Authorizing Private Hackback Would Be a Wild West for Cybersecurity

Private “hackback” is back in the news, with Sen. Sheldon Whitehouse (D-R.I.) raising the issue of “how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression.” Encouraging online vigilantism in cyberspace is fraught with peril. It threatens to make a chaotic cyber battleground more dangerous and takes the government off the hook for protecting us in cyberspace.

What is hackback? To simplify, it describes actions outside an entity's network that are designed to defeat a cyber attack, as well as certain attempts to repossess stolen data. On one end of the spectrum, there are fairly benign and possibly legal techniques, such as the use of software “beacons” that a hacker might unknowingly pick up from a victim, which transmit code to the victim from the attacker's network. It could refer to more aggressive actions like taking an attackers' servers offline. And, at the far end of the spectrum is the digital equivalent of O.J. Simpson going to that Vegas hotel room to steal back sports memorabilia he claimed was stolen.

The Department of Justice has long advised that, “'hacking back' and similar intentional intrusions onto third-party computers and networks can carry serious legal consequences and policy risks.”

Nonetheless, some policymakers are interested in hackback because they want the private sector to defend itself against an onslaught of attacks from criminals and nation states. Last year, Congressman Tom Graves introduced the Active Cyber Defense Certainty Act. It would exempt the use of “attributional technology” from the federal Computer Fraud and Abuse Act, which makes any computer intrusion illegal. Recently, Senator Whitehouse suggested that it is time to consider promoting broader hackback by private companies.

The U.S. should be wary of deputizing the private sector to engage in computer intrusions or otherwise wage cyber war. Cyber is a central national security issue. According to Director of National Security Dan Coats, “the digital infrastructure that serves this country is literally under attack.” The government must lead cyber defense. The private sector should not be the tip of the spear in this unsettled area. Our nation doesn't even have clear rules of engagement for government cyber operations, and experts clamor for international norms that might have moral force or justify responsive action by a sovereign nation.

Concerns about hackback are not philosophical. A critical challenge in cyberspace is in identifying the source of attacks. Attribution is hard; it took months for the White House to publicly attribute the WannaCry attacks to North Korea. Hackers routinely use the servers of innocent third parties to launch attacks, and misguided retaliation could intrude on or take these servers offline. Expecting the private sector to make these tough calls is unrealistic. And, it increases the risk of unintended consequences and collateral damage. Worse, the perpetrator may be a nation state, eager for an excuse to retaliate or justify its own misdeeds. It is not hard to imagine a cyber tit-for-tat, with innocent people paying the price. As a Wired article recently noted, cyberspace is “a medium where national borders have no meaning, and where collateral damage travels via a cruel and unexpected logic.” Domestic corporations should not be encouraged to take actions that occur at machine speed and can have significant diplomatic and real-world consequences.

Legitimizing hackback is not consistent with calls by DHS and Cyber Command for more collaboration with the private sector. A spirit of cooperation already guides work in several agencies, where private companies help the government execute core homeland security functions, such as working with FBI to take down botnets and identify global hackers.

Congress should not expect the private sector to shoulder responsibility for one of the government's most fundamental duties. In the physical world, we do not advise citizens that they are on their own to chase down criminals or that they can launch their own counter-terrorism operations. Cyberspace should be no different.

The government should not expand federal law to deputize private “hackback.” It is counterproductive to encourage a wild west for cybersecurity, especially when so much of our lives are bound up in a properly functioning Internet. Authorizing private cyber operations may complicate network operators' security efforts and open the door to vast unintended consequences. Instead, our government should aggressively defend the U.S. from the serious threats posed by overseas adversaries, promoting international norms and collective defense.

Megan L. Brown, a partner leading the cybersecurity and technology practices at Wiley Rein LLP, is the Cybersecurity Program Director at the National Security Institute at George Mason's Antonin Scalia Law School. She served at the Department of Justice under Attorneys General Alberto Gonzales and Michael Mukasey. Matthew J. Gardner is Of Counsel in Wiley Rein LLP's cybersecurity practice, where he litigates and advises companies about cyber risk, defenses, and incident response. He is a former Assistant United States Attorney.