David Navetta is an attorney who focuses primarily on technology, privacy, information security, and intellectual property law at Norton Rose Fulbright. In an interview with The Cipher Brief, Navetta discussed the legal and liability issues associated with businesses attempting to utilize offensive cyber capabilities.
The Cipher Brief: Recently, there have been increased calls for “hacking back” against countries and groups that hack the U.S. Why might some businesses find hacking back to be an attractive option, and is it a valid response to a cyber-incident?
David Navetta: Unfortunately, while we should encourage the use of any and all means to fight back against cyber crime, hacking back implicates some serious legal and attribution issues. On its surface, companies may find it an attractive option, especially if they can quantify their losses and those losses are significant. In such a case, the decision to hack back may boil down to a relatively straightforward risk and cost-benefit analysis. For example, while the inability to attribute the attack to the actual attacker could result in harm to an innocent third party, methods may exist to allow for a hack-back that minimizes the risk to the innocent third party. That said, it gets trickier when the act of hacking back poses criminal sanctions that may be incurred regardless of the harm caused by hacking back.
TCB: What are the legal and liability issues associated with “hacking back”? How do issues about attribution play into it?
DN: Gaining unauthorized access to a third party’s system is itself illegal hacking in many jurisdictions, including the United States. For example, the Computer Fraud and Abuse Act may ensnare companies seeking to hack back against attacks. It provides for both civil and criminal penalties when computer systems are accessed or used in an unauthorized manner. The other practical problem, which could lead to legal liability, is attribution. Cyber criminals regularly hide the source of their attacks, whether it be by using proxy servers, establishing or renting botnets, or taking over an innocent third party’s machine to launch attacks. As such, a company seeking to hack back may be attacking a machine that is not the root source of the attack. This can cause business interruption, data loss or corruption, and other losses.
TCB: There is also a growing movement in favor of the “active defense” approach to cybersecurity. What is the difference, in terms of liability and legal concerns, between active defenses and hacking back?
DN: I view active defense as a spectrum, upon which hacking back is at the more intrusive end. The line between intrusive and less intrusive active defense is whether unauthorized access or unauthorized disruption of the target systems occurs. There are some active defense techniques that do not involve actually gaining access to third party systems, including beaconing, sinkholing, honeypots, and threat intelligence gathering. While the legal liabilities and compliance issues raised by any active defense method should always be analyzed before taking action, on both the statutory (criminal and civil) and lawsuit side of the equation, once a company decides to gain access to a third-party system or cause a business interruption or disruption, the company’s legal risk increases significantly.
TCB: How can the government better meet the needs of businesses seeking to protect themselves from cyber-attacks? What legal changes, if any, could help to change the incentives associated with hacking back?
DN: Governments are already beginning to encourage the sharing of threat intelligence within industry sectors in order to combat cyber crime. I think stronger enforcement regimes, including those between countries, need to be in place to create a stronger deterrent and more cooperation with respect to identifying the sources of cyber attacks. That said, it does not appear that government is moving quickly to create legal mechanisms to insulate companies that want to hack back. Laws could create safe harbors to allow hacking back within certain parameters and following specified procedures, which would limit liability for the unintended impacts of hacking back. Arguably, this approach was used with the Digital Millennium Copyright Act and its notice-and-takedown procedures that allow third parties to avoid IP liability for traditional copyright infringement. Unfortunately, as complex as copyright law is, developing a safe harbor that effectively insulates and allows for worthwhile hacking back would be vexing.