It’s probably not the best idea to allow private companies to retaliate against hackers — that’s a job best suited for the U.S. government, a panel of cybersecurity experts argued this week.
The three individuals, with experience in the private sector, intelligence community and military, said at a panel organized by APCO that if companies feel compelled to hack back, they should delegate any potential response to the government. If retaliation is warranted, U.S. Cyber Command should carry it out, they said.
“I think if it’s going to happen, it’s best in the hands of the government,” said Sean Weppner, chief strategy officer at NISOS Group and a former Defense Department cyber officer. No company has the intelligence, offensive tools and contextual understanding of the U.S. government, he said.
By allowing companies to hack back, U.S. lawmakers would be enabling a kind of cyber vigilantism, the panelists said. That behavior would come with profound and potentially dangerous consequences. For one, companies venturing out into foreign networks would run the risk of disrupting existing U.S. intelligence or military operations.
Even if companies wanted to hack back, they aren’t legally authorized to do so. At present, companies are not authorized to access computers outside of their own network without express permission, all but precluding any sort of retaliatory actions.
This may soon change, as lawmakers on Capitol Hill mull modernizing the Computer Fraud and Abuse Act (CFAA), a piece of legacy legislation that governs computer crimes and hacking. It seems unlikely that the bill will be amended to allow companies to strike back against digital assailants.
Last year, Rep. Tom Graves, R-Ga., introduced the ACDC Act, which would have dramatically opened up options for companies to strike back. Though the bill gained some momentum in Congress, it was widely panned by the technology community.
Read more about this discussion on CyberScoop.