The Republican Party platform seems to endorse the "hack back" concept, or the right of a private enterprise or individual to retaliate against cyberattackers.
See Also: IoT is Happening Now: Are You Prepared?
The platform - adopted this week at the Republican convention in Cleveland that nominated Donald Trump for president - does not specifically mention the term hack back, but states: "We ... make clear that users have a self-defense right to deal with hackers as they see fit."
"This notion that people could just be cowboys is very risky for them."
It shouldn't be surprising that the platform - characterized by The New York Times as "the most extreme Republican platform in memory" - would favor a tactic that has fallen out of favor with the vast majority of cybersecurity experts, lawmakers - including Republicans - and policymakers. Many on the far right that helped shape the platform champion a do-it-yourself attitude toward defense combined with a deep mistrust of government.
"It's crazy," Jody Westby, chief executive of the cyber-risk advisory firm Global Cyber Risk, says of the platform's "as-they-see-fit" provision. "This notion that people could just be cowboys is very risky for them. It can actually deter, defeat investigations because often data is damaged or destroyed in the [hack back] process and very few people are skilled to do this."
Cybersecurity expert and author Bruce Schneier characterizes the hack back approach as vigilante justice. Though hacking back could "feel so good," Schneier says, it's "truly crazy."
First, he says, attribution for a hacker attack is difficult, and the wrong party could be victimized, such as a business whose computers were secretly commandeered by the hacker. Second, the United States eschews vigilante justice for a good reason: "We actually don't want citizens to deal with criminals as they see fit," he says. "That's called anarchy, and it's bad.
"If you walk by your neighbor's house, look in his window, and see the thing he stole from you yesterday, you're not allowed to break into his house and take it back. That's the law. There's a real reason why we let the police and the justice system handle this."
Schneier also raised several rhetorical questions based on the vagueness of the platform position. Can "as they see fit" include firebombing a building or hacking a car to make it crash to revenge a hack?
Westby contends some forensic security companies advocate the hack back approach to try to "show that they have the cowboy skills. But we're not the Wild West. ... Individuals and companies that try to engage in active defense run a very high risk that they're violating criminal laws themselves and putting great risk on themselves, far more risk than the attackers bring to their organization."
I queried the Republican convention press office, seeking an explanation of why the platform endorses a "self-defense" approach to cybersecurity. But the party did not offer an immediate response.