Hacking Back in Self-Defense: Is It Legal? Should It Be?
Hacking? Bots? The bottom line is that we are losing the war. Businesses must be able to defend themselves to prevent the loss of money, technology, and secrets. As new laws are explored, old ones amended, and solutions sought, let's think outside the box and give the good guys the advantage, or at least a fighting chance. This paper explores some of the ways clear, forward, out-of-the-box thinking and analysis can put us back in the game.
Your business has been hacked, leaving you with a persistent bot; now what? Legal disclaimer: the following theory is just that, a theory; it does not constitute legal advice, nor does it advocate or provide justification for hacking back. Okay, here it is: when plagued with a persistent bot, you can legally use automated code outside of your network, in specific circumstances and via specific means, to eliminate the threat in an act of self-defense or defense of property.
I don't need to regurgitate numerous statistics to prove that hackers seem to have the upper hand these days, but consider this: of the 500+ companies recently surveyed, 90% admit to having been hacked, with losses averaging $500,000 or more.2 Most cyber security experts agree that getting hacked is no longer a matter of if, but when. One hundred percent security is a myth. So what can you do? Standard responses are slow and, in many cases, not very effective. Nations can legally defend themselves, but what about businesses?
A Losing Battle - Defending Against the Botnet
The presumption is that a business cannot reach outside its network in self-defense to block an attacker. I disagree. I am not advocating vigilantism, but we are losing the war in cyberspace and must rethink our strategy and our laws. Too much money and too many secrets are walking out the door unchecked. We need to open a dialogue and move the conversation forward toward better responses, solutions, and laws.
My focus is the botnet since, currently, it appears to pose the largest threat, with millions of infected machines around the world being used to attack networks.3 Computers and networks are infected through a variety of methods: phishing attacks, malware on legitimate and fake websites, employees visiting social media sites, and others. In 2010 and the first half of 2011, the top four botnets were:
| 2010 | 2011 (first half) |
|---|---|
| RudeWarlockMob (TDL-3), now TDL-4 | SpyEye Operator (OneStreetTroop) |
| RudeWarlockMob (TDL-3), now TDL-4 | RudeWarlockMob |
Current responses to these threats are to detect, block, clean up, and move on. Dealing with a bot in your network can be like getting your kids to clean their room: it takes a lot of work, and a day later it is dirty again. What if, once the bot is discovered, a company could block it from talking to its command and control (CnC) server?
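As an added illustration (not the author's proposal, and not code from this article), here is the in-network half of that response: scanning your own egress logs for the bot's phone-home beacon, which shows up as near-constant intervals between connections to one external destination, and then blocking that destination at your own gateway. Nothing here touches the CnC server. The log format, addresses, host names, and thresholds are constructed assumptions.

```python
"""Beacon detection over egress logs: find internal hosts that contact the same
external destination at near-constant intervals (a bot's phone-home), then emit
egress firewall rules that block that destination at our own perimeter.

Added example, not from the original article. The log format, IPs and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: "timestamp src_ip dst_ip dst_port bytes".
# 10.0.0.12 beacons to 203.0.113.7:443 every ~300 s; 10.0.0.15 is ordinary browsing.
SAMPLE_LOG = """\
2011-09-01T08:00:00 10.0.0.12 203.0.113.7 443 512
2011-09-01T08:00:07 10.0.0.15 198.51.100.20 80 15301
2011-09-01T08:05:01 10.0.0.12 203.0.113.7 443 514
2011-09-01T08:07:40 10.0.0.15 198.51.100.21 443 9821
2011-09-01T08:10:02 10.0.0.12 203.0.113.7 443 511
2011-09-01T08:12:13 10.0.0.15 198.51.100.20 80 2203
2011-09-01T08:15:00 10.0.0.12 203.0.113.7 443 513
2011-09-01T08:20:01 10.0.0.12 203.0.113.7 443 512
2011-09-01T08:25:02 10.0.0.12 203.0.113.7 443 512
2011-09-01T08:31:55 10.0.0.15 198.51.100.22 443 45211
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        yield ts, parts[1], parts[2], int(parts[3])


def find_beacons(text, min_hits=5, max_jitter=0.05):
    """Return {(src, dst, port): mean_interval_seconds} for flows seen at least
    min_hits times whose inter-arrival times are nearly constant, i.e. whose
    coefficient of variation (stddev / mean) is below max_jitter."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[key] = round(avg, 1)
    return beacons


def egress_block_rules(beacons):
    """Translate detected beacons into iptables rules for our own egress gateway.
    These only stop the infected host from reaching the CnC; nothing is sent to it."""
    return [
        f"iptables -I FORWARD -s {src} -d {dst} -p tcp --dport {port} -j DROP"
        for (src, dst, port) in sorted(beacons)
    ]


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for key, interval in found.items():
        print(f"beacon: {key} every ~{interval}s")
    for rule in egress_block_rules(found):
        print(rule)
```

Real bots add jitter to their check-in interval and rotate CnC addresses, so in practice you loosen `max_jitter`, key on the resolved domain rather than the IP, and feed the result into a sinkhole or proxy deny list rather than a single iptables rule. The point of the example is the boundary: everything it reads and everything it changes belongs to the defender, which is exactly the line the hack-back scenario below steps across.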
So, let's assume you found a virus or bot in your network and believed you had cleaned it up, but, lo and behold, it is back.5 For whatever reason, law enforcement was not able to assist, or, for business reasons, you decided that calling law enforcement was not advisable. You have not been able to determine the location of the CnC server, which likely belongs to an innocent bystander whose network was infected and is now controlling hundreds or thousands of bots without the owner's knowledge. Alerting the CnC server owner and asking him to correct the situation is therefore not an option.
Hacking Back In Self-Defense
It would be technically difficult but clearly feasible: what if you implanted code in the phone-home or communication function of the bot so that, when it contacts the CnC server for instructions, that code blocks or cuts off the communication path at the CnC server? A perfect solution? Not even close, but it may finally rid you of that nasty bot. Is this hacking? Is it gaining unauthorized access to, or trespassing on, a computer system?
Computer Fraud and Abuse Act
Many laws could apply; most, if not all, states, as well as many countries, have some sort of computer trespass law. In the interest of brevity we will focus on the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA was enacted in 1986 and has been amended several times since, notably in 2001 and again in 2008. Under § 1030(a)(5), a violation is committed by anyone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; . . . or intentionally accesses a protected computer without authorization, and as a result of such conduct, . . . causes damage and loss."6 Other provisions exist, but these pertain directly to our discussion. This language should raise the following questions: is placing code on the phone-home function of a bot, knowing it will eventually reach the CnC server, "gaining unauthorized access"; and is blocking the communication path causing "damage" or "loss"?