Tuesday, June 26, 2012

The illegality of striking back against hackers

Recent security publications have highlighted an interesting trend: companies "hacking back" against infiltrators and potential data exfiltrators. The concept sounds intriguing - if the internet is the wild wild west, then what better way to participate in it than to let the tumbleweeds shift in the wind as you and your foe see who can draw first, or, more accurately, get the last shot. However, the Computer Fraud and Abuse Act provides no escape hatch for such actions; there is no Castle Doctrine in federal statutes relating to hacking, and no such doctrine in state cybercrime laws, either. Any such activities are ill-advised, likely illegal, and do nothing but encourage the escalation of cybercrime.

It's certainly clear that this is a response to the plethora of attacks that have happened recently, but, more tellingly, I think it stems from the clear embarrassment that permeates any large company's mea culpa when it admits a breach has occurred. The article above notes that firms have popped up that are for-hire counter-strikers. While the notion fulfills the age-old revenge story meme, and could even make hackers think twice about striking your company (if they knew you would take such measures), the legal niceties are nothing even remotely so poetic. Here is a non-exclusive list of the problems I see with such a strategy:

1.  Such actions tread into legal no-man's-land - namely, that as far as I can tell, there is no legal precedent in support of such actions. Conversely, there's a great deal of case law that is not on your side and that states bluntly that unauthorized access is just that, unauthorized - no matter who the party "hacking" is.

2.  Any sophisticated hacker that would attack a semi-large or multi-national corporation isn't going to be hacking from their Dell PC at home, sitting behind a poorly secured Linksys router. They will be hitting through proxies, utilizing Tor, or more likely executing strikes through already compromised machines. The implication of this is three-fold - (a) in striking back, you may end up attacking an unwitting third-party who is likely also a victim of a computer crime - therefore, you will have even less sympathy if litigation arises; (b) if the originating host is an already compromised third-party, you could accidentally cause greater damage to hosts that are specifically enumerated in the CFAA, such as government computers, those containing national security information, or systems involved in medical care or public health/safety (See the DOJ's Prosecuting Computer Crimes manual) - and end up with a significant felony; or (c) (assuming a world where hacking-back becomes common), end up irritating a non-interested party, motivating them to also attack you.

3. While such actions may embolden or vindicate a hacked entity, they also put a larger target on your forehead. More specifically, if I were a hacker and my goal was simply to exfiltrate data, and you then attack me back, I am highly likely to escalate my attacks quid pro quo. Accordingly, what might have been simply a small case of data loss may turn into full scale damage to your systems; instead of sneaking in and out, you are now susceptible to much more malicious attacks - Denial of Service attempts, deletion of sensitive or irreplaceable data, actual hardware damage, or "doxing" of company executives. This undoubtedly will raise the price of the incident exponentially.

4.  It is unclear to me what an entity stands to gain by hacking back, other than the cathartic chest pounding that may occur when one can say that they "lost the battle, but won the war." Is that really worth a potential prison sentence? Yes, your efforts could assist law enforcement in tracking down who hacked you, but it won't be so cathartic when the tables are turned, post investigation, to then investigate you for your actions.

5. Lastly, in 2008 the CFAA was amended to include a conspiracy offense, so you may not even need to actually breach an attacker to run afoul of the law. Could a corporate agreement with a strike-back contractor be sufficient to violate 18 U.S.C. 1030(b)? That is not clear - but I'm betting we are going to find out if this trend evolves into the norm.

2 comments:

  1. Assuming that the retaliating party would be able to avoid harming third parties, would you not think that law enforcement and prosecutors would turn a blind eye to their acts? I realize they could be prosecuted for what they were doing, but it just doesn't seem likely. See, for example, the Unknownuser case (US v. Jarrett, 338 F.3d 339 (4th Cir. 2003)).

    I guess the other side is that an employee has to ask themselves if it is really worth risking possible prosecution for the sake of avenging their employer.

  2. Mr. Webb:

    The words and metaphors chosen to describe any particular activity can influence the application of law to that activity. It may be inaccurate to describe a well-intentioned, socially-responsible activity as "hacking back" because the word "hacking" carries a negative connotation. Depending on the circumstances, the activity might better be called "responding" or "reacting" or "rendering ineffective." http://legal-beagle.typepad.com/security/2011/08/crime.html

    --Ben Wright
