By: Jon Neri,

In light of the recent Equifax data breach, I feel that now is an appropriate time to be talking about current legislative pushes for the public recognition and legalization of defensive hacking efforts. Defensive hacking, sometimes referred to as “hackback,” is a method to prevent and counteract future data breaches that has been scarcely discussed within a political forum up until recently.[1] There is no single process to successfully hack an eminent hacker, and companies have been imploring a wide range of counter-hacking methods for well over a decade.[2] Despite varying avenues for accomplishing a preemptive attack, strategies commonly involve collecting intel on suspect hackers, breach the hackers’ data infrastructures, and then proceeding to destroy any stolen data.[3]

Large companies, banks, search engines, and other internet entities that store the private information of their users are known to contract private companies and individuals who specialize in this practice; the goal being to protect their own networks and data from further breach and prevent the release of confidential information.[4] Despite the known fact that these employed hackers are breaking those same laws as threatening hackers, their methods have rarely gained large-scale public attention.[5] Therefore, the debate on whether such practices should become deemed suitable and further condoned under federal law has never entirely culminated.[6]

While defensive hacking remains unsupported by codified law, it has long been observed that governing policy appears to support such efforts in countervailing data breaches.[7] In 2005, there was a highly-publicized case in which the plaintiff sued his former employer for wrongful termination after being let go following his independent investigation of a network breach.[8] Shawn Carpenter had been employed at Sandia National Laboratories as a network security analyst when the company’s network was hacked in 2003.[9] Carpenter took it upon himself to launch an independent investigation, utilizing hacking techniques in order to track-down a cyberespionage group centralized in China.[10] He eventually reported his discoveries to the FBI.[11] Once Sandia officials learned of Carpenter’s sharing of information with outside agencies, they terminated him for the inappropriate use of power and confidential information that he only had access to through his position as network security manager.[12]

Carpenter sued and ultimately won his case, the District Court of New Mexico awarding him $4.3 million in punitive damages and over $387,000 in compensatory damages.[13] Carpenter’s attorney gave a statement indicating that the jury’s verdict served as “vindication of his decision to do the right thing and turn over the information he obtained to the proper federal authorities… protect[ing] the national interest.”[14] It’s safe to say that over a decade later, the message sent in the Carpenter ruling stands true today: the law intends to protect those who hack on behalf of security interests, whether those interests stem from government or otherwise.[15]

However, the hush around counter-hacking has steadily grown louder with every news heading boasting another large-scale cybersecurity breach. As a result, some legislatives appear ready to address hackback within the public forum. In March of this year, Representative Tom Graves presented a discussion draft bill which would amend the Computer Fraud and Abuse Act (CFAA).[16] Representative Graves stated that the “bill is about empowering individuals to defend themselves online… [amendment] will serve as a disincentive for criminal hacking because the risk of getting caught will likely go up.”[17] This is because private individuals and companies will now officially be protected under the proposed law, when implementing hacking techniques with the intent to track hackers immediately following a network breach.[18]

The proposed bill essentially provides a “defense to a prosecution under the CFAA that the conduct constituting the offense was an active cyber defense measure.”[19] This means that it is simply to be applied as a justification for the immediate tracking of hackers after a cyberattack.[20] It excludes the “destruction of data” or the “impairment of the functionality of the attacker’s computer system.”[21] Thus, the proposed amendment does not place justice in private hands, but allows victims to conduct an instantaneous defense against hackers and then report relevant information to government agencies responsible for cybersecurity.[22]

While the bill has received praise from legal professionals such as University of Texas law professor Robert Chesney, who sees it as a necessity in our technological age, it is not lacking in critiques.[23] In fact, its strongest opposition is from those who deal in cybersecurity as a profession. Brad Maryman, retired FBI agent and leader cybersecurity firm Maryman & Associates, is not of the opinion that “the average citizen is capable of appropriately identifying the hacker.”[24] This is because cyberattacks are routed through other victims’ network systems after they have been attacked themselves. [25] This creates a string of computers, known in the field as “botnet” networks.[26] Botnets are often incredibly complicated, and the notion that millions of victims engage in searches, trying to navigate such a complex maze, delivering information to authorities along the way could easily turn into chaos for everyone involved.[27]

Regardless of its initial feedback, Rep. Graves’s bill represents a transition in legal discourse surrounding cybersecurity. As data breaches continue to plague our industries, we will undoubtedly see increased efforts to promote legislation concerning cyberattacks and the rights of victims involved. Based on recent events in our cyber community, such rights are likely to incite legal protections concerning defensive hacking techniques in the near future.

 

[1] See Joseph Cox, Revenge Hacking Is Hitting the Big Time, The Daily Beast (Sept. 19, 2017, 1:00 AM), https://www.thedailybeast.com/inside-the-shadowy-world-of-revenge-hackers.

[2] See Jaikumar Vijayan, Reverse hacker wins $4.3M in suit against Sandia Labs, Computerworld (Feb. 14, 2007, 12:00 AM), https://www.computerworld.com/article/2543470/security0/reverse-hacker-wins–4-3m-in-suit-against-sandia-labs.html.

[3] Cox, supra note 1.

[4] Id.

[5] See id.

[6] See id.

[7] Robert Chesney, Legislative Hackback: Notes on the Active Cyber Defense Certainty Act discussion draft, Lawfare Blog (Mar. 7, 2017, 10:30 AM), https://www.lawfareblog.com/legislative-hackback-notes-active-cyber-defense-certainty-act-discussion-draft.

[8] Vijayan, supra note 2.

[9] Id.

[10] Id.

[11] Id.

[12] See id.

[13] Id.; see also Carpegnter v. Sandia Corp., No. 05-06347, N.M. Dist. WL 1108465 (Feb. 21, 2007).

[14] Vijayan, supra note 2.

[15] Chesney, supra note 7.

[16] See Steven Nelson, ‘Self-Defense’ Bill Would Allow Victims to Hack Back, U.S. News, Mar. 9, 2007, https://www.usnews.com/news/articles/2017-03-09/self-defense-bill-would-allow-victims-to-hack-back.

[17] Id.

[18] Chesney, supra note 7.

[19] Id.

[20] See id.

[21] Active Cyber Defense Certainty Act of 2017 (discussion draft), 115th Cong. § 2(1)(B) (2017).

[22] Id. at § 3(2)(B).

[23] Chesney, supra note 7.

[24] Nelson, supra note 16.

[25] Id.

[26] See id.

[27] See id.

Image Source: https://thetempconnection.com/2777-2/.