By: Drusti Gandhi
Cyber attacks are certainly happening at a higher rate and with bigger stakes. Within recent years, targets have ranged from Sony Pictures to Yahoo to the DNC and, just recently, Equifax. The question becomes: what can the private sector do to defend itself from such attacks? Active defenses to cyber attacks are limited in their own ways. The Computer Fraud and Abuse Act (CFAA) does not provide much support in the way of active defense. It merely prohibits an individual from accessing someone else’s Internet devices without authorization, regardless of whether the person has malicious intent or was responding to an attack. However, experts have noted that there is a possibility of active defenses depending on how the CFAA classifies the word “authorization.” Technically, a victim cannot use defenses that go outside his or her network, so any retaliatory attack would have to happen within the victim's own network, such as hacking back against a botnet as it pushes security patches onto infected computers.
Active defense can range from basic passive Internet security (firewalls, antivirus) to information sharing, beacons, and botnet takedowns, to offensive active defense such as hacking back. Hacking back as a defense brings about its own challenges; it is currently considered an illegal concept within the cyber security field because it allows victims, individuals, or companies to retaliate against the attacker in order to obtain what was stolen. Certain members of Congress view this cyber “eye for an eye” action as an acceptable defense to cyber attacks. Representative Tom Graves (R-GA) recently proposed amendments to the CFAA, called the Active Cyber Defense Certainty Act (ACDC), that would exempt people employing hack back from criminal prosecution. It does prohibit any defense resulting in financial harm or collateral damage.
Currently, the only way to implement hacking back as a defense is through a state agency or law enforcement agency. They could deputize private firms or third parties to act under their authority to investigate the attack and pursue the attackers. Not only are the FBI and other law enforcement agencies giving companies authority to “hack back,” but when companies do use such defenses without law enforcement authority, they are not being prosecuted. There is clear ambiguity about what the CFAA allows and about the roles of enforcement agencies and the private sector in investigating attacks. There is a clear grey area in the law with respect to hacking back. It is seen as a cyber version of the self-defense one would see in tort law. But is this self-defense beneficial or more harmful?
Employing hack back as a defense could be seen as one’s natural right to defend one’s own property. There is also the issue of immediacy with cyber attacks, which would make hacking back a highly viable option. It would allow the individual or the company to immediately attack the attacker to obtain what was stolen and get some information on the identity of the attacker. Time is of the essence: acting quickly would allow the victims to take control of the situation, prevent any further damage, and could even allow them to feed the attacker false information in order to identify them. It would also allow the victim to control the situation and protect its network rather than let law enforcement agencies try to figure it out, because there are some doubts within the private sector about the ability of government officials and law enforcement agencies to address such issues, investigate the crime, and prosecute the attackers. It could also be a deterrent for attackers if they know that there is a high probability of an attack on their network with a risk of prosecution.
On the other side of the coin, hacking back could promote vigilantism. As for the deterrent effect, hacking back might not deter hacktivist groups who attack for the lulz or to expose weaknesses in the network. There is also the fear that legitimizing hacking back would lead to chaos, with attackers and victims going back and forth infiltrating each other's networks. Some critics worry that hack back would lead to violations of foreign laws and policies. It could also potentially lead to attacks on innocent third parties. Some hackers might use stolen computers to hack, so hacking back would end up harming the innocent original computer owners or publicizing them as the perpetrators. It might also lead to the destruction of evidence that could be beneficial to law enforcement agencies in identifying the attackers. It could also lead the victim into a third-party network, exposing that party's private files and potentially causing financial harm.
However, hacking back or something equivalent might be needed because many large corporations do not disclose when they have been hacked, making it harder for law enforcement to identify the perpetrator. Many large companies or firms feel embarrassed by the attack. They might also not disclose the hack for fear of losing consumers and investors. Many companies have disclosed that they prefer not to disclose their attack and instead have employed hack back as a defense. Congress could amend the CFAA with an active defense condition, but perhaps with a narrow permission for active defenses and with liability imposed for harm. It could also erase the ambiguity in the Act by clearly defining certain words like “authorization.” ACDC 2.0 would make it much easier for individuals and companies to operate such defenses by exempting them from prosecution and allowing them to hack the attacker’s system under certain conditions. But is it worth the potential risks, or will the benefits offset those risks?