Computers, Privacy & the Constitution
In the wake of increasing and sophisticated cyber-attacks and the failure of cybersecurity strategies to counter cyber-attacks, the idea of hacking back is being proposed as a solution. This paper explores the legal and ethical issues presented by hacking back.

The Dilemma of Hacking Back

-- By MuhammadUsman - 20 Mar 2022

For quite some years now, there have been debates around legalizing private sector hack-back. The concept of hacking back refers to allowing private sector entities to take intrusive cyber action against their attackers. Bills have been passed in the past to legalize hacking back with the most recent one being tabled by U.S. Senators Steve Daines and Sheldon Whitehouse. Essentially, the bill requires the Department of Homeland Security to conduct a “study on the potential consequences and benefits of amending section 1030 of title 18, United States Code (commonly known as the “Computer Fraud and Abuse Act”), to allow private entities to take proportional actions in response to unlawful network breach.”

This idea of using force to deter or stop crime stems directly from the physical world. The idea of fighting back is nothing new and it is intuitive that if you see a shoplifter in your shop, you will search and frisk the shoplifter and even reach into his pockets. It seems as if society recognizes that some amount of force is sometimes necessary and legal to defend property. However, the right to use reasonable force has not been extended to the cyber world so far. Presently, the CFAA prohibits unauthorized access to a computer, which constrains the private sector’s ability to engage in self-defense or ‘hacking back.’

While eliminating the idea of self-defense in the physical world would seem counterintuitive, complications arise when the concept is applied to cyberspace. Firstly, it is extremely difficult to attribute a certain attack to a specific individual or organization, as modern technologies allow cybercriminals to use deceptive techniques. For instance, while in the physical world you may see a person entering your house, a cybercriminal may simply use botnets, which conceal the identity of the actual criminal. Using botnets is just one example, but the digital world allows pretty much anything to be spoofed. In today’s cyber world, numerous organizations have their systems compromised in malicious attacks. If any such compromised system of an organization is used to attack a third organization and the third organization then uses the option of hacking back to neutralize the threat, this will revictimize the already affected organization. Cybercriminals are constantly evolving their techniques, which makes it extremely difficult to pinpoint and discover the cybercriminal.

In addition, the potential for causing collateral damage while hacking back is enormous. Like the physical world, the cyber world does not operate within clearly chalked-out boundaries. If hacking back is allowed, it will create a situation similar to private citizens standing at their fences shooting bullets aimlessly and hoping to eventually hit the actual criminal. Furthermore, the effectiveness of hacking back is also questionable. Even if the stolen data is located, it is improbable that deleting that data will provide any security because there is absolutely no way of finding out if any copies of the data were made. It can also be foreseen that hacking back might make the hacker determined to further hack you and damage your system, leading to a cyber-war that could be detrimental to the organization's survival. The example of Blue Security, which had to shut down because the angry spammer decided to fight back, illustrates this point. The situation is further complicated in cross-border cybercrimes, where cyberattacks can be seen as acts of war.

There are also a number of legal and administrative questions that remain unanswered. For instance, if an organization harms a third party during hacking back, who will bear the consequences? Who will decide what actions are legal and proportional, and what are the parameters to determine the types of targets that can be pursued? Hence, there is a risk that private companies might launch intrusive attacks without clear evidence and may also end up inflicting disproportionate punishments.

On the other hand, it is argued that government agencies and even the FBI are already overwhelmed by an onslaught of cyberattacks and legalizing hack-back might deter cybercriminals to a certain extent. It can also be argued that with the availability of this option, cybercriminals could be held accountable to a certain degree, as most of them go unpunished today. However, it is unlikely that hacking back will deter ideological hackers who are not motivated by profits or costs. It is also unlikely that taking intrusive actions will remedy the harms or wrongs committed by the initial attack. The entire concept of hacking back is still in its nascent stages. If the private sector is allowed to carry out activities such as hacking back without any significant oversight mechanisms and without deliberating upon the conditions on which hacking back may work, it would be a recipe for disaster and will create more harm than benefit.

Hacking back is far from the ideal response to cyberattacks. Government authorities are much better equipped to respond to cyberattacks, and perhaps the work of attacking criminals should be left to professionals who work within the bounds of a legal framework. Options as risky as hacking back are being debated and explored primarily because cybersecurity and law enforcement have not yet caught up with the sophistication of cyberattacks. However, cyberspace cannot be turned into a survival of the fittest. Perhaps a better route would be a true private-public partnership where both sectors work together and find alternatives to the currently failed cybersecurity strategy. The purpose of this paper is not to outrightly dismiss the proposition of hacking back but to establish the need to fully explore the intricacies and nuances of this strategy before even thinking of implementing it.


r1 - 20 Mar 2022 - 01:45:55 - MuhammadUsman