From data breaches to denial of service attacks, the private sector routinely faces a barrage of threats from those seeking to wreak havoc on their digital systems for profits, politics, or pleasure. When faced with an attack, companies can take steps to secure their own systems, but they are not authorized to retaliate against any system that they do not own—even one that is actively causing them harm. In response, some stakeholders have proposed authorizing companies to take action against servers, networks, and devices they do not own to identify and monitor attackers, disrupt ongoing attacks, and destroy stolen data.
What are the domestic and international implications of authorizing private entities to engage in offensive cybersecurity operations? Should governments allow this, and if so, what restrictions should governments impose on these actions? Would these measures ultimately help improve cybersecurity or create more problems than they solve?
On March 27, 2019, the Information Technology and Innovation Foundation held a panel discussion on the viability and consequences of authorizing companies to “hack back.” ITIF Vice President Daniel Castro moderated the panel.
In his remarks, Bruce Heiman of K&L Gates outlined five main points of active defense, describing a spectrum of increasingly aggressive measures:
- Track – Attribute the attack to an individual or group of individuals.
- Hack – Gather intelligence on the attack.
- Sack – Delete or recover stolen data.
- Jack – Exploit the threat to assert control over the attacker.
- Whack – Destroy attacker’s system.
Sven Herpig, Project Director of the Transatlantic Cyber Forum at Stiftung Neue Verantwortung, noted that German law draws no distinctions between these types of hacking, and acknowledged the need for such detailed defense options.
Adam Golodner of Arnold & Porter then noted how the Computer Fraud and Abuse Act challenges the initiative to “hack back.” This new concept of “hacking back” opens the conversation about the legal and ethical dilemmas that surround active defense measures.
Heiman emphasized the need for more legislation on this matter, as victims should have legally sanctioned defense options. Angela McKay, Senior Director for Cyber Policy at Microsoft, then noted the importance of customer privacy and how “hacking back” not only raises ethical challenges but could also create trust and branding issues. Golodner also noted the significance of the motive behind a defense measure, further emphasizing its ethical implications.
Castro then introduced the topic of monitoring hacker activity after a cyberattack in an effort to prevent future attacks. McKay noted that these issues can be addressed through analysis of the software itself rather than by taking external action. Given the multinational nature of many software organizations, it is crucial that the actions taken to address these issues align with the global consensus. She also stressed that the United States’ strategy for addressing the issue domestically has the potential to set a global precedent.
Herpig agreed that action needs to be taken in a general sense, but that the security threats of “hacking back” should not be overlooked. Defense measures have the potential to worsen security and privacy problems rather than rectify them.
Castro shifted the conversation to what initiatives both companies and the government are taking to combat this ongoing issue. Golodner acknowledged Microsoft’s efforts to eliminate malware and stressed the U.S. government would benefit from a more centralized federal department that focuses on cyber defense in efforts to catch hackers.
Overall, the panelists agreed that cybersecurity persists as an international threat. Despite the prominent need for defense measures, companies must be aware of the legal and ethical dilemmas of “hacking back” until there is a global consensus on active defense.