Imagine this: Facebook is set to release a slew of shiny new features designed to win back users and increase engagement. But before it can release its products, Renren (one of China’s Facebook clones) releases the same features across its platform, beating Facebook to the punch. Infuriated, Facebook security officials claim they know with near certainty that their plans were stolen by a hacker on behalf of the Chinese social-media giant. Some furious employees put in motion a plan to load a devastating malware attack on the hackers’ networks as payback.
Is that even legal? Can Facebook retaliate with a hack of its own? Under current U.S. law, the answer is no, but a growing number of legislators are attempting to change that. Yesterday, Rhode Island Democratic senator Sheldon Whitehouse became the most recent lawmaker to express support for revenge hacking.
“We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression,” Whitehouse said. “If [a major CEO] wanted permission to figure out how to hack back, I don’t think he’d know what agency’s door to knock on to actually give him an answer.”
Hacking back (also known as revenge hacking) involves a retaliatory response by a private company or an individual after they are attacked by a malicious actor. While anyone can monitor and enforce their own network and devices, the Computer Fraud and Abuse Act prevents people from going a step further and hacking into someone else’s network, even if they were hacked first. In his recent book, The Perfect Weapon, journalist David Sanger likens hacking back to a retaliatory home invader.
“It’s illegal, just as it’s illegal to break into the house of someone who robbed your house in order to retrieve your property,” Sanger writes.
Not everyone agrees. For years, lawmakers and CEOs of companies have pushed to roll back restrictions on hacking back. Those in favor of allowing companies more authority to hack back, like MetricStream chief evangelist French Caldwell, often point to the government’s inability to adequately and effectively deal with the sheer scope of attacks across the internet.
“While government agencies could hack back on behalf of private companies, there are simply not enough government resources, and engaging them in circumstances that don’t involve national security can be problematic,” Caldwell, who worked with the White House on cyberwar games, wrote in an email to Select All.
The problem is that hacking back comes with its own set of costly consequences. Some, including the former head of the National Security Agency and U.S. Cyber Command Keith Alexander, have said that those consequences could even lead to war. “If it [hacking back] starts a war, you can’t have companies starting a war,” Alexander told a Motherboard reporter at a cybersecurity conference last year. “That’s an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high.”
Aside from the gloomy prospect of accidental war started by a disgruntled Facebook employee, hacking back poses other more pressing issues. Chief among those are detection and collateral damage. Attribution in cyberspace is notoriously difficult, and hackers engaged in malicious attacks often route attacks through other computers, making detection all the more difficult. Private companies allowed to conduct online search-and-destroy missions against their attackers will inevitably end up poring through the networks and files of perfectly innocent bystanders.
Illegal but not Uncommon
Even with these criticisms, the debate surrounding hacking back has ebbed and flowed for years and transcends political-party affiliation. Last year’s revised version of the Active Cyber Defense Certainty Act received bipartisan support and would, among other things, allow companies to attack other computers when they themselves appeared in danger. Under the guise of “active defense,” the bill could even grant companies the ability to launch preemptive attacks if they felt endangered. The bill has faced steep opposition and has been called “a highway to hell.”
Caldwell, though expressing interest in these types of measures, urged caution and clear limits. “Companies should have a limited authorization to hack back, but that needs to be well controlled, limited to specific methods, and require notification of and acknowledgement from law enforcement officials,” he said.
Regardless of legislation, certain levels of hack backs will still occur. Indeed, there is no shortage of vigilante hackers roaming the internet as you read this. This is all well and good, but these small-scale hacker heroes cannot compare with the potential fallout of hack backs posed by tech giants like Amazon, Facebook, and Google, each of which possesses more financial and political power than many small nations. And the motivation exists. According to Sanger’s book, Google engineers seriously considered taking matters into their own hands against China in the past.
Given the growing fears over Russian hacking and foreign manipulation via major platforms like Facebook and Twitter, legislators in favor of removing restrictions may have more pull than ever before. If that’s the case, the tech companies will likely be the last ones to object to their newly granted power.