Pentagon cyber official warns U.S. companies against ‘hacking back’

by Jacqueline Thomsen - 11/13/18 3:18 PM ET

A top cyber official at the Defense Department on Tuesday urged companies to refrain from “hacking back” when they are the victim of a cyberattack, saying it could negatively affect the already unclear rules of engagement in cyberspace.

B. Edwin Wilson, the deputy assistant secretary of defense for cyber policy, said at a Foundation for Defense of Democracies event that “industry, private citizens should have the ability to defend themselves.”

But he cautioned that there is a “unique nature in cyberspace in regards to offensive activity,” such as a company using cyber methods to retaliate against hackers who target their networks.

{mosads}Wilson said that while there are some established norms for behavior in cyberspace, like the United Nations cyber agreements whose signatories include the United States, industries carrying out offensive attacks could be a “destabilizing influence.”

The concept of “hacking back” has gained steam in recent months. Sen. Sheldon Whitehouse (D-R.I.) said during a congressional hearing earlier this year that Congress should allow companies to retaliate against cyberattacks.

“We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression,” he said at the time.

Reps. Tom Graves (R-Ga.) and and now Sen.-elect Kyrsten Sinema (D-Ariz.) introduced legislation last year that would allow companies and private citizens to use “active defense measures” against hackers. The bill was met with opposition from cybersecurity experts who pushed back against the proposal, saying it could escalate feuds in cyberspace and cause hackers to strike back even harder.

Congress has not passed the legislation.

At the state level, Georgia Gov. Nathan Deal (R) vetoed a bill this year that would have allowed firms to hack back.

Daniel Hoffman, a former chief of station at the CIA, suggested at Tuesday’s event that the Pentagon could authorize some companies to take hack-back actions, allowing the government to regulate who is allowed to retaliate.

“I think the idea for me has some value, at the same time it can’t be unregulated,” Hoffman said. “So maybe that’s a middle ground.”

Tags Cyber cybersecurity Department of Defense hack back Sheldon Whitehouse Tom Graves