Go Back

What New Federal Cybersecurity Hack Back Regulations May Mean for Your Company

In April 2015, the United States government suffered one of the worst cybersecurity breaches in its history. Hackers had broken into the network servers of the Office of Personnel and stolen millions of records. The databases contained personal information and fingerprints of the government’s civilian workforce. It was the first cybersecurity break-in that prompted a Congressional investigation. 

Three years later, a United States Navy contractor had 614 gigabytes of material stolen by cybercriminals. The records related to a classified submarine development program. The Navy lost signals and sensor data, information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library. It was also in 2018 that the Navy discovered that hackers had stolen the personnel records of 100,000 of its staff in an operation that had started as far back as 2006. All three high profile hacks, as well as many others, were attributed to China’s government. 

Meanwhile, in 2014, North Korean hackers locked up thousands of Sony Picture’s computer workstations. It also stole and published thousands of emails from Sony executives, many of which forced staff at the highest levels to resign. The rogue nation-state also stole several Hollywood films yet to be released, including a comedy that made fun of the country’s leader, Kim Jong-un. 

It’s these attacks against military, contract, and economic targets that motivated John Bolton to publicly take a stance on the issue. Bolton is Assistant to the President for National Security Affairs. He announced on June 2019 that the U.S. reserves the right “to retaliate to economically-motivated cyberattacks, even outside of the cyber realm.” 

Further, Congressional leaders are taking another look at “hack back” legislation. The law would permit large companies to retaliate against an aggressor it has identified as having attacked its networks.

With the U.S. government taking a more aggressive stance against hackers, does it make sense for companies to go after black hats on their own? Would counter-attacks nullify the possibility of future attacks, or merely exacerbate unfortunate circumstances?

Federal Cybersecurity Regulation Reigns in Hack Backs

Corporate hack backs do have precedence. In 2010, Google reportedly breached a computer in Taiwan during an investigation of attacks on its customers. In 2014, the FBI examined whether some banks had hired hackers to crash Iranian computer network

“It’s kind of a Wild West right now,” said U.S. Representative Michael McCaul told Bloomberg at the time. “Some victim companies may be conducting offensive operations ‘without getting permission’ from the federal government,” he said. “They’re very frustrated,” McCaul concluded. However, federal regulations do address the matter.

The Computer Fraud and Abuse Act (CFAA) is a federal government regulation intended to make computer hacking activities illegal. However, hack backs, understandably, qualify as full-on hacks, whatever the motivation. The law makes it illegal to access computer devices that don’t belong to an individual. That also means accessing the tablet computers and mobile phones of others without their permission is against the law.

In other words, federal law also prohibits hack backs even if they’re by big banks.

Hacking Back Considered Worst of Few Options

Academics like Patrick Lin, Ph.D., of the Ethics + Emerging Sciences Group sees an argument for hack backs as tantamount to vigilantism in the way of lynch mobs. He writes in his policy paper: “A common response at this point is that hacking back goes beyond self-defense and smacks more of vigilantism. If hacking back is defensible at all, then self-defense must be distinguished from vigilantism. That discussion is related to the argument from the rule of law since vigilantism seeks to operate outside of it.”

Indeed, many law enforcement officials, lawyers, and information security professionals find hack backs an unpalatable idea. Authorities feel it may confuse cyberattack investigations. Lawyers caution that hack backs may violate foreign laws. Cybersecurity professionals, as well, see an array of concerns.

Information security specialists are concerned that companies that hack back may escalate conflicts. Let’s say the source of a hack on a bank was the Chinese government’s own APT 10, a department devoted to exfiltrating private and government-contractor network servers. A hack back may precipitate a conflict that draws in the United States militarily.

Cybersecurity companies also wonder if hack backs hit the correct target. Cybercriminals are well-practiced at covering their tracks and misdirecting investigations to other servers around the world. Supposed victims of cyber break-ins may even stage fake attacks to get at competitors, they suggest. 

Companies do complain about having their hands tied in the event of cybercrime. However, a Bloomberg poll showed that fewer than 20 percent of corporate survey respondents supported hacking back.

Washington’s Hawks Circle

During President Obama’s Administration, Presidential Policy Directive 20 explicitly stated that the President had to approve any cyber attacks by government departments. John Bolton has effectively replaced the Obama-era policy with National Security Presidential Memorandum] 13. The executive order devolves cyberattack authority from the President’s Office to the Pentagon. Then, the Pentagon can devolve it further down the chain of command. 

The Administration, in other words, is taken out of the loop. The Memorandum intends to speed up the cyber attack decision-making process. The Administration wants to have federal government agencies responding more quickly to cybersecurity intrusions that threaten military, infrastructure, and even economic interests. 

Rep. Tom Graves, R-Ga., reintroduced a bill in the House of Representatives in June 2019 that would permit companies to act outside of their computer networks. Organizations would then be able to identify their attackers and possibly disrupt their activities. Graves believes the bill is necessary because he and 14 other cosponsors of the bill believe enterprises have little recourse when hackers attack them.

Justin Fier, Darktrace’s director for cyber intelligence and analysis, has reservations about the bill. “If such legislation passes, we run the risk of a future of cyber crossfire – where businesses, organizations, and governments alike will suffer operational downtime inflicted by incorrect targeting.” In other words, the policy risks greater damage by “friendly fire” or escalation with foreign powers than if stakeholders coordinated information and response with the federal government. 

Alternatives to Hack Backs

One approach cybersecurity professionals have mooted as an alternative to a counter-attack is beaconing. The practice would involve an organization attaching programming code to sensitive files. If hackers steal the files, the beacon will report back the IP address of the server onto which thieves copied the data. 

Jeremy Rabkin has promoted organizing a list of cybersecurity firms that the federal government vets. Rabkin is a law professor at George Mason University. His idea is that hacking victims can go to the firms to surgically counter-attack the hackers.

When Getting MAD Isn’t So Bad

Currently, the Internet has only seen cyber skirmishes. State actors like North Korea, China, Russia, Iran, and the United States have digitized corporate and governmental espionage, which has a long and rich history. Meanwhile, criminal gangs make the occasional headline with thefts from ATMs and cryptocurrency accounts.

Fortunately, there has been very little weaponized use of cybersecurity technology. The most recent example is the American government’s disabling the Iranian military computer network in mid-2019 in retaliation for the Iranians downing a U.S. drone. 

Unfortunately, the federal government, its contractors, nor private enterprises have as yet developed a sense of MAD: Mutually Assured Destruction. MAD was the unofficial policy — more an understanding, really — between the United States and the Soviet Union during the Cold War. What each knew at the time was that if either side uses nuclear weapons against the other, it could mean the end of the world.

Fortunately, nations have held back from using the Internet to shut down the power grids of the United States, or bring airliners crashing to the ground, or launch American missiles against itself. Corporations, however, have not yet developed that level of cyber-awareness about the possible repercussions of hack backs.

Unfortunately, in the United States, combatants are fighting purely defensive pitched battles that frustrate them greatly and sometimes cost them dearly. Nevertheless, as cybersecurity tools of mass destruction arrive on the scene, those charged with defending the nation need to closely guarded and wield those weapons with the greatest wisdom and restraint to avoid MAD. Providing the right for anyone to hack back may lead to short-term satisfaction, but long-term devastation in the virtual and real worlds.

Receive updates straight to your inbox