Fighting Fire With Fire: Legal And Ethical Issues of Active Defense and Hacking Back

Written by: Sean Cox, Esq.

When a company is hacked, one of the first reactions is sometimes the urge to hack back. The question that should follow immediately is, “Can we legally do that?”

Hacking back describes striking back at the cyber criminal by accessing, damaging, or breaching the criminal’s own systems. The motives vary: recovering or unlocking data, obtaining evidence, exposing the bad actor, preventing further attacks, disabling botnets, or even attacking and shutting down the attacker’s infrastructure outright. However, once an enterprise starts considering countermeasures that reach outside its own network and risk collateral damage, the potential legal repercussions, both criminal and civil, are very real.

Hacking back has its success stories. For example, in 2009 and 2010 Google discovered that it, along with several other large technology companies, was the target of a sophisticated cyber-espionage campaign believed to be controlled or supported by the Chinese government.[1] Google traced the activity to a command server in Taiwan, gained access to that server and shut it down, and then informed the United States government.

The Center for Cyber and Homeland Security at The George Washington University has released recommendations for a regulatory framework that would allow private industry to employ active defense measures.[2] These recommendations have not been adopted. In the meantime, the United States Department of Justice recommends against hacking back and warns that it risks both civil and criminal liability.[3] The Computer Fraud and Abuse Act (“CFAA”) makes it a criminal offense, in a broad range of circumstances, to access a computer or other electronic device without authorization or in excess of authorized access.[4] The CFAA also allows private persons whose systems have been accessed without authorization to bring civil actions for monetary damages.

Building on the CFAA, the Cybersecurity Act of 2015 authorizes private companies to operate defensive measures within their own systems and the systems of consenting entities.[5] However, the Act’s definition of “defensive measure” specifically excludes “a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or data on an information system not belonging to” the entity.[6] As currently written, these laws broadly prohibit most types of actions that would be considered “hacking back.”

Many other countries have their own laws against malicious computer attacks or unauthorized access. Considering that many hackers are based overseas, any attempt to hack back risks running afoul of foreign law as well. Foreign governments may be less forgiving of U.S. companies attacking their citizens, regardless of the reason.

Misguided offensive measures also risk striking innocent third parties. Cyber criminals often conceal themselves by launching attacks from the networks of legitimate entities. Other common attacks, such as distributed denial of service attacks and attacks launched from botnets, may use devices owned by innocent third parties who have themselves already fallen victim to the hacker. Any offensive action against these systems risks damaging the property of those third parties and could expose the enterprise to significant civil liability to them.

Just because cyber security companies may offer offensive services does not mean those services are legal. Just as some cyber criminals are shielded by the lack of laws prohibiting cyber crime where they operate, some vendors in those same jurisdictions are willing to provide a far more aggressive response to cyber attacks than professionals located in the United States or other countries with robust cyber laws. It is important to understand exactly what your cyber security professionals are doing on your behalf. Simply outsourcing illegal actions is unlikely to absolve an enterprise of civil or criminal liability.


[1] Google Hack Attack Was Ultra Sophisticated, New Details Show, https://www.wired.com/2010/01/operation-aurora/ (Jan. 14, 2010); Google Hacked the Chinese Hackers Right Back, http://gizmodo.com/5449037/google-hacked-the-chinese-hackers-right-back (Jan. 15, 2010).

[2] Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats, https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf (Oct. 2016).

[3] Best Practices for Victim Response and Reporting of Cyber Incidents, https://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf (Apr. 2015).

[4] 18 U.S.C. § 1030.

[5] Cybersecurity Act of 2015, S.754 Sec. 104.

[6] Cybersecurity Act of 2015, S.754 Sec. 102(7)(B).