Hacking back: A controversial idea that won't go away
- By Patrick Marshall
In a rare quiet moment during an otherwise tense hearing of the Senate Judiciary Committee on Jan. 16, Sen. Orrin Hatch (R-Utah) asked Department of Homeland Security Secretary Kirstjen Nielsen whether the department supported “hacking back” or “active defense” — measures taken by companies to strike back at hackers.
“Is active defense a part of the department's current or planned cybersecurity assistance to the private sector?” Hatch asked.
“It is, yes,” Nielsen responded, though she immediately added that there is a lot of disagreement about what active defense means. For DHS, she said, it means giving the private sector information -- in some cases information that would otherwise be classified -- about malware, botnets and other threats “so they can proactively defend themselves before they are in fact attacked.”
When Nielsen did not address the issue of “hacking back,” or proactively striking back at hackers, Hatch pressed further. “Do you believe that current law imposes any unnecessary constraints on the private sector's ability to deploy active defense?” he asked.
“It’s rather complicated,” Nielsen responded. Noting vaguely that there are “some limitations” with respect to liability and insurance, Nielsen offered that she’d be happy to work with Hatch’s staff on the issue.
There are, in fact, some very clear legal constraints on the private sector’s ability to deploy the kinds of active defenses Hatch referred to as “hacking back.” Specifically, the Computer Fraud and Abuse Act, first enacted in 1986, makes it illegal for anyone to use a computer to access other computers and networks without authorization. In short, hacking a hacker's computer would be a violation of the act.
While Hatch didn’t mention it during his questioning of Nielsen, legislation was introduced in October that would amend the Computer Fraud and Abuse Act to allow hack backs. Sponsored by Rep. Tom Graves (R-Ga.), the Active Cyber Defense Certainty Act would allow companies to retaliate against hackers. Specifically, the proposed legislation holds that “It is a defense to a criminal prosecution … that the conduct constituting the offense was an active cyber defense measure.”
Three similar bills were introduced in the previous Congress -- none of which managed to get out of committee. Critics noted that because private-sector companies lack the sophisticated attribution tools and information available to government, they could retaliate against the wrong targets and cause the kind of collateral damage prohibited by current and proposed laws.
Some experts also warned that allowing U.S. companies to retaliate against hackers would likely encourage bad actors to route their attacks through innocent networks -- government systems, medical facilities and critical infrastructure -- that, if retaliated against, could cause serious damage and embarrass the retaliator.
Perhaps the most curious thing about the recurring introduction of bills allowing hack backs is that the private sector itself does not seem interested in retaliatory operations.
“I haven’t heard from particular companies that they want to have that activity authorized,” Greg Nojeim, the director of the Freedom, Security, and Technology Project at the Center for Democracy and Technology, told a reporter after the Active Cyber Defense Certainty Act was introduced. According to Nojeim, the only vocal support for hack backs is from some academics and one or two think tanks.