Should an organization that is the victim of an intentional nefarious hacking activity resort to retaliation? It’s a question that has been gathering a lot of attention. Retaliating against bad actors might seem appealing, but what are the legal ramifications? Is there even a legal precedent to do it?
Ostensibly, the purpose of a “hack back” is to identify the attacker and possibly recover stolen data by retaliatory means. In the current debate, this would ideally be done under some form of legal protection. The idea of alerting the authorities and thereby gaining legal cover to go and compromise your attacker’s system is appealing and could provide a valuable deterrent. It may also support your disaster recovery efforts.
The controversy around this concept has raged for years and seems to be gaining momentum with the recent scourge of ransomware and large-scale malware deployments. The temptation to engage in retaliatory cyberwarfare might feel emotionally satisfying. But, for this discussion, the question of what is appropriate, moral, or fair will take a backseat to what is legal. To wit: is hacking back even legal?
The Computer Fraud and Abuse Act (CFAA) of 1986 took a clear and unwavering stance on the idea of the hack back: countermeasures against a computer intrusion could not exceed standard preventive measures such as anti-malware, and retaliatory actions were prohibited. Most of the applicable charges carried possible 1- to 5-year criminal sentences.
However, in March of 2017, the Active Cyber Defense Certainty Act (H.R. 4036) was introduced in the House of Representatives. The bill is described as follows:
“A bill to amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes; to the Committee on the Judiciary.”
H.R. 4036 provides individuals and companies the legal right to perform retaliatory actions when their data is stolen or their system has been breached.
According to the bill, the victim of a cyberattack is allowed to access information on the computer of their attacker for the following purposes:
- Establish attribution (e.g., the nature, cause and source) of criminal activity to share with law enforcement and other U.S. Government agencies responsible for cybersecurity.
- Disrupt continued unauthorized activity against the defender’s own network (without damaging the computer systems of the presumed attacker or anyone else).
- Retrieve and destroy any stolen data.
- Monitor the behavior of an attacker to assist in developing future cyber defense techniques.
- Use beaconing technology (technology that sends information about the attacker’s computers and networks back to the victim’s network).
For hacking back to be a legal recourse, the threshold hinges on the term “persistent unauthorized intrusion”: you must prove a “persistent” threat while also identifying the attacker and attributing the attack. This requires accuracy, documentation, and a defined framework that can be vetted and supported by the FBI when the victim company notifies it. Only then could any hacking back occur under legal cover. The protection also applies only to U.S.-based companies and individuals and provides no legal cover or relief outside the country.
Obviously, a considerable level of skill, tooling, structure, protocol, documentation, and discipline is required to engage in this type of cyber defense strategy. Although the concept can certainly be appealing, hacking back as a defense strategy seems to be a perilous and questionable tactic, as the potential drawbacks, from misattributing the attack to harming systems beyond the presumed attacker’s, seem to outnumber the benefits.
What are your thoughts on hacking back?
Is hacking back a worthwhile component of a cyber defense strategy? Is it even feasible if it were legal? Let us know what you think about hacking back on Twitter @GKonITsecurity.