Authorizing Private Hackback Would Be a Wild West for Cybersecurity
Hackbacks are back in the news, but it may be counterproductive to encourage a wild west for cybersecurity, especially when so much of our lives are bound up in a properly functioning Internet.
September 06, 2018 at 08:00 AM
5 minute read
Private “hackback” is back in the news, with Sen. Sheldon Whitehouse (D-R.I.) raising the issue of “how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression.” Encouraging online vigilantism in cyberspace is fraught with peril. It threatens to make a chaotic cyber battleground more dangerous and takes the government off the hook for protecting us in cyberspace.
What is hackback? To simplify, it describes actions outside an entity's network that are designed to defeat a cyber attack, as well as certain attempts to repossess stolen data. On one end of the spectrum, there are fairly benign and possibly legal techniques, such as the use of software “beacons” that a hacker might unknowingly pick up from a victim, which transmit code to the victim from the attacker's network. It could refer to more aggressive actions like taking an attackers' servers offline. And, at the far end of the spectrum is the digital equivalent of O.J. Simpson going to that Vegas hotel room to steal back sports memorabilia he claimed was stolen.
The Department of Justice has long advised that, “'hacking back' and similar intentional intrusions onto third-party computers and networks can carry serious legal consequences and policy risks.”
Nonetheless, some policymakers are interested in hackback because they want the private sector to defend itself against an onslaught of attacks from criminals and nation states. Last year, Congressman Tom Graves introduced the Active Cyber Defense Certainty Act. It would exempt the use of “attributional technology” from the federal Computer Fraud and Abuse Act, which makes any computer intrusion illegal. Recently, Senator Whitehouse suggested that it is time to consider promoting broader hackback by private companies.
The U.S. should be wary of deputizing the private sector to engage in computer intrusions or otherwise wage cyber war. Cyber is a central national security issue. According to Director of National Security Dan Coats, “the digital infrastructure that serves this country is literally under attack.” The government must lead cyber defense. The private sector should not be the tip of the spear in this unsettled area. Our nation doesn't even have clear rules of engagement for government cyber operations, and experts clamor for international norms that might have moral force or justify responsive action by a sovereign nation.
Concerns about hackback are not philosophical. A critical challenge in cyberspace is in identifying the source of attacks. Attribution is hard; it took months for the White House to publicly attribute the WannaCry attacks to North Korea. Hackers routinely use the servers of innocent third parties to launch attacks, and misguided retaliation could intrude on or take these servers offline. Expecting the private sector to make these tough calls is unrealistic. And, it increases the risk of unintended consequences and collateral damage. Worse, the perpetrator may be a nation state, eager for an excuse to retaliate or justify its own misdeeds. It is not hard to imagine a cyber tit-for-tat, with innocent people paying the price. As a Wired article recently noted, cyberspace is “a medium where national borders have no meaning, and where collateral damage travels via a cruel and unexpected logic.” Domestic corporations should not be encouraged to take actions that occur at machine speed and can have significant diplomatic and real-world consequences.
Legitimizing hackback is not consistent with calls by DHS and Cyber Command for more collaboration with the private sector. A spirit of cooperation already guides work in several agencies, where private companies help the government execute core homeland security functions, such as working with FBI to take down botnets and identify global hackers.
Congress should not expect the private sector to shoulder responsibility for one of the government's most fundamental duties. In the physical world, we do not advise citizens that they are on their own to chase down criminals or that they can launch their own counter-terrorism operations. Cyberspace should be no different.
The government should not expand federal law to deputize private “hackback.” It is counterproductive to encourage a wild west for cybersecurity, especially when so much of our lives are bound up in a properly functioning Internet. Authorizing private cyber operations may complicate network operators' security efforts and open the door to vast unintended consequences. Instead, our government should aggressively defend the U.S. from the serious threats posed by overseas adversaries, promoting international norms and collective defense.
Megan L. Brown, a partner leading the cybersecurity and technology practices at Wiley Rein LLP, is the Cybersecurity Program Director at the National Security Institute at George Mason's Antonin Scalia Law School. She served at the Department of Justice under Attorneys General Alberto Gonzales and Michael Mukasey. Matthew J. Gardner is Of Counsel in Wiley Rein LLP's cybersecurity practice, where he litigates and advises companies about cyber risk, defenses, and incident response. He is a former Assistant United States Attorney.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1'Largest Retail Data Breach in History'? Hot Topic and Affiliated Brands Sued for Alleged Failure to Prevent Data Breach Linked to Snowflake Software
- 2Former President of New York State Bar, and the New York Bar Foundation, Dies As He Entered 70th Year as Attorney
- 3Legal Advocates in Uproar Upon Release of Footage Showing CO's Beat Black Inmate Before His Death
- 4Longtime Baker & Hostetler Partner, Former White House Counsel David Rivkin Dies at 68
- 5Court System Seeks Public Comment on E-Filing for Annual Report
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250