“Hacking Back”: a Recipe for a Digital Arms Race
The following is a guest post from i2Coalition Co-Founder, Board and Policy Chair David Snead and Greg Nojeim, Senior Counsel at the Center for Democracy & Technology, a digital rights organization based in Washington, DC.
“Malicious hacking”, that is, using technological means to penetrate or manipulate the networks, data, or devices of others without permission, is a threat to the Internet and to the health of the Internet infrastructure companies (i.e., hosting companies, data centers, registrars and registries, software services providers, and related tech firms) that serve as its backbone.
Malicious hacking can impact just about anyone, from individuals to institutions to governments—even presidential campaigns. According to a recent estimate by Cybersecurity Ventures, “cybercrime will continue to rise and cost businesses globally more than $6 trillion annually by 2021.”
With so much at stake, it is understandable that some businesses and other stakeholders are looking for new ways to protect themselves. But investigating, defending against, and responding to malicious hacking are extremely complex activities in their own right, and the methods used to do so can sometimes resemble the very nefarious activities trying to be prevented.
Hacking Back: Mutually Assured Destruction
So-called “hacking back”—using active countermeasures to respond to malicious hacking, generally leveraging methods similar to those favored by attackers themselves—is highly controversial. It should be. Internet infrastructure companies, which play a critical role in building and maintaining a robust, free, and open Internet, are deeply concerned with the implications of such activities. The best defenses should not be offensive to others.
When a company is hacked, it can conduct an investigation, work with law enforcement, take defensive measures, and mitigate the harm that has been inflicted. Some, however, are encouraging companies to pursue active countermeasures that take the form of aggressive attacks on the malicious hacker’s network or data in an effort to disrupt their ability to conduct further illegal activities. While there is a certain visceral appeal to this approach—who doesn’t want to fight back when attacked?—this kind of “he hit me first” vigilantism is a truly terrible idea. It is, and should continue to be, unlawful.
Legal Landscape: Strength Through Peace
Federal law prohibits accessing networks and data without authorization. For example, the Computer Fraud and Abuse Act (CFAA), which was enacted in 1986, makes unauthorized access to data, networks, or devices illegal. Also passed in 1986, the Electronic Communications Privacy Act (ECPA) codified and reformed federal electronic surveillance law and set criminal penalties for unauthorized access. And the Cybersecurity Information Sharing Act (CISA), signed into law in 2015 primarily to facilitate the sharing of cybersecurity information, authorizes “defensive measures” against malicious hackers, but only those measures that do not involve gaining unauthorized access to others’ networks and data.
Today, some proponents of “hacking back” want to change the general prohibition on gaining unauthorized access that is set out in these laws. The Active Cyber Defense Certainty Act has been circulated for discussion by Representative Tom Graves. To his credit, Rep. Graves is seeking comment from stakeholders; the bill has not yet been introduced. This bill would permit victims of malicious hacking to gain unauthorized access to the computers of others to gather information about their attackers, share that information with law enforcement, and use malicious hacking methods to combat those who breach their networks or illegally access their data. It would authorize access to the computers of others in ways that are a crime and a civil violation under current law. In cyberspace, attacks are often routed through the computers of others: hacking back can victimize, again, another victim of the original attack. The proposed legislation attempts to address the problems that hacking back would cause by exempting from its protections conduct that destroys stored information, causes physical injury to a person or threatens public health or safety. But hacking back can cause many other harms that the bill does not protect against, including degrading network performance, disclosing private information obtained by hacking back, causing physical damage to property that depends on a computer, and altering information in a way that makes it unreliable.
Bad for Business—and the Internet
For two years leading up to the passage of CISA, stakeholders—very much including the Internet infrastructure industry—debated the merits of allowing “hacking back.” Ultimately, Congress decided to give affirmative authority to individuals and businesses to undertake countermeasures but to prohibit the use of countermeasures that cause substantial damage or include gaining unauthorized access to others’ computers, data, or networks. The Graves bill would effectively nullify this commonsense approach.
This approach would create major risks for private-sector companies, including Internet infrastructure firms. Besides authorizing heretofore unauthorized access and creating significant confusion as to when it is and isn’t legal to undertake certain activities, it would also strongly incentivize a kind of “digital arms race,” with all actors working to create bigger and better offensive methods. Instead of mitigating attacks, “hacking back” could end up benefiting the very people whose criminal activities the Graves bill seeks to stop. Instead of sharing pertinent cybersecurity information, a whole industry would be created to help “arm” individuals and businesses to attack other networks. Because attribution online is such an uncertain science, consumers, businesses, and other Internet users would be caught in the crossfire of these hack-back attacks. The term “vigilante hackers” is very appropriate for an industry that would be created as a result of such a change.
We can say with great confidence that there are very few reasons to believe that even sophisticated “hacking back” would result in the identification of a specific hacker. The use of pooled IP addresses and shared infrastructure (which is unlikely to be owned by the malicious hacker) makes it extremely difficult to precisely identify culprits, creating significant potential for the kind of collateral damage that would result in less cooperation between legitimate entities, which can only serve to advance the interests of the malicious hackers. There is also a significant risk of economic damage due to the high probability of widespread misattribution. The lines between good and bad actors will be blurred, with the attackers themselves claiming they are just defending themselves. Both sides will increasingly waste valuable time and resources trying to differentiate attackers from those hacking back.
“Hacking back” also creates major privacy concerns for all involved. There is simply no way to guarantee that any data collected in an active countermeasure setting will be limited to the data of the attacker. Server information, personal data, and other sensitive material, especially that which is otherwise unprotected (i.e., not encrypted), would be highly vulnerable to appropriation and dissemination. This is especially worrisome given that the Active Cyber Defense Certainty Act creates no incentive to patch holes in networks or disclose them to the relevant network operator.
Reject the Digital Arms Race
The whole concept of authorizing, or insulating from liability, companies that gain unauthorized access in order to attribute cyber attacks should be rejected. The Active Cyber Defense Certainty Act is ill-advised in both spirit and letter. There are better ways to improve cybersecurity that Congress should explore. Fostering better information sharing between hacked entities, and encouraging more collaborative investigations among hacked entities, law enforcement, and infrastructure providers, would go a long way towards improving cybersecurity. So too would measures that encourage the government to disclose vulnerabilities so they can be patched. Ultimately, “hacking back” would make us all more vulnerable to more sophisticated and frequent attacks. Our focus should be on protecting networks from intrusion, rather than making them more vulnerable by turning the Internet ecosystem into a digital war zone.