In the cyber-security world, "hacking back" (using hacker-like techniques to defend a company's IT systems by going on the offensive and instituting countermeasures against cyberattacks) is generating much buzz. For example, some companies create dummy administrator web pages. Another ploy is setting up traps in company IT systems called "honeypots." These consist of IT assets and data that appear to be part of a valuable network, but the IT is actually isolated and monitored, the information has no value, and the company is able to collect certain coordinates of the hacker attempting to extract the "sweets." Some cybersecurity software companies now offer services designed not only to be used defensively, detecting weaknesses in a company's IT devices, but also to strike back at hackers by detecting vulnerabilities in their systems.
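As an added illustration of the honeypot idea (example code, not from the original article), the following is a minimal decoy administrator login page: it is isolated, in that it holds nothing real and never authenticates anyone, and monitored, in that every touch is recorded with the visitor's coordinates. The decoy paths, bind address and form field names are assumptions for the illustration.

```python
# Added example, not code from the article: a decoy "administrator" login page.
# Isolated (holds nothing real, never authenticates) and monitored (every touch
# is recorded). Paths, port and form field names are assumptions.
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

DECOY_PATHS = {"/admin", "/admin/login"}  # constructed decoy locations
EVENTS = []  # in-memory alert log; a real deployment would ship this off-host
FORM = (b"<html><body><h1>Administrator Login</h1><form method='post'><input name='user'>"
        b"<input name='pass' type='password'><button>Sign in</button></form></body></html>")


def record_hit(remote_addr, method, path, user_agent, form=None):
    """Build an alert event; keep it only if the request touched a decoy path.
    The username typed is attacker-supplied data worth keeping; the password is
    deliberately dropped, since it may be a credential stolen from elsewhere."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": remote_addr, "method": method, "path": path,
        "user_agent": user_agent or "", "decoy": path in DECOY_PATHS,
        "attempted_user": (form or {}).get("user", [""])[0],
    }
    if event["decoy"]:
        EVENTS.append(event)
    return event


class DecoyHandler(BaseHTTPRequestHandler):
    def _respond(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        hit = record_hit(self.client_address[0], "GET", self.path, self.headers.get("User-Agent"))
        status, body = (200, FORM) if hit["decoy"] else (404, b"not found")
        self._respond(status, body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        record_hit(self.client_address[0], "POST", self.path, self.headers.get("User-Agent"), form)
        self._respond(401, b"invalid credentials")  # always reject: nothing to log in to

    def log_message(self, *args):
        pass  # EVENTS is the record; silence the default stderr access log


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()  # constructed bind address
```

Because the decoy serves no real function, any request to it is suspect by definition, which is what makes the recorded events useful as alerts rather than noise.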
While identifying and exposing hackers, and potentially crippling a hacker's operations, may be justifiable and even satisfying in a Dirty Harry fashion, companies hacking back need to consider potential legal exposure and be mindful that these activities may incite hackers frustrated by such countermeasures to hit even harder. Legal exposure may include criminal sanctions, civil liability for collateral damage to innocent third parties, and regulatory scrutiny of data security breaches that such activities may invite. Many countries currently have laws that expressly prohibit such activities. Worse, the same laws aimed at hackers could apply equally to hacking back. For example, US statutes such as the Wiretap Act and the Computer Fraud and Abuse Act do not include exceptions for self-defense.
A less intrusive option is heightened vigilance when implementing a company's internal cyber-security policies and protocols. For example, companies may undertake industry-accepted steps in a more rigorous and disciplined fashion, such as regularly conducting audits or penetration tests to find the vulnerable links in their systems, and educating their workforce to avoid practices that expose the company to hacker attacks. Although hackers are becoming more sophisticated, the techniques employed are still often very simple. A recent report on hacking concluded that three-quarters of enterprise network intrusions were the result of weak or stolen user names and passwords.[1]
There is growing support to permit cybertheft victims, at the very least, to retrieve stolen data. A commission on IP theft led by President Obama's first director of national intelligence and Jon M. Huntsman recommended that companies that experience cybertheft should be permitted to retrieve their electronic files and "limit the exploitation of their stolen information."[2] The American Bar Association's Cybersecurity Legal Task Force is also expected to release a report on hacking back soon, and is expected to focus, in part, on "data beaconing," a measure that works like a tracking device for stolen data by signaling to the owner where the stolen data is stored.
Meanwhile, continued surveillance of this area of cybersecurity "active" defenses is warranted. We suspect that the ongoing debate and legislative efforts will focus on differentiating between, on the one hand, permitting certain self-help measures like retrieving stolen data and obtaining information about the hackers, and, on the other hand, prohibiting measures that seek to punish hackers or prevent further attacks by inserting disabling code in their systems. Stay tuned, and vigilant!
[1] 2013 Data Breach Investigations Report, VERIZON, http://www.verizonenterprise.com/DBIR/2013/ (last visited December 16, 2013).
[2] Christopher M. Matthews, Support Grows to Let Cybertheft Victims 'Hack Back', WALL STREET JOURNAL ONLINE (June 2, 2013, 9:33 PM), http://online.wsj.com/news/articles/SB10001424127887324682204578517374103394466.