Computers, Privacy & the Constitution

Cyber peace: Is Hacking-back the solution?

-- By MuhammadUsman - 20 Mar 2022


Over the past decade, governments across the world, private companies and even NGOs have been targets of comprehensive cyber-attacks. Nations across the world have been engaged in debates on how to counter this looming threat, but the sophistication and frequency of cyber-attacks continue to grow, with few repercussions in place for the perpetrators. One idea proposed as a defense against cyber-attacks is the concept of ‘hacking-back,’ which refers to allowing private sector entities to take proportional intrusive cyber action against their attackers. Bills have been tabled in the past to legalize hacking back, with the most recent being proposed in 2017 by U.S. Senators Steve Daines and Sheldon Whitehouse.

Hacking-back: A recipe for disaster

This idea of using force to deter or stop crime stems directly from the physical world and seems to be based on the proposition that a certain amount of force is sometimes necessary and legal to defend property. While eliminating the idea of self-defense in the physical world would seem counterintuitive, complications arise when the concept is applied to cyberspace. Firstly, it is extremely difficult to attribute a certain attack to a specific individual or organization, as modern technologies allow cybercriminals to use deceptive techniques, such as botnets. Additionally, the potential for causing collateral damage while hacking-back is enormous. Unlike the physical world, the cyber world does not operate within clear boundaries. If hacking-back is allowed, it would create a situation similar to private citizens standing at their fences shooting bullets aimlessly and hoping to eventually hit the actual criminal.

Furthermore, the effectiveness of hacking back is also questionable. Even if the stolen data is located, it is improbable that deleting that data would ensure any amount of security, because there is absolutely no way of ascertaining whether any copies of the data were made. It can also be foreseen that hacking-back might make the hacker determined to hack you further and damage your system, which can lead to a cyber-war that could be detrimental to the organization’s survival. The example of Blue Security, which had to shut down because the angry spammer decided to fight back, illustrates this point. Furthermore, it is unlikely that hacking back will deter ideological hackers who are not motivated by profits or costs. If the private sector is allowed to carry out activities such as hacking back, it would certainly be a recipe for disaster. Hacking-back is far from the ideal response and it is unlikely that it would counter the threats of cyber-attacks.

Achieving cyber peace

The solution lies not in individual actions but in a collective attempt to create a more peaceful internet where crime is simply harder to commit, instead of being more violently deterred or retaliated against. We need the governments of the world to collaborate and work together towards a common goal: to stand up for principles that call for protection of innocent civilians, the infrastructure and the internet. However, these governments will first have to build confidence and mutual trust amongst each other. They can start by exchanging information and best practices with each other and establishing cyber hotlines. Microsoft’s call for the creation and implementation of international cybersecurity norms, a Digital Geneva Convention, seems to be a much-awaited step in the right direction. The idea does not seem too far-fetched. The US and China have already shown the way forward by overcoming tensions and agreeing to ban intellectual property cyber-theft in 2015.

However, governments alone might not be able to achieve this, and tech companies also need to stand up for shared principles that protect individual users. It is important that tech companies collaborate with each other and adopt commitments to help deter, prevent and respond to cyber-attacks. Tech companies across the world will have to come together and protect users everywhere. Most importantly though, companies need to do away with offensive strategies and adopt total defensive policies. The Cybersecurity Tech Accord (2018) appears to be a good starting point. As per the Tech Accord, 34 companies across the world, including Microsoft, Dell, Cisco, Nokia and LinkedIn, have committed to “protecting people and communities from online threats through action across four areas: stronger defense, no offense, capacity building, and collective action”. Moreover, companies need to develop products and services that focus on privacy and security and minimize vulnerabilities or any likelihood thereof. Users should be empowered and provided with tools and information that help them better understand cyber threats.

Tech companies should also focus on existing as well as emerging open-source technologies. With thousands of experts working to improve the software at all times, there is a greater chance that someone would notice a bug or a flaw and fix it instantaneously. The open-source model allows many pairs of eyes, usually thousands, to constantly review and maintain the software, which ensures its safety. This is not the case with commercial software, where large companies can take anywhere up to a few months to fix flagged issues. This collaborative approach towards software development also drives innovation and carries a far lower risk of the technology becoming obsolete, as the entire community is involved in its development.


It is true that cyber-attacks pose challenges the likes of which have never been seen before, but individual actions and risky options like hacking-back would create a cyberspace in which only the fittest can survive. A collective approach seems to be the only sound alternative to our currently failing cybersecurity strategies. In this collective approach, governments, tech companies and other like-minded groups will have to work together to create a cyberspace where crime is extremely difficult to commit. Until that is done, there is little hope of achieving peace in our digital world.



r3 - 09 May 2022 - 17:47:29 - MuhammadUsman
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.