U.S. Congressman Tom Graves recently proposed legislation that would amend the primary U.S. anti-hacking law to allow… hacking, so long as it’s done by the good guys. This idea, often called “hacking back” or “counterhacking,” has been bandied about for some time. SecurityWeek provides a nice analysis of the particular proposal, which is actually a bit more nuanced than I've suggested above. But for some readers it may be helpful to step back. So here’s a basic legal primer on counterhacking:
What is counterhacking?
Counterhacking is simply applying the adage that “the best defense is a good offense” to the problem of cybersecurity. In the most extreme, it entails taking actions that would normally be thought of as malicious hacking, but redirected back at the source of cyberattacks:
- Reverse denial-of-service attacks.
- Inserting malware onto attacking computers.
- Attempts to crash attacking servers.
- Inserting “web bugs” and “beacons” to locate stolen data.
But sometimes the term include more innocuous activities that just involve information gathering. These more vanilla activities are usually distinguished with names like “cyber intelligence gathering” or “active defense.”
Is counterhacking really a thing?
Maybe—but it’s hard to tell because almost no one will admit to it. The infamous hack involving Sony’s film The Interview is case in point. In response to the initial hack, widely blamed on North Korea, the White House publicly considered retaliatory hacking. Whether anything came of that consideration isn’t known. But coincidentally, North Korea experienced an Internet outage around that time…. Separately, third-party hacktivists Anonymous reportedly retaliated against North Korea. But it’s all just alleged. Putting aside hacktivists, no one wants to ’fess up to hacking back.
Is counterhacking legal?
It depends on the country. As a U.S. lawyer, I'll give the U.S. answer.
The U.S. Department of Justice’s traditional position has been “no.” In 2015, Assistant Attorney General Leslie R. Caldwell remarked:
"[B]ased on a simple, plain-text reading of the Computer Fraud and Abuse Act, such conduct is generally unlawful. Some observers, at times employing quite creative legal theories, have suggested that hackback conduct is lawful. That is simply contrary to the plain-text of the statute. However, even if it were lawful, we would still recommend against it, because we think that sound policy also militates against use of hackback tactics." (Statement of Assistant Attorney General Leslie R. Caldwell at the Georgetown Cybersecurity Law Institute, May 20, 2015.)
The U.S. DOJ’s “Computer Crimes Manual” is in accord:
"Although it may be tempting to do so (especially if the attack is ongoing), the company should not take any offensive measures on its own, such as 'hacking back' into the attacker’s computer—even if such measures could in theory be characterized as 'defensive.' Doing so may be illegal, regardless of the motive. Further, as most attacks are launched from compromised systems of unwitting third parties, 'hacking back' can damage the system of another innocent party. If appropriate, however, the company’s system administrator can contact the system administrator from the attacking computer to request assistance in stopping the attack or in determining its true point of origin." (DOJ Criminal Division, Computer Crime and Intellectual Property Section, Prosecuting Computer Crimes, app. D, item B(4), at 180, as of January 14, 2015.)
Some observers contend that counterhacking might be legal. Stewart Baker, former General Counsel of the U.S. NSA, argues that the Computer Fraud and Abuse Act must be interpreted in light of traditional notions of self-defense and self-help. In any event, he says, the Act is ambiguous enough that victims who undertake counterattacks may have a defense against criminal prosecution. Other experts in the field, like Orin Kerr, disagree. In Kerr's view, the Act just doesn’t have an exception for counterhacking. Without an express defense, you’d be crazy to take the risk of being prosecuted for counterhacking. (See Stewart Baker, Orin Kerr, Eugene Volokh, The Hack-Back Debate (Nov. 2, 2012).)
What about the more vanilla options of “active defense”? It’s a harder question, but defensive cyber actions like cyber intelligence gathering also might have legal consequences. For example, can you participate in a “dark web” chat room full of hackers—even if just to listen—without exposing yourself to the risk of criminal prosecution? Can you monitor your own company’s devices, or employee “bring you own” devices, without running afoul of foreign data privacy laws? These are questions that companies need to answer based on the laws of the jurisdictions in which they operate.
But why not hack back?
Companies that hack back can cause a lot of damage. And governments have a lot of good reasons to discourage the practice:
- Collateral damage to third-parties. (Hackers often take control of innocent third-parties’ systems to conduct cyberattacks. Retaliation against these systems can harm the third-parties.)
- Interference with ongoing government investigations.
- Dramatic escalation against an unknown adversary.
- Illegality in foreign jurisdictions.
- Interference with international relations.
Could counterhacking be legalized?
Even before Congressman Graves’s proposal, there was talk of legalization. In 2015, Assistant Attorney General Leslie Caldwell remarked:
"[I]n the . . . spirit of collaboration . . . the Cybersecurity Unit is considering whether to offer guidance on other types of effective and truly defensive countermeasures that are considered to be beneficial by cybersecurity experts."
The comment was vague, but widely understood to refer to some kind of counterhacking.
Even if one country legalized counterhacking, would it matter? After all, hacking is illegal pretty much everywhere. So even if the U.S. legalizes counterhacking, U.S. companies would face enforcement risks from other jurisdictions. To give just a couple examples:
- Britain’s Computer Misuse Act of 1990 expressly provides for jurisdiction over hackers regardless of their physical location, and therefore would cover companies counterhacking from the U.S.
- The Council of Europe Convention on Cybercrime, signed and ratified by the United States, prohibits unauthorized tracking or hacking tactics. Article 12 provides for corporate liability in the form of criminal, civil, or administrative penalties for cybercrimes.
So at least for the foreseeable future, individuals and companies that counterhack will do so at their peril.