Inspired by this week’s episode of the Steptoe Cyberlaw Podcast and a conversation with Brock Meeks, an old friend and sparring partner, Victoria Muth and I contributed an op-ed summarizing the case for hacking back to Atlantic Media’s BRINK site. A few excerpts below:
Corporate executives are fed up with the current approach to network security. They’ve been spending more and more on security. Despite that spending, they’re told that they can’t expect to keep intruders out of their networks; the best they can hope for is to lock the intruders out of their most important files, or to keep hackers from exfiltrating all that data.
Government is failing us there, too. While there have been more high-profile indictments and even somewhat more prosecutions of hackers, the government lacks the resources to attribute most network compromises. A single large financial institution probably spends more on static network defense than the entire Federal Bureau of Investigation and Justice Department spend investigating intrusions nationwide.
Worse, the Justice Department and FBI have been spending at least some of those scarce resources trying to stop victims from going beyond static network defense, claiming that deploying active defenses that might have an effect outside the victim’s network is legally questionable under the Computer Fraud and Abuse Act (CFAA).
We need a more effective method to attribute cyber attacks—and more effective retribution for the attackers.
Opponents call this “hacking back,” and they conjure dire consequences, such as the accidental shutdown of hospital intensive care networks, or massive retaliation against the United States because private actors have thwarted a state-sponsored intrusion. But network defenders aren’t forced to choose between huddling at home waiting to be attacked, and launching the cyber equivalent of a thermonuclear exchange. There are many ways to improve both our attribution and our retribution tools without resorting to indiscriminate attacks.
After attribution comes retribution. Here, too, the U.S. government has made progress. For example, the Executive Branch and Congress have proposed a “Strategy on Mitigating the Theft of Trade Secrets” as well as a “Joint Strategic Plan on Intellectual Property Enforcement,” calling for improved protections by “naming and shaming” countries that don’t take certain actions against hackers. Justice Department indictments, even if they never produce arrests, have changed the sense of impunity in hacking circles.
But again, government cannot do the job alone. We need to bring private resources to bear on retribution as well as attribution—not by endorsing network attacks, but by encouraging retribution within the law. Luckily, once an attack has been attributed, legal remedies begin to look quite realistic. Companies that have received their competitors’ trade secrets from hackers begin to look quite vulnerable. These companies often do business in the U.S., and they can be sued here under several existing statutes.
Don’t expect much comfort from the Justice Department or the FBI. They’ll say that active defense is at least arguably a violation of the CFAA. What they won’t tell you, though, is that the CFAA exempts actions taken under law enforcement authority. Not federal law enforcement authority. Any law enforcement authority. If you can find a sheriff or attorney general who’s willing to deputize your forensics team, federal threats to invoke the CFAA lose most of their force.
In short, you don’t have to sit and take it anymore. There are plenty of risks in trying to go beyond passive network defenses, but there may be more risk in doubling down on an approach to network defense that has been failing ever more spectacularly for 30 years.