Baby Got Hack Back, presented at BSides Las Vegas 2017

by Robert Graham, Davi Ottenheimer, Jen Ellis, Leonard Bailey

Summary: You’ve heard it before: the bad guys are winning; US companies are under attack every day, and defenders are on the losing end of the war. We are less resourced and, held back by the legal framework, less free to act and to fight back against our adversaries. This is not just a common lament in security circles; it is also the foundation of the ‘hack back’ argument. That argument continues that organizations on the receiving end of attacks should be able to defend themselves the same way US citizens can defend themselves against intruders in their homes. Defenders should be able to fight back and launch a counterstrike. This is hack back. Today it is illegal for private entities in the US. But there is increasing noise about legalizing it, with a bill introduced to do just that earlier this year, and a number of foreign governments also discussing it. The arguments that support it are appealing, yet it is widely opposed by many in the security community, with dire warnings about the potential consequences of authorizing such measures.
This talk will examine the arguments for and against hack back; the current legal constraints; the potential outcomes of authorizing it; and how hack back fits within both broader cybersecurity policy discussions and other security program practices, such as active defense. We will begin with an objective, balanced overview from the Department of Justice’s Leonard Bailey and Rapid7’s Jen Ellis (40 mins) of the legal and practical dimensions of hack back. They will then be joined by advocates for and against authorizing hack back for a lively debate (40 mins). There may also be some bad rapping, but we make no promises.