Hitting Back at Hackers: Do Two Wrongs Make a Right?
|Subscribe to receive updates when new Debates are released:|
|Receive emails | RSS (What is RSS?)|
If your organization is hit by a cyber-attack, turning the matter over to the authorities is the appropriate course of action. But, if you’re able to stop the attack yourself by taking out the hacker’s servers, should you hit back at the hackers?
When companies are hit by cyber-attacks, some may feel – with good reason – that they have no recourse other than to strike back. Law enforcement’s response can be lumbering and, currently, there are few options for collaborating with others on cyber-security challenges. Yet, before you try to take out a perpetrator’s servers, consider the risks. Increasingly, attacks are launched from within IT environments of legitimate organizations that may have no idea they’ve been breached. Striking back may help stop an attack in progress, but it also could have unintended consequences. Given these considerations, are there times when hitting back at hackers is the more effective response?
Explore all sides below by clicking on each button:
|Why can’t I take out a hacker’s servers?
Someone has interrupted my ability to do business and I know who it is.
|You might be hitting back at an innocent party.
The organization that owns the servers could be unaware that the hacker has invaded its systems.
|Reporting the incident to the government only makes things worse.
If I tell the authorities I’ve been hacked, word could get out and my reputation might suffer. What’s more, the government can be slow to act.
|Hitting back is illegal.
Your concerns are understandable, but remember, taking out someone else’s server is just as illegal as hacking it. Hitting back may make you feel better, but it may only make a bad situation worse.
|Working with my competitors to thwart hackers is risky.
If I don’t warn my competitors, they could be hacked too. But, I’m afraid that the information I share could give them a competitive advantage.
|If everyone shares attack information, everyone wins.
Your competitors face the same cyber security challenges you face. It is in everyone’s best interest to work together to find solutions.
|It was only a minor attack. I’ll ignore it.
There’s no point in hitting back or reporting it to the authorities. I’ll just make sure my security software is current and hope it doesn’t happen again.
|All attacks should be reported.
Even minor incidents may reveal information that can help organizations detect a trend or develop a systemic solution that closes the holes.
Kelly Bissell, Principal, Deloitte & Touche LLP
As tempting as it may be to respond to cyber-attacks by disabling the servers from which they are launched, organizations should only hit back at hackers by working through legal channels and with the appropriate law enforcement officials. In fact, the law may soon require nothing less: In 2011, the SEC Division of Corporate Finance issued guidance that, if enacted into law, will require companies to report cyber-attacks to the government.1
Some private sector organizations have expressed concerns that such reporting requirements may lead to their servers being seized as part of an investigation, or lead to brand and reputation issues if news of an attack is made public.
While such concerns are understandable, I believe that the government’s proposed requirements may actually lead to a new public/private partnership that might address the private sector’s concerns and make it possible to address cyber-crime more effectively. Here’s how it could work: The private sector, working with law enforcement, could establish a clearing house that aggregates information on the cyber threats that companies across the United States encounter. This clearing house should analyze the collected data and share it with federal law enforcement officials, who could then act on it. Furthermore, when hackers launch an attack against a particular company, the clearing house – acting as a monitoring agency of sorts – could alert other companies in the same sector that they may be vulnerable. Collaborating in this way, the public and private sectors could identify the bad guys, develop a greater understanding of where and how they operate and thwart attacks the moment they commence.
There have been many attempts at this (e.g., FBI InfraGard, Secret Service Electronic Crime Task Force (ECTF)). The one thing that has often been a strain in these relationships is that it is a one-way street when it comes to information sharing. Private sector pumps in data and the government uses it, but is very limited in sharing with companies. The new public/private clearinghouse should be a two-way street.
Clearly, it is likely to take significant coordination to make a public/private partnership on this scale work. But with the frequency of cyber-attacks increasing each year, a concerted effort may be among the most effective alternatives to having each company striking back angrily at hackers and, by doing so, potentially making a bad situation worse. Like my mom always said, “two wrongs do not make a right.”
By participating in this poll, you consent and acknowledge that your responses may be disclosed without attribution by Deloitte in future publications and you are authorized to respond to the poll on behalf of your company.
Please review the guidelines before providing your comments.*
Conversations on this debate may lead in many directions. We encourage spirited debate and varying perspectives but honesty, decency and mutual respect are essential. Please remember:
Keep your entries succinct and on topic.
Don’t post confidential information.
Don't use names of companies or individuals.
Use appropriate language and refrain from attacking others.
Comments will be reviewed prior to posting.
We reserve the right to edit, remove or not publish comments at our discretion.
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.