⚠ We would appreciate if you would disable your ad blocker when visiting our site! ⚠
Fighting Fire with Fire: Legal and Ethical Issues of Active Defense and Hacking Back

Fighting Fire with Fire: Legal and Ethical Issues of Active Defense and Hacking Back

Order a reprint of this story
Close (X)
ORDER A REPRINT

To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.

SEND EMAIL

October 25, 2017
Legal Corner
Sean Cox



©2017 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

It’s happened. 
 
Despite all the recommended precautions, despite a robust IT security architecture, despite the correct polices and procedures, despite proper employee training, your enterprise has been hacked. The breach plan is ready to go. Everyone knows their job and what to do. You bring in a forensic security professional and she says that the best response is to go on the offense. She recommends that you hack the hacker. Your plans did not prepare you for this possibility, and your first question is, “Can we do that?”
 
Many security experts point out that the low risk is a key driver in the prevalence of cyber crime. To many, the best approach to reversing the trend is for private industry to aggressively counter cyber crime and strike back against these criminals. Enterprises can pursue a spectrum of active countermeasures. This spectrum, referred to as active defense, comprises measures taken outside the enterprise’s network perimeter to enhance the security of the network. Examples include sharing threat information with industry and law enforcement, traps for cyber criminals, beacons that alert when confidential files are compromised, and dark web investigations. Hacking back represents the extreme end of the active defense spectrum and describes striking back at the cyber criminal by accessing, damaging, or breaching the criminal’s own system. The reasons for hacking back can be several: recovering or unlocking data, obtaining evidence, exposing the bad actor, preventing further attacks, disabling botnets, or even attacking and shutting down the attacker’s system. 
 
Much of the active defense spectrum is uncontroversial and is becoming commonplace. Many of the tools are the result of coordination between industry, cyber security companies and law enforcement. However, general frustration with the seeming inability of traditional cybersecurity methods to stop a stream of high profile attacks is encouraging many to explore new options. For example, in the case of ransomware, the FBI does not recommend paying the ransom, but acknowledges that victims should weigh the costs of doing or not doing so. When a company’s very existence is at stake, the desire to do something, or to get payback can be strong. Going on the offense may seem like the best, if not only, response. Despite the legal risks, a feeling of helplessness can lead enterprises down a dangerous path. In many cases after a breach, the authorities can be little or no help. Doing so may cause greater complications. However, when enterprises start considering countermeasures that risk collateral damage, the potential legal repercussions, both criminal and civil, are very real. Any unorthodox response should be carefully considered, legal ramifications weighed, and strict parameters set.
 
Effectiveness of Active Defense Measures and Hacking Back
Probably the most common active defense measures, offered by many cyber security companies, are tools such as “honeypots,” which are seemingly juicy, but fake targets, and “beacons,” which are tools attached to valuable files that alert owners when the files are exfiltrated. While there is little quantitative analysis as to the efficacy of these systems, they can be effective in increasing the burden on cyber criminals. This may in turn cause the criminals to waste time, thereby permitting detection or causing them to seek easier prey.
 
Farther down the spectrum, hacking back also has its success stories. For example, in 2009 and 2010 Google discovered that it, and several other large technology companies, was the target of sophisticated cyber espionage believed to be controlled or supported by the Chinese government. Google was able to track these activities to a server in Taiwan, which it was able to shut down, and then informed the United States government. The wide-ranging cyber espionage was publicly attributed to China and condemned by the United States government. In this instance Google was not subject to any criminal or civil repercussions, but this is likely because it was circumspect in the methods it used and there was no known collateral damage.
 
In a very recent story, customers of an encrypted email provider ProtonMail began receiving phishing emails that appeared to be coming from ProtonMail. According to reports, not long after the phishing emails went public, the link used by the cyber criminals in the emails went offline. ProtonMail then tweeted, “We also hacked the phishing site so the link is down now." Perhaps recognizing potential legal risks, shortly thereafter, the tweet was deleted by ProtonMail.
 
These success stories come from sophisticated technology companies. Not every company has the wherewithal to undertake such an endeavor or understand the potential consequences. Less publicized are the failures. An attempt to recover stolen data is unlikely to succeed. It can never be certain that the cyber criminal has not already distributed the information. Trying to disrupt or disable attacker’s systems could also harm innocent third parties. Successful cyber criminals often hide in the systems of legitimate entities. 
 
Legality and Risks of Hacking Back
There have been calls for the U.S. government to allow the private industry greater leeway in countering bad actors. The Center for Cyber and Homeland Security at The George Washington University released comprehensive recommendations for a legal and regulatory framework that would allow private industry to employ active defense measures. It sets out recommendations for the executive and legislative branches that focus on clarifying what is permissible and establishing guidelines. These recommendations have not yet been adopted, but in early 2017, legislation that would “allow the use of limited defensive measures that exceed the boundaries of one’s network in an attempt to identify and stop attackers,” was introduced in the United States Congress. The legislation has yet to gain significant traction towards passage.
 
While the legal and cyber landscape may be moving toward greater flexibility, and may eventually condone more active defensive measures, the law has not caught up with the realities of cyber crime and defense. 
 
The United States Department of Justice recommends against hacking back, and warns that it risks civil and criminal liability. The Computer Fraud and Abuse Act (CFAA) makes it a criminal offense in a broad range of circumstances to access computers and other electronic devices without authorization. CFAA also allows private persons whose electronic devices have been accessed without authorization to bring civil actions for monetary damages. Building on the CFAA, the Cybersecurity Act of 2015 clarified what cybersecurity measures are permissible under the law. It authorizes private companies to use defensive measures within its own systems and the systems of consenting entities. However, “defensive measures” specifically excludes “a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or data on an information system not belonging to” the entity. As currently written, these laws broadly prohibit most types of actions that would be considered “hacking back.”
 
Beyond potential criminal sanctions, misguided offensive measures risk striking innocent third parties. 
 
The potential costs of hacking back are not limited to the malicious hacker or the organization choosing to hack back because cyber criminals often hide themselves and launch attacks from the networks of legitimate entities. Other common attacks such as distributed denial of service attacks and attacks from so-called zombienets may use devices owned by innocent third parties who have already fallen victim to the hacker. Any offensive action against these systems risks damage to the property of these innocent third parties, and could entail significant civil liability to those third persons.
 
Just because cyber security companies may offer offensive services does not mean they are legal. Just as some cyber criminals are protected by the lack of laws prohibiting cyber crime in their locale, some vendors are willing to provide a more active response to cyber attacks than professionals located in the United States or other countries with robust cyber laws. It is important to understand what your cyber security professionals are doing. Simply outsourcing illegal actions is unlikely to absolve an enterprise from civil or criminal liability.
 
Recommendations
There are options for active defense that are legal and may make your enterprise less susceptible to cyber crime. As cyber crime becomes more and more prevalent, active defense may become standard. However, when an entity chooses to go beyond traditional perimeter and internal-based security measures, it is important to understand what the measures entail and weigh their potential for civil or criminal liability. The greater the external effect of the measure, the more well-defined the rules of engagement must be and the greater thought that must be given to preventing collateral damage.
 
 
Sean Cox, CIPP/US, is an attorney in the Atlanta office of Hall Booth Smith. His practice involves both domestic and global data privacy and security regulation. He is well-versed in data incident response, and guides clients through the regulatory, legal and business pitfalls of data incidents.

Articles By The Same Author

2022 Privacy Roundup
2021 Privacy Legislative Update
Injecting Good Practices into Mandatory Vaccination Programs
Privacy Implications of Remote Working
Revisiting the California Consumer Privacy Act of 2018
Privacy Implications of Facial Recognition
Typosquatting: An Old Danger Showing Renewed Vigor
Consumer Privacy - California Consumer Privacy Act of 2018
GDPR - Don't Be So Sure It Doesn't Apply to You
Privacy Implications of Voice-activated Devices


Related Articles
want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.

Close   X