On Thursday, July 28, Rob Joyce, chief of Tailored Access Operations at the National Security Agency, and four others wrap up the 2016 ICCS conference with a distinguished panel discussion. Joyce, who joined the NSA in 1990, spoke about his presentation with Inside Fordham.
You appear on the panel called “Reverse Deception: Understanding the Real World of Hacking Back.” What must you focus on to get an audience to understand this “real world”?
There are a lot of companies and individuals where, once they get an intrusion or a hack, they feel almost viscerally intruded on. There’s a strong urgency to make it stop, and sometimes there’s a strong desire even to retaliate. We’ve gotten some proposals where people feel that they ought to be going back and hacking back against that intrusion, to either try to delete the data, or to go ahead and inflict pain on the people who are coming at them to try to deter them from further action.
I want to make sure that people understand that this is really not a good idea. Probably the easiest reason why is [that] it’s illegal. If you’re undertaking hacking against equipment or property you don’t own, that’s illegal, so that [a] hack back is fundamentally illegal even if you’re trying to argue that it’s self-defense.
We’re working very hard to establish some durable international norms that we’d like countries, companies, and individuals to behave by. Efforts to hack back can go against the work the State Department is working on right now to establish norms and expectations with our international partners, and even our international adversaries.
If it’s illegal, why would people do it?
It could be an emotional response. There are some people who consider it a much more strategic response. They hope to go and make the data that was stolen unusable; they’d like to go back, find it, and delete it. They also may just be going back for attribution. They’d like to hack back [into the networks that appear to be targeting the victim] and work their way backwards and try to understand who’s responsible for it. So it may not even be a response; it may just be trying to gather that intelligence.
Is there anything else from your presentation you’d like to share with us?
I’d like to point out that it’s really hard to understand who’s actually hacking your network. That presents a big danger, because if you’re trying to respond, retaliate, or go back, you run a serious risk of going against the wrong person. In hacker circles, there’s often mischief going on, and it may be that if people understand that a company or an entity is doing hack backs, you could actually be manipulated into attacking somebody who’s completely innocent in this space. So it’s these subtleties and nuances that make it tough, and likely ill-considered to hack back.
You run the risk of inflicting collateral damage, because often the hacks go through an unwitting third party. If you’re striking the network touching your infrastructure, you’re often striking the wrong target.