reproduced below in full with permission:

DATR, 2017; 9: 35-46
ISSN 1307 - 9190

Hacking Back Against Cyberterrorists: Could you? Should you?1

Alan BRILL 2


Cyberterrorists have become adept at using cyber tools to modify or deface websites, steal information, and use social media. It is also expected that they will increasingly use the tools and techniques developed and used by cybercriminals, which are widely available. Add to this the nation-state-level tools released by sources like WikiLeaks, and it becomes obvious that cyberterrorists are gaining increasingly sophisticated and dangerous weaponry. When an organization – whether that organization is part of a nation’s critical infrastructure or not, and whether that organization is part of a nation’s public or private sector, is attacked, a natural reaction to that attack is a desire to identify the attacker and to launch a counterattack. This desire is no different in the war-fighting domain of cyberspace than in the real world. But is it a good idea? Are there differences between this kind of counterattack if carried out by a private sector organization or a government agency? In this article, the authors look at the potential advantages and risks associated with what’s called ‘hacking back’, and’ and conclude that the risk/reward equation can be complex and must be carefully considered before taking action.4


Unauthorized intrusions into computer-stored and computer-processed data, with theft of information, encryption, or destruction of data and release of stored data (WikiLeaks being an example) has, unfortunately, become commonplace, with victims in both the public and private sectors. Once an incident is identified, investigators often try to determine the identity – or at least the network location – of the hackers. What if a government or organization could launch a counterattack directed against the hacker? While such an action – called “hacking back” – might seem to be a simple matter of justice, the problem is more complex than it appears.

Imagine that you are the duty officer in your nation’s cyber incident reporting and response center, and you receive an urgent email message from the Chief Information Security Officer (CISO) of a power generation and distribution company that is an important part of your nation’s critical infrastructure.

The message states that the database containing crucial information about the company’s industrial control systems, the configuration of those systems, the hardware and software in use, and the security measures used to protect those crucial systems from attack and compromise was compromised, with sensitive information uploaded to servers believed to be under the control of the attackers. It further states that the CISO has traced back the source of the attack to a non-state actor, a terrorist group located in an unfriendly nation in your region.

The message states that the company is preparing to launch a cyber counterattack to attempt to both destroy the stolen data before it can be misused and to “teach them not to attack us in the future” by damaging the terrorist’s information technology infrastructure. (The use of hacker tools and techniques to reach into the infrastructure of an attacker is called “hacking back.”) They are finalizing their plans and the computer code necessary to carrying out the attack, and they expect to launch their counteroffensive in approximately one hour. What should you do?

Hacking Back

This scenario, while artificial, is not unrealistic. Hacking back against attackers has been an area of interest to both governments and private sector organizations in recent years. In the United States, for example, bills have been introduced in Congress to legalize private-sector hack-backs – effectively immunizing corporations from prosecution under U.S. law for what would otherwise be criminal hacking (potentially subjecting the corporation and its employees to criminal charges and imprisonment). Do such laws make sense? Are they workable when the internet is global, and attacks (and counterattacks) can traverse physical space and hardware of multiple nations as they travel through cyberspace?

From the viewpoint of terrorist organizations, the use of cyberspace is highly attractive. It is highly asymmetric. Great damage can potentially be caused by a few talented men or women. It also usually represents a form of attack that can be carried out remotely. There may well be no need to have people cross borders or take physical actions in the target nations.

Cyberattacks are also subject to various forms of obfuscation designed to obscure that true source of the attack. During a presidential campaign debate in September 2016, then Republican presidential candidate (now President of the United States) Donald J. Trump, acknowledged this. Discussing the hacking of the Democratic National Committee and of senior officials of then Democratic presidential candidate Hillary Clinton, while the U.S. intelligence community had concluded with “high confidence” that Russian military intelligence service operators were behind those attacks, candidate Trump said “Maybe it was. It could be Russia, could also be China, could also be lots of other people. Could also be someone sitting on their bed who weighs 400 pounds, okay?" 5
Obviously, because of data classification, we do not know the evidence that was behind the U.S. intelligence community’s evaluation. But Trump was certainly correct in saying – whether it was true in this particular case of not – that definitive attribution of an attack is very difficult.

Simply put, the internet was never designed to provide positive authentication or identification of the information that traverses it. This fact was made famous in a cartoon by Peter Steiner which appeared in The New Yorker magazine on July 5, 1993. In the cartoon, a dog sitting in front of a computer is talking to a dog sitting on the floor next to the desk. The dog sitting at the computer says “On the Internet, nobody knows you’re a dog.”6

The difficulty of attributing a cyberattack was extensively analyzed by Thomas Rid and Ben Buchanan in their paper, “Attributing Cyber Attacks,” which appeared in the Journal of Strategic Studies in 2014.7 What that article and many others that could be cited make clear is that from a technical and legalistic viewpoint, definitive attribution is difficult and may be impossible.
Consider that a hacker need not directly attack you. They can compromise an ineffectively protected computer in a public or private sector setting, and then can remotely control that computer to carry out their attack. Or they can establish a chain of compromised computers, putting multiple layers of machines – often in different countries, some of which may be hostile to the country in which the ultimate target exists – to make tracking down the real source of the intrusion much more difficult. They can also compromise machines to take over portions of their data storage so that stolen information can be stored in some unknowing third party’s computer network. They may move copies of the stolen data around the world to assure their ability to access it while disguising that they are the ones who stole it. In fact, they may never actually store the stolen information on one of their own machines.

Add to this another layer of complication: The hacker (or hacking group/collective) that is actually carrying out an attack against you may not be the group underlying the attack. It has become known that nation-states and non-governmental groups can “outsource” the actual technical operation of hacking to paid cybercriminals (or to supporters in nations unrelated to the actual location of the actual perpetrators) who carry out the attack, often, of course, using all of the tools of obfuscation at their command. Indeed, it is reasonable to believe that hackers (and those who sponsor such hacking) are fully aware of the potential actions their targets (or law enforcement acting on behalf of a target) may take to trace their activities. In fact, not only may an adversary take steps to make it difficult to attribute an attack to them, but in fact, may design the attack to cause suspicion to fall on actors or nations that actually have no involvement in the action.

This form of misdirection is not new. It is a version of “false flag” tactics in the age of cybercrime. This form of deception has likely existed since biblical times. In regard to cyberspace, it has been defined as follows: “Cyber false flags refer to tactics used in covert cyberattacks by a perpetrator to deceive or misguide attribution attempts including the attacker’s origin, identity, movement, and/or code/exploitation. It is typically very hard to conclusively attribute cyberattacks to their perpetrators and misdirection tactic can cause misattribution (permitting response and/or counterattack as a condicio sine qua non under international law) or misconception which can lead to retaliation against the wrong adversary.”8

Hacking back: Private sector considerations

Government and military organizations can use any lawful form of warfare, including those involving cyber operations. In fact, NATO has recognized cyberspace as a “domain of operations” [9] and nation-states must be prepared to deal with operations in that domain. It is also clear that private sector organizations must defend themselves against attacks. What is problematic is when private sector organizations consider launching offensive cyber operations.

For attacks targeting organizations in the private sector, there are a number of issues that mitigate against carrying out such operations. This is not to say that senior executives in the private sector who have been victims of cyberattacks would not be enthusiastic supporters of such actions, but that there are, regardless of their desires, potential roadblocks to doing so.

While this article is not intended to be a treatise on national or international law, it is important to understand that activities like hacking – and hacking back, may be regulated by law. For example, in the United States, federal law explicitly bans many of the retaliatory activities that companies might like to carry out (or, outsource to others to carry out.) The key law in the United States is the Computer Fraud and Abuse Act (codified at 18 U.S.C.1030). The main points of this law were well described by Charles Doyle, Senior Specialist in American Public Law at the Congressional Research Service.10 He identified seven major prohibitions set forth in this law:

  • Computer trespassing (e.g., hacking) in a government computer. 18 U.S.C. 1030(a)(3)
  • Computer trespassing (e.g., hacking) resulting in exposure to certain governmental, credit, financial, or computer-housed information. 18 U.S.C. 1030(a)(2)
    Damaging a government computer, a bank computer, or a computer used in, or affecting, interstate or foreign commerce (e.g., a worm, computer virus, Trojan horse, time bomb, a denial of service attack, and other forms of cyberattack, cybercrime, or cyberterrorism). 18 U.S.C. 1030(a)(5)
  •  Committing fraud, an integral part of which involves unauthorized access to a government computer, a bank computer, or a computer used in, or affecting, interstate or foreign commerce. 18 U.S.C. 1030(a)(4)
  • Threatening to damage a government computer, a bank computer, or a computer used in, or affecting, interstate or foreign commerce. 18 U.S.C. 1030(a)(7)
  • Trafficking in passwords for a government computer, or when the trafficking affects interstate or foreign commerce. 18 U.S.C. 1030(a)(6)
  • Accessing a computer to commit espionage. 18 U.S.C. 1030(a)(1).

While this law appears on its face to be limited in scope to governmental computers, bank computers, and those used in, or affecting, interstate or foreign commerce, it must be recognized that because of the global reach of the internet, virtually all computers are, at least arguably, accessible between U.S. states and between the U.S. and other countries. Thus realistically, this law covers virtually all computer systems.

There are other U.S. federal laws and state laws that prescribe criminal penalties for activities that these laws define as being criminal. In addition, as discussed below, carrying out these actions may provide a basis for a civil action (i.e., a lawsuit.)

When hackers operate from another country, the digital information that goes between their computers and their target’s computers flows across legally defined international borders. By definition, for example, an internet inquiry from a computer in France to a computer server in the U.S. must cross between France and the U.S. However, because the internet provides global routing of messages and parts of messages, that signal does not necessarily go directly from France to the U.S. It’s not unlike commercial air transportation. Sometimes you can get a non-stop flight from your originating airport to your destination airport. Other times, you might have to have flights that connect in intermediate cities or countries. For example, flying from New York to Istanbul, you could take a nonstop flight, but you could also take flights with changes of planes in Canada, France, Germany, or many other countries.

Just as the laws of those countries apply while you are there, the laws relating to cybercrime may apply at the origination and destination, as well as the laws of countries through which the signals pass. This is made even more complex when it is recognized that the multiple packets which constitute a single message may travel over different paths, crossing into different countries as they travel between origination and destination. And the responses to those messages may travel over completely different paths, potentially involving additional nations.

Even if a country were to pass laws permitting private-sector organizations to hack back, such laws would in no sense provide immunity from the laws of other nations for such activity. For example, on May 25, 2017, U.S. Congress Member Thomas Graves introduced a bill called the “Active Cyber Defense Certainty Act” which would authorize certain hackback measures by private sector organizations and which would allow them to avoid prosecution under U.S. law that would otherwise be possible.11 But no U.S. law can immunize against cyber-related laws in other countries. Were such a bill to be signed into law, and a company take action against a computer in France (which has a range of cybercrime laws), those who took the actions might be considered criminals under French law regardless of any immunity provided in U.S. law. Of course, there are many opposed to this bill, including Admiral Mike Rogers, who heads both the U.S. National Security Agency (NSA) and the U.S. Cyber Command. At a recent congressional hearing before Congress’s Armed Services subcommittee, Admiral Rogers said “My concern is be leery of putting more gunfighters out on the street in the Wild West.”12

Even in situations where some hackback action might not be defined as a criminal act, it might still result in a lawsuit brought under civil laws. And the lawsuit could be venued in a court in a location where the defendant has no operations. For example, if a hackback is alleged to cause damage to the computer of an innocent third party in the Republic of Korea, an action could be brought before a Korean court under the laws of South Korea. Defending such an action for a company with no operations or personnel in Korea could be expensive and complex, with the need to instruct local counsel, the potential for being ordered to have executives and technical specialists travel for depositions or trial testimony, and potentially substantial judgements, such suits can be strong motivators not to engage in such behavior.

Even in cases where immunity is granted under local law, such immunity is unlikely to provide protection against private-sector-initiated lawsuits. Take for example, the case of two companies – we will call them Company One and Company Two – both located in the same nation.

Company One determines that they have been the target of an intrusion which resulted in the loss of both valuable intellectual property (trade secrets) and customer data, including credit and debit card information (often referred to as “personally identifiable information or PII”.) An investigation provides information that identifies Company Two as the source of the hacking. Company One initiates action to see if it can find the stolen information on any servers within Company Two’s systems. It does this using multiple techniques designed to hide Company One’s identity. Company Two’s IT department receives a call from the company to which they had outsourced real-time computer security monitoring operations. The monitoring company reports that Company Two is under attack by actors trying to break into the Company Two network without authorization.

Company Two’s internal cybersecurity team verifies the report within minutes and informs management. Both external and internal analysts agree that the attack is coming from an IP (Internet Protocol) address in another country. Company Two’s security staff assures management that it is not part of a drill or test that they are carrying out – it is the real thing.

With this information, management initiates its response plan. It assigns a number of IT security and IT operations employees to a special task force to address the attack. Through its insurance broker, it immediately notifies the issuer of its cyber insurance that it is under attack, and requests authorization to bring in a forensic consulting firm that has been pre-approved by the insurer, and with which Company Two has a stand-by agreement in place. The insurer approves, and the forensic company is called in to assist. Company Two also notifies law enforcement that it is under attack.

At some point, Company One notifies Company Two of what is going on. They say that they now believe that Company Two was also a victim, but that they haven’t been able to get into their network to verify that. They request access.

Company Two determines that it has spent the equivalent of US$ 50,000 on internal resources focused on dealing with the “attack’” and an additional US$ 25,000 on the forensic consultant. It asks Company One for reimbursement. The general counsel of Company Two, in a letter to Company One, points out that “had you chosen to approach us before you tried to hack us, we would have gladly cooperated with you and with law enforcement. But by hacking us – particularly through another country to hide your identity – you are, in our view, hackers yourselves, and you cost us $75,000. You can pay it voluntarily and we’ll consider the matter closed, or we will sue you for the money and call a news conference to explain it to the media.”

Certainly, basic principles of justice would not suggest that Company Two should bear the financial burden of dealing with Company One’s hackback. Even if Company One argues that they thought it was Company Two’s fault, the alternative of contacting them and seeking cooperation should have at least been considered.

Companies worry about their reputations. As was pointed out in the earlier article published by the Center for Democracy and Technology,13 a company’s reputation could be hurt if it is revealed that in their quest to hack back, they caused disruptions in radiation therapy for pediatric cancer patients at a medical center whose computers had – without the hospital’s knowledge or consent – been hacked by intruders who used it to attack another company. No company can afford to ignore the potential issues of reputational risk associated with hacking.

An increasing number of organizations have taken or are at least considering transferring some of their cyber risk to insurance companies by purchasing what is referred to as “cyber insurance.” The contracts associated with these policies often require the company to coordinate actions taken in response to an attack or actual breach with the insurer. The insurer may well conclude that whatever claim they may face as a result of the incident will not be dependent on actually identifying the source of the hack, and may tell the insured that they will not cover the costs associated with identifying the source of the intrusion or any “hacking back” activity. This can certainly discourage any such actions, as the costs of those activities may well be substantial.

Terrorists can exploit hackback laws

A sophisticated terrorist group can use hackback laws to their advantage, although one might initially think that such laws would be used against terrorist cyber actors.

A smart cyberterrorist can use hackback laws to the terrorist group’s advantage. They can launch attacks that are deliberately designed to be noticed, with the hope of encouraging targets to hack back, not against the terrorists, but against the organizations through which they launched the attack. The scenario of a company victimized by hackers by having its servers compromised and used for attacks, then being itself attacked by the terrorist group’s ultimate target, is appealing. The target could be the subject of criminal charges, civil actions, and reputational damage, all of which are objectives of the terrorist group behind the false flag attack.

Further, to the extent that such false flag attacks result in criminal or civil litigation, or bad publicity, potential attack targets will become “gun-shy” of responding forcefully to an attack, which again may be something helpful to the terrorists when they actually launch an attack on that target.

A terrorist organization often runs legitimate (or at least semi-legitimate) front organizations. It is certainly possible for the group to select a target known to use hackback with the objective of having them do so and cause “damages” for which they can demand compensation and threaten litigation and reputational damage. In fact, with good tradecraft in the form of attack obfuscation, perhaps by routing the attack through not only their own front organization systems, but also innocent third parties as well, the terrorists can win either by their attack being successful, or by reacting to hacking back by their intended victim – or both!

There is nothing to prevent a terrorist or terrorist-sympathizer organization from arranging an attack (perhaps by outsourced hackers) against a designated site under their control. Done right, the attack can appear to be – at least to some extent – launched from the terrorist group’s intended target. Although that target may have no involvement, evidence can be manipulated to suggest otherwise. The terrorist group then engages in a “hackback” to defend itself. Depending on jurisdictional issues, a carefully thought-through scenario could use a country’s own hackback laws to immunize what is, in fact, an attack against a target by a terrorist group.

A terrorist group can use the fact that a victim hacked back in an argument (that might well work with the terrorist group’s sympathizers) that the hackback makes them as much a victim as the original target. Manipulated evidence, falsified testimony, and documentation can provide support for such claims. While bogus, these claims can lead to some people believing that the terrorist group is being targeted for unfair attack by the actual victim.

Should Governments Hack Back Against Terrorists?

Of course, this consideration of the consequences of hacking back is focused on potential activities of private sector organizations. Do the same factors apply when a governmental entity is considering using hackback techniques as part of an investigation of an incident, or as part of an intelligence gathering operation?

The potential opportunity to use hacking back as a means of attack attribution, or of validating/disproving suspicions regarding who is behind an attack can be of great importance to a government organization. The means of doing hackbacks are well known, and it is expected that resources with such knowledge will be available to the agency involved.

The risks associated with hacking back – like misidentification of the source of an incident, or potential damage (technical, financial) to an innocent third party – are no different for a public sector entity hackback than for a private sector hackback operation. We believe that for any public sector hackback operation, whether operated by law enforcement agencies, military organizations, intelligence agencies, or any other government sector, to operate without recognizing these risks and planning how to deal with them is irresponsible.

While governments may be legally able to operate outside of normal criminal statutes, that does not mean that they do not have an obligation to consider potential problems. The concept of collateral damage – defined as “injury inflicted on something other than an intended target”14 – is directly applicable. The third party whose site was used by an actual perpetrator is not – or should not be - the intended target of hacking back. Causing damage to that third party – particularly with the intention of letting the third party suffer the economic, legal, or reputational consequences should not be ignored.

As noted earlier, the third party can incur significant expenses. They can also be required to report the incident – particularly if it appears that certain types of information might be compromised – to government agencies. For example, in the United States, a health care organization that believes that it suffered a compromise involving more than 500 medical records is required to report that to the U.S. Department of Health and Human Services, which publishes the notification on a list available on the internet.15

Should these issues stop a governmental agency involved in an investigation or intelligence collection from carrying it out or cause them to modify their investigative/collection plans to minimize collateral damage to third parties? There is no answer to that question that would apply in all times and in all situations. Could there be situations (perhaps life-and-death situations) where the need for the hackback overrode all other considerations? At the very least, it appears that the process through which governmental hackback operations are developed and approved should have a specific requirement to identify collateral damage issues and require that a specific decision be documented regarding how these issues should be handled.

There is a principle known as the “Law of Unintended Consequences” which basically says that there can be consequences in any project that were not the intention of the project team. For example, there has been a massive global recall of certain automobile airbags because when triggered, those devices may eject metal fragments (like shrapnel) that can injure or kill occupants of the car. Causing those injuries or death were not an intended result by the automobile manufacturer of installing those air bags – they were a result of the design of the bags – design carried out by another company. Nonetheless, the automobile manufacturers had to take responsibility for the airbags they installed.


In this article, the potential effects of hackback efforts, including undesired or unintended effects, have been described.

There should be little doubt that governments have the right to conduct cyber operations including counterattacking those who attack, but the risks of such actions – as with all such plans – must be understood. The actions of NATO and of member states to recognize cyberspace as a valid domain of warfighting underscores the fact that as with operations in any warfighting domain, every operation has potential risks and rewards.

There are potentially significant dangers relating to private sector organizations engaging in hackback operations. There are also ways for terrorist groups to take advantage of private-sector hackback laws in ways that may not have been considered by those drafting such laws.

Our conclusion is that when a governmental entity is planning a hackback operation, there is a moral imperative to identify the potential results and consequences of that operation – intended and unintended, expected and unexpected – and consider each of them in the final design and approval of a project. Undertaking a project without doing so should put into question the competence of the project team. Failing to do this analysis may mean that unplanned consequences (like the target detecting the hackback, either to interdict it or collect evidence that can be made public) are not being considered, when doing so is vital. We believe that any hackback planning process which does not include such an analysis is flawed and should be carefully considered by government agencies considering hacking back.

Key Words: Cyberterrorism, Hacking back, Cyberwarfare, International Law, Critical Infrastructure.


Submitted on 18 August 2017. Accepted on 05 October 2017.
Senior Managing Director, Kroll Cyber Security, New York and Adjunct Professor, Texas A&M University School of Law, Fort Worth, Texas. e-mail: [email protected]
Senior Managing Director, Kroll Cyber Security, Los Angeles and Adjunct Professor, Loyola Law School. e-mail: [email protected]
This article, which was specifically written for Defense Against Terrorism Review, is based, in part, on prior research carried out and published by the co-authors including Mark Raymond, Greg Nojeim, and Alan Brill, “Private Sector Hack Backs and the Law of Unintended Consequences,” Center for Democracy and Technology (December 15, 2015), available at (accessed 31 July 2017); see also Alan Brill and Jason Smolanoff, “When You Have Suffered a Data Breach, Attribution may be Useful, But Hacking Back? Not So Much”, Florida Bar Association International Law Quarterly, (Spring 2017).
5 Kevin Rose, “Trump Says that the DNC Hacker Could Be ‘Somebody Sitting on their Bed Who Weighs 400 pounds’”, (26 September 2016), Fusion, available at (accessed 05 May 2017).
6 Glenn Fleishman, “Cartoon Captures Spirit of the Internet”, (14 December 2000), The New York Times, available at 05 May 2017).
7 Thomas Rid & Ben Buchanan, “Attributing Cyber Attacks”, Journal of Strategic Studies, 38 (2015), pp. 1-2, 4-37.
8 “False Flag,” Wikipedia, at (accessed 31July 2017).
9 Tomáš Minárik, “NATO Recognizes Cyberspace as a ‘Domain of Operations’ at Warsaw Summit”, CCDCOE Incyder (21 July 2016), at (accessed 31 July 2017).
10 Charles Doyle, “Cybercrime: A Sketch of 18 U.S.C 1030 and Related Federal Criminal Law”, Congressional Research Service Report 7-5700, 14 October 2014, available at 31 July 2017).
11 Tim Starks, “Scoop: ‘Hack back’ Bill Gets Version 2.0”, (25 May 2017), Politico at (accessed 31 July 2017).
12 Ibid.
13 Rid and Buchanan, “Attributing Cyber Attacks”.
14 Merriam-Webster dictionary, “Collateral Damage”, at (accessed 2 August 2017).
15 The publication of this list is mandated by section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the current list can be accessed at


Doyle, Charles, “Cybercrime: A Sketch of 18 U.S.C 1030 and Related Federal Criminal Law”, Congressional Research Service Report 7-5700, (14 October 2014).
Fleishman, Glenn, “Cartoon Captures Spirit of the Internet”, (14 December 2000),The New York Times. 
Minárik, Tomás, “NATO Recognizes Cyberspace as a ‘Domain of Operations’ at Warsaw Summit”, (21 July 2016), CCDCOE Incyder.
Rid, Thomas, and Buchanan, Ben, “Attributing Cyber Attacks,” Journal of Strategic Studies, 38 (2015).
Rose, Kevin, “Trump Says that the DNC Hacker Could Be ‘Somebody Sitting on their Bed Who Weighs 400 pounds’”, (26 September 2016), Fusion.
Starks, Tim. “Scoop: ‘Hack back’ Bill Gets Version 2.0”, (25 May 2017), Politico.