[Washington Post] The recent rash of cyberattacks on major U.S. companies has highlighted the scant options available to the victims, who often can do little more than hunker down, endure the bad publicity and harden their defenses in hopes of thwarting the next assault.But behind the scenes, talk among company officials increasingly turns to an idea once considered so reckless that few would admit to even considering it: Going on the offensive. Or, in the parlance of cybersecurity consultants, "hacking back."
The mere mention of it within cybersecurity circles can prompt a lecture about the many risks, starting with the fact that most forms of hacking back are illegal and ending with warnings that retaliating could spark full-scale cyberwar, with collateral damage across the Internet.
Yet the idea of hacking back -- some prefer the more genteel-sounding "active defense" -- has gradually gained currency as frustration grows about the inability of the government to stem lawlessness in cyberspace, experts say. The list of possible countermeasures also has grown more refined, less about punishing attackers than keeping them from profiting from their crimes.
"Active defense is happening. It's not mainstream. It's very selective," said Tom Kellermann, chief cybersecurity officer for Trend Micro and a former member of President B.O.'s commission on cybersecurity. Then Kellermann added, as if by reflex, that he and his company would never do it: "For you to hack back, you actually put at risk innocents."