BreachExchange mailing list archives

The Evolving Landscape of “Hacking Back” Against Cyber Attacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 15 Oct 2015 11:38:18 -0600

http://www.jdsupra.com/legalnews/the-evolving-landscape-of-hacking-back-35882/

Self-defense is a natural, almost reflexive human instinct.  But it has a
complicated history in American law, full of contradiction and compromise.
Many jurisdictions have long recognized that an otherwise illegal act—such
as taking a swing at a purse-snatcher—may be justifiable (and therefore
legally permissible) in the context of fending off a physical threat or
attack.  But victims of cyber-attacks tempted to “hack back” have yet to
enjoy such a privilege.  In fact, following through on this natural
instinct in cyberspace could lead to criminal and civil liability.

Broadly speaking, “hacking back” refers to attempts by cyber-attack victims
to locate the perpetrator of the attack and, in some cases, identify and
recover any information that may have been stolen by working backwards from
the point of entry of the attack.

Cyber security scholars have debated the effectiveness and propriety of
such an approach.  Some liken hacking back to a justified response to a
physical attack, while others compare it to vigilantism. As the number and
scope of cyber-attacks continues to increase rapidly, this debate is
heating up.  Some thought leaders argue that creating a hacking back
privilege may be appropriate.  As articles in the Washington Post and the
Financial Times recently noted, the idea of hacking back—or “active
defense” as proponents of this strategy prefer to call it—is gaining
momentum, particularly amongst private entities that believe that law
enforcement is not agile or responsive enough to catch hackers in the act
or before data is accessed or acquired.  Proponents of this strategy argue
that hacking back—or at least identifying a cyber-attack in its early
stages—can give victims a leg up by identifying materials that may be
stolen before any data is actually copied, and by identifying the
whereabouts of the perpetrators to bring them to justice.

Regardless of this philosophical disagreement, under U.S. law hacking
victims enjoy no special legal privileges when it comes to hacking back.
In fact, just the opposite is true.  In guidelines released over the
summer, the Department of Justice specifically admonishes “victimized
organizations” to “not attempt to access, damage, or impair another system
that may appear to be involved in the intrusion or attack.”  Regardless of
the motive, the DOJ observes, “doing so is likely illegal, under U.S. and
some foreign laws, and could result in civil and/or criminal liability.”

The U.S. laws the DOJ is referring to include, among other things, the
Stored Communications Act and the Computer Fraud and Abuse Act, both of
which criminalize (and create civil penalties for) intentionally accessing
third-party computers without permission, and various state laws which
essentially criminalize this behavior on a local level. Hacking back runs
afoul of these laws because effectively tracing the source of a
cyber-attack often involves surreptitiously accessing other computers (even
the hackers’) without their owners’ consent.  Violating these laws carries
stiff penalties, including fines and—in many cases—the possibility of many
years in prison.  And as the DOJ noted, hacking back may be governed by
foreign law too.   Because the internet is inherently multijurisdictional,
hacking back in response to a cyber-attack could result—intentionally or
unintentionally—in following perpetrators through a maze of interstate and
international jurisdictions, exposing cyber victims to a morass of
jurisdictional issues and laws. Besides violating criminal law, hacking back
carries the risk that the computer systems of an innocent third party could
also be damaged, because hackers often gain access to their target through
third-party servers.

To date, the ultimate legality of hacking back has not been adjudicated in
the courts—principally, one imagines, because a hacker is unlikely to come
forward and identify themselves as a victim—but it is certainly an issue
that is ripe for judicial interpretation, especially as private actors,
driven by private security concerns, increasingly wade into the murky space
between clear legal prohibitions and traditional notions of justifiable
self-defense.  Indeed, as some commentators have pointed out, cyber
legislation in the United States hasn’t been comprehensively overhauled
since 2002, and it may well be time for hacking back to find a formal place
in the cybersecurity toolkit.

Given the current U.S. legal regime and the difficulty of identifying in
advance the potential state and foreign laws that might be impacted by
hacking back, the safest approach for a cyber-attack victim today is to do
exactly what most of us would do if physically attacked on the street—call
for help from the appropriate authorities.