Is it a good idea for an organization to resort to retaliation when it is the victim of malicious hacking activity? This topic has attracted a lot of attention. Retaliating against bad actors might sound appealing, but what are the legal ramifications? Is there a legal precedent?
The purpose of a hack back is, in essence, to identify an attacker and possibly retrieve stolen data in a retaliatory way, and to do so under some form of legal protection. The idea of alerting the authorities and then having legal cover to go and compromise the hacker’s systems is appealing. It could act as a deterrent, and it could also help with disaster recovery efforts.
This concept has been controversial for many years, and it seems to be getting more attention with the recent ransomware outbreak and large-scale malware attacks. Cyberwarfare might seem appealing from an emotional standpoint. The discussion here will focus on legality and morality. To put it another way: is hacking back even legal?
The Computer Fraud and Abuse Act of 1986 (CFAA) made its opposition to the hack back clear and unwavering. Computer hacking attacks could not be answered with anything other than standard preventive measures such as anti-malware; retaliatory actions were prohibited. The majority of the charges carried possible 1- to 5-year prison sentences.
The Active Cyber Defense Certainty Act (H.R. 4036) was introduced in the House of Representatives in March 2017. The bill is described as follows:
“A bill to amend Title 18, United States Code to provide a defense against prosecution for fraud and related activities in connection with computers for persons protecting against unauthorized intrusions into computers and for other purposes; to the Committee on the Judiciary.”
H.R. 4036 gives individuals and companies the legal right to take retaliatory action if their data is stolen or their systems are breached.
The bill allows the victim of a cyberattack to access information on the attacker’s computer for the following purposes:
To establish attribution (i.e. the nature, cause, and source) of the criminal activity and share that information with law enforcement and other U.S. Government agencies responsible for cybersecurity.
To disrupt any unauthorized activity that continues against the defender’s network (without causing damage to the computer systems of the presumed attacker or anyone else).
To recover and destroy any stolen data.
To monitor the behavior of an attacker in order to help develop future cyber defense techniques.
To use beaconing technology (technology that sends information about the attacker’s computers and networks back to the victim’s network).
Hacking back must meet a legal threshold, which is based on the term “persistent, unauthorized intrusion.” You must prove that the hacking is a persistent threat and identify the attacker. This requires accuracy, documentation, and a framework that can be vetted by the FBI and supported by them once the victim company notifies the FBI. Only then can hacking back be done under legal cover. This does not apply to individuals or companies based in the United States.
This type of cyber defense strategy requires a certain level of skill, tooling and structure. While the idea is appealing, hacking back as an effective defense strategy seems dangerous and questionable, and the potential drawbacks appear to outweigh the benefits.
What are your thoughts about hacking back?
Is hacking back a useful component of a cyber defense plan? Is it legal? Let us know your thoughts about hacki