The Washington Post

Should the U.S. allow companies to ‘hack back’ against foreign cyber spies?

This Shanghai complex is allegedly the home of a Chinese military-led hacking group that extensively targeted U.S. companies. (PETER PARKS/AFP/Getty Images)

Foreign hackers do remarkable damage by breaking into American companies, stealing intellectual property worth enormous amounts of money, swiping proprietary secrets for military technology or other uses and, in the case of some recent Chinese attacks, even exposing U.S. counterintelligence efforts. The Obama administration has made clear that it takes the threat seriously and is escalating efforts to stop it.

One suggestion increasingly floated in the private sector is to allow companies to "hack back." Current U.S. law makes it illegal for private firms to launch retaliatory cyberattacks, and the issue is highly controversial. But it's entering the mainstream.

A new report, from a private commission on intellectual property theft chaired by former U.S. ambassador to China Jon Huntsman and former director of national intelligence Dennis Blair, raised the possibility of changing the law to allow for hacking back. While it stopped short of directly advocating such attacks, it did call for a milder, legal form of hacking back and said the United States should consider changing the law if other measures fail.

It can be tough to talk about allowing corporations to run their own mini cyberwars because, like hacking itself, no one is exactly sure what sorts of norms will develop and where the technology will lead us. The conversations tend heavily toward the hypothetical. Advocates of "hacking back" point out that criminal and state-run hackers are only getting better, and that because they risk little by attacking purely defensive systems, they will simply persist until they succeed. Opponents warn that such a serious escalation could erode what few cyber-norms already exist, turning the Internet into a battlefield where not just rogue states and freelance criminals, but a lot of very rich corporations, are invading privacy, stealing data and otherwise hacking for the specific purpose of doing damage.

What does hacking back actually mean? The lighter, legal version advocated in the report suggests that companies could load up sensitive data with a sort of self-destruct device: If, say, plans for a new kind of jet engine are stolen, then special code embedded within the plans might cause the file to become unreadable or even lock up the thief's computer. Think of it kind of like the dye packs that some banks will toss in with cash if they're being robbed: The pack explodes, covering the cash in ink and making it far less useful for the robber.

But most foreign hackers aren't like bank robbers in that they rarely face the threat of arrest. If an attack goes bad, the attacker can usually just close his or her laptop and go out for a latte to think about how to succeed next time. Advocates of "hacking back" say companies should be allowed to actively deter or punish hackers by inserting malicious code into their machines or even publicly outing them. Here's one example, which the New Yorker's John Seabrook cited in a recent article on cybertheft:

In one instance, which Dmitri Alperovitch, of [cyber-security firm] CrowdStrike, cited approvingly to me, the government of Georgia lured a Russian hacker, who had been breaking into government ministries and banks for more than a year, to a machine that planted spyware on the hacker's computer and used his Webcam to take his picture; the photographs were published in a government report. "The private sector needs to be empowered to take that kind of action," Alperovitch said.

The U.S. cybersecurity firm actually did something similar, although less invasive, when it tracked down and published the personal information of some state-sponsored Chinese hackers who had attacked the New York Times.

The big step in the Georgia case, which likely would be illegal in the United States, was actively inserting malicious code into a hacker's computer. Allowing companies to do this carries a few very significant risks. First, although in the Georgia case the code was more playful than harmful, it's easy to imagine corporations taking this a step further. If you're a big military contractor worried about billion-dollar technology or an oil firm fearful that competitors might try to preempt your secret expansion plans, how aggressive would you be willing to get with foreign hackers?

It's not difficult to imagine such firms, willing to spend heavily to defend their intellectual property and accustomed to a cutthroat business environment, launching retaliatory attacks that go beyond just publicly shaming a cyberthief. It opens all sorts of difficult questions: Is it okay to make a hacker's hard drive overheat? To steal his or her credit card information? What if the hacker hasn't actually stolen anything yet, but is poking around in a way that seems potentially malicious? What if he or she might be employed by a powerful foreign government?

The potential risks of allowing cyber-retaliation can get pretty scary. Foreign Policy's John Reed points out that hackers often deploy their attacks from "hijacked computers belonging to innocent bystanders," meaning that a corporate retaliation might end up targeting people who've done nothing wrong.

James Andrew Lewis, at the Center for Strategic and International Studies, calls hacking back "a remarkably bad idea that would harm the national interest." Encouraging corporations to compete with the Russian mafia or Chinese military hackers to see "who can go further in violating the law," Lewis writes, "is not a contest American companies can win." Lewis also asks what happens if, for example, the Chinese government catches a U.S. firm hacking back in a way that violates international law and requests an Interpol arrest warrant for the company's CEO? Does he or she risk arrest by traveling abroad?

Allowing companies to hack back would, Lewis points out, essentially abandon the U.S. effort to establish durable international norms that hacking is bad, implicitly endorsing the idea of all-out cyberwarfare among corporations and criminals in a way that would make it tough to hold anyone accountable. The great powers of the 18th and 19th centuries didn't stop piracy by telling legitimate traders to slap on an eye patch and just pirate back; they did it by patrolling the seas, hunting down pirates and punishing their state sponsors. While some firms like the East India Company did form private armies to combat pirates and hostile foreign governments, this was not a system that ultimately served the world's interests.

Allowing American companies to challenge foreign hackers at their own dirty game does not, of course, necessarily make them a digital version of the East India Company. But the norms around cyberspace and the technological limits of hacking are evolving so rapidly and unpredictably that it's tough to really evaluate the upsides and downsides of hacking back. The costs of inaction are clear and substantial, but the costs of expanding the cyberwar to any corporation with an IT department are nearly impossible to judge, which is exactly what makes them so scary.