The Evolving Landscape of “Hacking Back” Against Cyber Attacks
Self-defense is a natural, almost reflexive human instinct. But it has a complicated history in American law, full of contradiction and compromise. Many jurisdictions have long recognized that an otherwise illegal act—such as taking a swing at a purse-snatcher—may be justifiable (and therefore legally permissible) in the context of fending off a physical threat or attack. But victims of cyber-attacks tempted to “hack back”—have yet to enjoy such a privilege. In fact, following through on this natural instinct in cyberspace could lead to criminal and civil liability.
Broadly speaking, “hacking back” refers to attempts by cyber-attack victims to locate the perpetrator of the attack and, in some cases, identify and recover any information that may have been stolen by working backwards from the point of entry of the attack.
Cyber security scholars have debated the effectiveness and propriety of such an approach. Some liken hacking back to a justified response to a physical attack, while others compare it to vigilantism. As the number and scope of cyber-attacks continues to increase rapidly, this debate is heating up. Some thought leaders argue that creating a hacking back privilege may be appropriate. As articles in the Washington Post and the Financial Times recently noted, the idea of hacking back—or “active defense” as proponents of this strategy prefer to call it—is gaining momentum, particularly amongst private entities that believe that law enforcement is not agile or responsive enough to catch hackers in the act or before data is accessed or acquired. Proponents of this strategy argue that hacking back—or at least identifying a cyber-attack in its early stages—can give victims a leg up by identifying materials that may be stolen before any data is actually copied, and by identifying the whereabouts of the perpetrators to bring them to justice.
Regardless of this philosophical disagreement, under U.S. law hacking victims enjoy no special legal privileges when it comes to hacking back. In fact, just the opposite is true. In guidelines released over the summer, the Department of Justice specifically admonishes “victimized organizations” to “not attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack.” Regardless of the motive, the DOJ observes, “doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability.”
The U.S. laws the DOJ is referring to include, among other things, the Stored Communications Act and the Computer Fraud and Abuse Act, both of which criminalize (and create civil penalties for) intentionally accessing third-party computers without permission, and various state laws which essentially criminalize this behavior on a local level. Hacking back runs afoul of these laws because effectively tracing the source of a cyber-attack often involves surreptitiously accessing other computers (even the hackers’) without their owners’ consent. Violating these laws carries stiff penalties, including fines and—in many cases—the possibility of many years in prison. And as the DOJ noted, hacking back may be governed by foreign law too. Because the internet is inherently multijurisdictional, hacking back in response to a cyber-attack could result—intentionally or unintentionally—in following perpetrators through a maze of interstate and international jurisdictions, exposing cyber victims to a morass of jurisdictional issues and laws. Besides violating criminal law hacking back carries the risk that the computer systems of an innocent third party could also be damaged, because hackers often gain access to their target through third-party servers.
To date, the ultimate legality of hacking back has not been adjudicated in the courts—principally, one imagines, because a hacker is unlikely to come forward and identify themselves as a victim—but it is certainly an issue that is ripe for judicial interpretation, especially as private actors, driven by private security concerns, increasingly wade into the murky space between clear legal prohibitions and traditional notions of justifiable self-defense. Indeed, as some commentators have pointed out, cyber legislation in the United States hasn’t been comprehensively overhauled since 2002, and it may well be time for hacking back to find a formal place in the cybersecurity toolkit.
Given the current U.S. legal regime and the difficulty of identifying in advance the potential state and foreign laws that might be impacted by hacking back, the safest approach for a cyber-attack victim today is to do exactly what most of us would do if physically attacked on the street—call for help from the appropriate authorities.