A proposed bill in the US would allow companies to hack-back when defending against a cyber attack. However, retaliatory hacking is not without risk. Companies and authorities may be better advised to work holistically when responding to cyber attacks.
The Active Cyber Defense Certainty Act, a discussion draft bill proposed by the Representative for Georgia, Tom Graves, would amend section 1030 of the Computer Fraud and Abuse Act, which prohibits unauthorised access of computers.
The bill aims to give organisations greater power to engage in active cyber defence measures when under attack. It would also exempt them from prosecution for taking cyber defence measures.
The bill defines an “active cyber defence measure” as “accessing without authorisation the computer of the attacker… to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorised activity against the victim’s own network”.
However, the proposed bill includes limitations. For example, organisations are not permitted to destroy data on third party's networks or computers.
Some security and technology firms are known to use retaliatory hacking to defend against attacks or to reveal the methods of cyber criminals. For example, Google is said to have responded to a 2010 attack with a “counter offensive”.
Security companies offer forms of “active defence”, such as tracing the origin of an attack or luring hackers into traps. Some will go further and hack back. For example, retaliatory hacking could be used to delete or retrieve stolen data while a distributed denial of services attack (DDoS) attack could be used to disable an attacker’s systems.
When under attack, hacking back may seem perfectly logical - a survey conducted by KPMG found that over half of UK companies would consider hiring a hacker to prevent against attacks. But retaliatory hacking is controversial and not without risk.
Question of legality
In the US it is currently illegal for an organisation to engage in hacking, even in self-defence.
In 2013, US company Absolute Software was sued after it hacked into a stolen laptop in a bid to capture its IP address and geographical location. The judge ruled that the company was not allowed to break into the computer, even if it was stolen.
Retaliatory hacking is also likely to be deemed illegal in the UK. According to law firm DWF, the Computer Misuse Act 1990 makes it a criminal offence to gain unauthorised access to a third party’s computer or data. It is also an offence to impair the operation of a third party computer, through a DDoS attack for instance.
Hacking back may also not be straightforward and could have unintended consequences. It is not always possible to identify perpetrators, while hackers may use innocent third party systems (such as botnets) to launch an attack.
Rather than hack back, companies could instead focus on mitigating their risks by improving internal security management. They can also work with government agencies and intelligence services to fight cyber crime.
Some countries are looking to take a more holistic approach to fighting cyber crime. For example, the UK National Cyber Security Centre (NCSC) is shifting its focus to ‘active defence’ as it looks to improve the country’s cyber security.
This would include the government sharing security tools and expertise with companies. The NCSC also says that it is prepared to take “specific action” with the industry to address large-scale, non-sophisticated attacks.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org