Debate Brewing Over Whether Companies Should Strike Back at Their Cyber Attackers

From: Bloomberg/BNA

By Alexei Alexis

With sophisticated cyber attacks on the rise, firms are increasingly having to decide whether to take aggressive self-defense measures in a legal environment that is both complex and uncertain, attorneys and consultants told BNA.

At issue are “active defense” tactics that may involve such steps as “hacking back” to locate stolen computer files and, in extreme cases, attempting to take down the network of an identified attacker.

“Until recently, there has not been much discussion about self-defense in cyber space,” Peter McLaughlin, Of Counsel at Morrison & Foerster LLP and co-chair of the American Bar Association’s Information Security Committee, said in a BNA interview. “It’s a very gray area in which companies must tread very carefully.”

The issue has become a hot topic within legal and computer security circles, McLaughlin said, adding that the ABA is very interested in providing “thought leadership” in this area.

The federal Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to a computer system, is seen as the primary U.S. statute governing how far companies may go in defending their computer networks. A violator could potentially face federal prosecution or civil litigation from an aggrieved party. Experts say the statute can apply to attackers and to victims who take countermeasures alike. Aside from the CFAA, various other laws within and outside of the United States could also come into play, according to attorneys.

“This is basically the wild, wild West of the cyber frontier,” David Bodenheimer, a partner at Crowell & Moring LLP, told BNA. “A company that engages in an active defense campaign that results in damage to another party’s computer could end up in a lawsuit without knowing how it will turn out.”

Asked whether the issue potentially requires attention from the Obama administration or Congress, White House spokeswoman Caitlin Hayden told BNA the law on the subject is already “very clear.”

DOJ Promotes Lawful, Effective Self-Defense

A Department of Justice spokesman said that companies can undertake a variety of actions on their own networks that are lawful and effective to protect their information, but any steps that alter, damage, or intrude upon other systems may violate the CFAA, federal electronic surveillance statutes, the laws of foreign countries, or state and local laws.

“Arguments for or against hack-back efforts fall into two categories: law and policy,” the DOJ spokesman told BNA. “Both recommend against hack-back. Under current law, accessing a computer that you do not own or operate without permission is likely a violation of law. And while there might be something satisfying about the notion of hack-back on a primal level, it is not good policy either.”

A DOJ computer crime manual warns companies that have experienced a cyber attack to avoid taking offensive measures on their own, such as hacking back. “Doing so may be illegal, regardless of motive,” the manual states. “Further, as most attacks are launched from compromised systems of unwitting third parties, ‘hacking back’ can damage the system of another innocent party.”

Meanwhile, at least one member of Congress, Rep. Louie Gohmert (R-Texas), has called for amending the CFAA to resolve legal concerns related to hacking back.

“It would certainly be worth examining an exception to the law that would be akin to self-defense protections under criminal assault laws,” he told BNA in a recently emailed statement.

Gohmert serves on the House Judiciary Committee, which has jurisdiction over the issue and is drafting cybersecurity legislation.

Hill, Obama Tackle Cyber Threats

The hacking back controversy has emerged as both Congress and the White House are paying increased attention to cyber attacks against U.S. businesses. In February, President Obama signed an executive order directing federal agencies to promote industry adoption of voluntary cybersecurity standards, among other steps (31 DER A-35, 2/14/13).

However, there is broad, bipartisan consensus in Washington that cybersecurity legislation is still needed. The House Judiciary Committee is just one of several panels in both the House and Senate that are preparing for legislative action.

“We must not allow cyber crime to continue to grow and threaten our economy, safety and prosperity,” House Judiciary Committee Chairman Bob Goodlatte (R-Va.) said in a statement prepared for a March subcommittee hearing (50 DER A-24, 3/14/13).

John Boles, deputy assistant director of the FBI’s cyber division, said in testimony provided to the panel that U.S. companies are facing diverse cyber threats, including organized crime groups seeking consumers’ financial data for fraud operations and foreign cyber spies on the hunt for valuable intellectual property that can give overseas companies a competitive advantage.

A number of reports have identified China, in particular, as a primary source of mounting cyber threats. Earlier this year, a series of high-profile cyber attacks were disclosed by such companies as The New York Times Co., The Washington Post Co., The Wall Street Journal, Twitter, and Apple Inc.

A report issued by Alexandria, Va.-based computer security firm Mandiant Corp. in February directly linked the Chinese government to a sophisticated hacking unit responsible for stealing hundreds of terabytes of data from as many as 141 organizations, headquartered in the United States and other English-speaking nations, since at least 2006 (34 DER A-22, 2/20/13).

After the report was issued, China’s Ministry of Foreign Affairs posted a statement on its website saying that the Chinese government has always resolutely opposed cyber attacks and that groundless speculation and accusations will not help solve the problem.

Experts Debate Hacking Back

Within legal and computer security circles, there is growing debate over whether companies should respond to cyber threats by hacking back. Some experts say that it is an unwise and dangerous practice, and others take the position that it could be justified in some cases, particularly when companies are facing a potentially devastating cyber threat, such as the theft of valuable intellectual property.

Stewart Baker, a partner in the Washington office of Steptoe & Johnson LLP and a former assistant secretary for policy at the Department of Homeland Security under the George W. Bush administration, has been a leading active defense proponent.

In an October 2012 blog post, Baker argued in favor of letting companies “counterhack” in order to extract information about an attacker and locate stolen computer files.

“[C]omputer hackers won’t be bringing many lawsuits against their victims,” Baker said. “The real question is whether victims can be criminally prosecuted for breaking into their attacker’s machine. And here the answer is: Surely not. Even if you could find a federal prosecutor wacky enough to bring such a case … the ambiguity of the [CFAA] makes a successful prosecution nearly impossible. Deeply ambiguous criminal laws like this are construed in favor of the defendant.”

Baker said that requiring the victim not to counterhack because of uncertainty about the innocence of the machine’s owner “simply gives an immunity to attackers.”
