Hacking Back against Cyber Attacks



The rapid advancement of information technology facilitates an increasing demand for information transmission, processing, and storage. However, it also creates substantial data security risks, which have provoked wide public concern. Apart from implementing new defense technology to upgrade the traditional cyber protection system, some American corporations have developed a more aggressive strategy to fight against cyber attacks. One such example is the practice of active defense, which is often referred to as “hack back.” Back hacking is the process of reverse engineering hacking efforts, which attempts to stop cyber crimes by identifying attacks on a system and their origin. Some definitions also include aggressive active defense actions, such as stealing back what was stolen. The publication of the controversial “IP Commission Report” in 2013 provoked heated public debate over back hacking, making it a trending technology topic over the past two years. Although this approach intuitively seems more effective, whether back hacking is legal and whether it can be clearly defined remain controversial.

In “Cyber Security Active Defense: Playing with Fire or Sound Risk Management?,” Sean L. Harrington discusses various aspects of the legality and risks of active defense against cyber attacks. By exploring the risks associated with the most popular active defense tactics used by private organizations, including Beaconing, Threat Counter-Intelligence Gathering, Sinkholing, Honeypots, and Retaliatory Hacking, Harrington argues that it seems both difficult and unlikely for the government to legalize active defense without being able to establish what is or is not misattribution. In other words, it is difficult to distinguish between hacking and back hacking, meaning that hackers could potentially use active defense as a means to conduct cyber attacks. Without clear restrictions, it’s likely that an actual hacking action could be disguised as active defense.

In this context, alternatives to back hacking, including approaches that involve new technologies and those based on collaboration among corporations, governments, Internet Service Providers (ISPs), and trade associations, are evolving rapidly and are widely implemented by private corporations to reduce their cyber vulnerabilities.

Since back hacking is also “hacking” by nature, the public has not yet reached a consensus on its legality. Some believe that the legality of active defense depends on the exigency of the circumstances. If the specific circumstance is sufficiently demanding and the individual has proper intent, the active defense action could be justified. Opponents argue that active defense technically violates the law, and one practitioner even claims that it is both legally and morally wrong.

Without clear restrictions, legalizing active defense would bring huge risks of “potentially dangerous misattribution or misunderstanding.” The difficulties in differentiating aggressive back hacking from actual hacking actions would lead to serious legal issues. Although opinions differ, most practitioners and scholars agree that back hacking is not a viable option for various reasons.

However, in the contemporary era of information sharing, the private sector has greater demand for a secure cyber environment and advanced cyber protection technologies. Some commentators have urged that active defense “must be considered as a possible device in the cyber toolkit,” based on the fact that private firms currently do not receive enough help from the government. As the government continues to fail to take action to protect private organizations and individuals from cyber attacks, the private sector must step in and resort to self-help. However, these self-help strategies implemented by private organizations may or may not be appropriate in terms of legality. Without clear guidance from the government and law, such self-help actions could be risky and even dangerous.

The risks in private cyber security practices originate from the lack of a comprehensive regulatory and criminal framework. No new comprehensive US cyber legislation has been enacted since 2002, and neither the Computer Fraud and Abuse Act (CFAA) nor the Electronic Communications Privacy Act (ECPA) makes reference to the Internet. Eventually, the courts fill the significant gap between growing cyber security practices and a lack of clear legislation. This results in an unstable legislative framework, whose components, including state law, federal legislative proposals, and case law, are all in a state of flux. Practitioners need to follow and adapt to changes, which becomes a major source of legal risk in cyber security practices.

Apart from active defense, private corporations have also developed various alternative approaches in order to reduce their vulnerabilities to cyber crimes. Some of these alternatives are based on collaboration and information sharing among organizations; others are built upon new technologies or a combination of partnerships and technologies. These approaches have been proven effective and are steadily evolving.

The future of cyber security active defense remains unclear. Will active defense become a legal and powerful tool? Or will it eventually be abandoned and replaced by less risky alternatives? The answer will depend heavily on whether the government is willing and able to allocate adequate resources to develop a clear regulatory and criminal framework for cyber security and whether the private and public sectors are able to establish an effective and cooperative relationship.

 

Article Source: Harrington, Sean L., “Cyber Security Active Defense: Playing with Fire or Sound Risk Management?” Richmond Journal of Law & Technology, 12 (2014).

Feature Photo: cc/(UK Ministry of Defence)
