By Melisa Azak

In the past decade, data breaches have become more common, with nearly 38 billion records breached in 2010.[1] To put that number in perspective, if all of those records belonged to American residents, each person would have nearly 116 accounts hacked.[2]

Some of the largest companies in the world have struggled with how to deal with hackers. Equifax suffered one of the largest breaches in American history, with 147 million Americans affected by its 2017 breach, which exposed highly sensitive information such as credit card numbers, Social Security numbers, and dates of birth.[3] The company later settled with consumers for $671 million to resolve a multi-district consumer class action litigation, creating a resolution fund to restore “actual out-of-pocket losses related to the breach” as well as “other consumer benefits such as identity restoration services.”[4]

The particular danger of data breaches is that culpable hackers rarely get caught and prosecuted, leaving businesses and governments continuously vulnerable to targeted attacks. The Third Way, a center-left think tank, estimates that only 0.3% of cybercrime complaints are prosecuted and enforced.[5] Further, only one in six victims of cybercrime actually report to law enforcement, making the effective enforcement rate about 0.05%.[6]

And even when hackers are found, diplomatic relations can draw out complex prosecutions. Yevgeniy Aleksandrovich Nikulin, for instance, was found guilty earlier this year of numerous charges, including computer intrusion and data theft, eight years after he hacked LinkedIn and Dropbox in 2012.[7] His defense team argued unsuccessfully that prosecutors relied improperly on misinformation from the Russian government and “asked the jury to consider the possibility that the U.S. government was prosecuting the wrong person.”[8] Nikulin’s case seems to demonstrate a broader tactic by the United States to send a firm message to foreign hackers: although they may rarely be found, they will be severely punished when caught.[9]

However, with breaches becoming more severe and ubiquitous, forceful prosecution may not be enough to stop hackers from obtaining sensitive information and hacking with near impunity. Third Way recommends that the United States adopt ten key strategies to meet the growing cybersecurity threat.[10] One of the country’s key goals, the think tank suggests, should be to expand law enforcement’s role in combating hackers.[11] Currently, state and local law enforcement officers, prosecutors, and judges in digital and cybercrime investigations are grossly underfunded.[12] Further, fewer than a quarter of publicly funded crime labs offer “dedicated digital evidence support services.”[13] Effectively meeting the cybersecurity threat requires that the country allot more resources to existing law enforcement organizations.

Other key findings include ramping up international efforts by seeking mutual legal assistance treaties and agreements, which are binding documents “typically bilaterally signed between the United States and other countries to formalize the parameters of their criminal justice cooperation.”[14] Given the global nature of successful hacks, these treaties can be “critical tools for sharing data and digital evidence in cyber investigations and prosecutions.”[15]

Another effective tactic may be to adopt the old adage “if you can’t beat them, join them.” A new start-up company called Synack provides ways for companies to discover their security flaws, and then turns those problems over to hackers “who use their powers for good” to see how they could use the flaws to breach the client, better preparing the client for future attacks from hackers who want to use their powers for nefarious purposes.[16]

However, too offensive a cybersecurity approach may raise legal complications. Although Justice Department officials find that “the optics would be ‘awfully poor’ if the department prosecuted a company that had retaliated against foreign hackers,” the Computer Fraud and Abuse Act prohibits any form of hacking.[17] Many cybersecurity firms “hack back” by creating “honeypots,” or “caches of documents that fool hackers into thinking they are inside a target’s system,” so they can trace the identities of hackers from their digital trails.[18] Considering the growing cybersecurity threat and the need for new strategies to meet it, the Act may have to be modernized to allow companies to add “hacking back” to their arsenal of cybersecurity defense tools.[19]

The growing cybersecurity threat is not unlike 9/11. Before 9/11, the government struggled with a “lack of prioritization of the [terrorist] threat, competing priorities and immense bureaucratic challenges.”[20] If the United States wants to avoid repeating history’s mistakes and avoid a “digital” 9/11 incident, it must take an unprecedented, comprehensive approach and meet elusive hackers head on.

[1] Megan Leonhardt, The 10 Biggest Data Hacks of the Decade, Make It, CNBC (Dec. 27, 2019 9:01 AM), https://www.cnbc.com/2019/12/23/the-10-biggest-data-hacks-of-the-decade.html.

[2] Id.

[3] Id.

[4] See Press Release, Equifax Announces Comprehensive Consumer Settlement Arising from 2017 Cybersecurity Incident (Jul. 22, 2019), https://investor.equifax.com/news-and-events/press-releases/2019/07-22-2019-125543228.

[5] Mieke Eoyang et al., To Catch a Hacker: Toward a Comprehensive Strategy to Identify, Pursue, and Punish Malicious Cyber Actors, Third Way 7 (Oct. 29, 2018), https://thirdway.imgix.net/pdfs/override/To_Catch_A_Hacker_Report.pdf.

[6] Id.

[7] Hannah Albarazi, Russian LinkedIn, Dropbox Hacker Gets 7-Year Sentence, Law360 (Sep. 29, 2020 11:26 PM), https://www.law360.com/articles/1315137.

[8] Hannah Albarazi, Russian Convicted in LinkedIn, Dropbox Cyberattacks, Law360 (Jul. 10, 2020 9:13 PM), https://www.law360.com/articles/1291090?scroll=1&related=1.

[9] See supra note 7 (“Assistant U.S. Attorney Michelle Kane sought out a tougher sentence; one that would send a message to other foreign hackers that they cannot act with impunity.”).

[10] See supra note 5, at 2.

[11] Id. at 13–15.

[12] Id. at 15.

[13] Id.

[14] Id. at 20.

[15] Id. at 20–21.

[16] See Kate Fazzini, Why Some of the World’s Top Cybersecurity Hackers Are Being Paid Millions to Use Their Powers for Good, Disrupter 50, CNBC (May 18, 2019 10:00 AM), https://www.cnbc.com/2019/05/17/cybersecurity-hackers-are-paid-millions-to-use-their-powers-for-good.html.

[17] See Nicholas Schmidle, The Digital Vigilantes Who Hack Back, New Yorker (Apr. 30, 2018), https://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back.

[18] Id.

[19] Id.

[20] See supra note 5, at 26.

Image Source: https://newconomy.media/news/hacker-claims-to-steal-personal-data-of-840-million-users