Should companies be allowed to "hack back" against thieves?
Here are my comments on New America, responding to the question of whether companies should be allowed to hack back against thieves.
Companies should absolutely not hack back against cyber thieves. One major concern is attribution, namely knowing that you have identified the right parties. Intruders typically use other people’s computers and servers, so odds are high that a company would simply be attacking an innocent party.
Furthermore, if a company does take down an attacking server, it might take down many other innocent third-party web sites and services along with it, which could make the company liable for damages.
Companies also have varying levels of talent and resources. While a very large tech company might be able to mount a proportional countermeasure, the vast majority of companies can’t. It would only be a matter of time before one of these other companies oversteps its bounds and inadvertently causes collateral damage and a great deal of embarrassment.
Lastly, in the unlikely case that a company could pinpoint who the attackers are and guarantee a precise counterattack, it is worth pointing out that some cyber thieves are state sponsored. As such, hacking back could spark an unwanted international incident.
A better alternative is to consider softer countermeasures that can slow down thieves and help law enforcement. For example, some banks feed fake data into phishing web sites to make it easier to trace criminal activities. Many companies also run honeypots: servers stocked with fake content and a great deal of monitoring software, set up so that anyone who breaks into them is observed. This kind of approach makes it easier to identify attackers and their strategies, and can deter thieves as well.
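As an added example of the tracing that fake data and honeypots enable (example code, not from the original post): fake credentials are derived per phishing site, and any later login attempt with one of them is flagged and traced back to the site it was fed into. The secret, site names and log format below are constructed assumptions.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed demo secret; a real deployment would keep this in a secret store.
SEED_SECRET = b"constructed-demo-secret"

def make_honeytoken(site: str, index: int) -> Dict[str, str]:
    """Derive a fake username/password pair bound to one phishing site.

    An HMAC keeps the tokens unguessable to outsiders while letting the
    defender regenerate the whole set from the secret alone."""
    tag = hmac.new(SEED_SECRET, f"{site}:{index}".encode(), hashlib.sha256).hexdigest()
    return {"user": f"acct{tag[:8]}", "password": f"pw-{tag[8:20]}", "site": site}

def build_registry(sites: List[str], per_site: int = 3) -> Dict[str, str]:
    """Map every seeded fake username back to the phishing site it was fed into."""
    return {make_honeytoken(s, i)["user"]: s for s in sites for i in range(per_site)}

# Assumed log format: "<timestamp> login <success|failure> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def scan_logs(lines: List[str], registry: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag any login attempt with a seeded account. No real user holds these
    credentials (the attempt fails), so a hit is an alert that also says which
    phishing site the thief harvested them from and where they came back from."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("user") in registry:
            hits.append({"ts": m.group("ts"), "user": m.group("user"),
                         "src": m.group("src"), "traces_to": registry[m.group("user")]})
    return hits

# Constructed sample: two phishing sites were seeded; one token later shows up.
SITES = ["phish-a.example", "phish-b.example"]
SAMPLE_LOG = [
    "2024-01-01T00:00:00Z login success user=alice src=192.0.2.5",
    f"2024-01-01T00:00:07Z login failure user={make_honeytoken('phish-b.example', 1)['user']} src=203.0.113.7",
]

def demo() -> List[Dict[str, str]]:
    return scan_logs(SAMPLE_LOG, build_registry(SITES))

if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['ts']} honeytoken {hit['user']} used from {hit['src']}, seeded at {hit['traces_to']}")
```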