The former director of the NSA and the US military's cybersecurity branch doesn't believe private companies should be allowed to hit back at hackers.
Without using the popular term "hack back," Keith Alexander, the ex-director of the spy agency and the Cyber Command, said that corporations should never be allowed to hack a group or individual in retaliation for getting hacked.
"If it starts a war, you can't have companies starting a war. That's an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high," Alexander said during a meeting with a small group of reporters on Monday.
During a keynote he gave at a cybersecurity conference in Manhattan, Alexander hit back at defenders of the extremely common, although rarely discussed or acknowledged, practice of revenge hacking, or hack back. During his talk, Alexander said that no company, especially those attacked by nation state hackers, should ever be allowed to try to retaliate on its own. Using the example of Sony, which was famously hacked by North Korea in late 2014, Alexander said that if Sony had gone after the hackers, it might have prompted them to throw artillery into South Korea once they saw someone attacking them back.
"We can give Sony six guys from my old place there," he said, presumably referring to the NSA, "and they'd beat up North Korea like red-headed stepchild—no pun intended."
But that's not a good idea because it could escalate a conflict, and "that's an inherently governmental responsibility. So if Sony can't defend it, the government has to."
Instead, Keith argued that the US government should be able to not only hit back at hackers—as it already does—but should also have more powers and responsibilities when it comes to stopping hackers before they even get in. Private companies should share more data with the US government to prevent breaches, ha said.
"If [hacking back] starts a war, you can't have companies starting a war. That's an inherently governmental responsibility."
Alexander recalled a meeting of the Presidential Commission, where he made that case pulling out the US constitution and pointing at the preamble, which gives the government powers to "provide for the common defense."
"Is it the role of government to defend industry?" Keith asked rhetorically. "[The constitution] doesn't say for the common defense unless it's network, or unless it's technically challenging, or unless it's really hard, or unless it's really fast, then we'll let y'all defend yourselves. We created our government for the common defense. "
Hacking back has always been a controversial topic in cybersecurity and government circles. Some believe companies should be allowed to do something when hackers go after them. Others believe allowing and making that that legal would open a can of worms with unpredictable consequences, such as causing a diplomatic incident, or impeding a legitimate law enforcement investigation.
In theory, hacking back is illegal in the United States. But Republican lawmaker Tom Graves is trying to change that with the so-called Active Cyber Defense Certainty Act (ACDC), which would allow some limited form of hacking back.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Get six of our favorite Motherboard stories every day by signing up for our newsletter.