WASHINGTON – Get hacked, and it’s only natural to want to hack back.
But should that visceral desire for vengeance be written into law? The Republican Party suggests so. The party’s quadrennial platform approved this week includes language that seeks to enshrine the country’s and its citizens’ rights to digital self-defense.
The GOP platform wants to “make clear that users have a self-defense right to deal with hackers as they see fit.” It also suggested that the U.S. government should go on the offensive “to avoid the cyber equivalent of Pearl Harbor.”
The cyber world is rife with hackers and digital creeps, rogue spy units and cyber punks, and experts say it is only going to get worse.
This year, hospital networks in California, Kentucky and Maryland have been infected and partially shut down by criminals who sought payment to restore their records. Many smaller businesses hit by ransom demands after hackers encrypt their servers stay silent, embarrassed by their weak security and worried that clients might take their business elsewhere.
But even as there is a move afoot to regulate and codify the rights of people and businesses to defend themselves and actually go after hackers, experts say the issues are more complicated than they may seem. So-called hack backs remain illegal under the Computer Fraud and Abuse Act, which can lead to jail terms of up to five years if a hacker affects a network with 10 or more computers on it.
“It sounds good. It sounds like motherhood and apple pie. ‘Let’s hit back and counter attack,’” said Alan Brill, senior managing director for cyber security at Kroll, the New York-based investigations and global risk consulting company.
But, he added, “when you look under the hood, it gets pretty scary.”
It is easy to hit the wrong target and cause collateral damage that could harm people and give rise to expensive liability claims, Brill said. Other countries might reciprocate with their own laws allowing “hack backs” and trigger a series of attacks and counterattacks.
“The suggestion of ‘hacking back’ places one in dangerous territory. Firstly, hackers are generally anonymous and hide their identity and actual locations, and because the internet is international and borderless, you don’t know where the person you are attempting to ‘hack back’ at actually resides,” said James Lyne, global head of security research, at Sophos Group, a U.K.-headquartered security software and hardware company.
The problem of identifying hackers is difficult even for government forensic teams.
“Even if you trace an attack back to a geographic location through an (internet protocol) address, it doesn’t mean the attacker is from that location,” said Mark Raymond, an international digital security expert at the University of Oklahoma.
Hackers routinely seek to infiltrate and take control of third-party networks, often in countries far from their base. They implant malware, or malicious computer code, on poorly defended networks, Raymond said.
“Things like children’s hospitals come to mind. Also things like electric utilities,” Raymond said.
The hackers utilize what experts term “enslaved” networks to launch attacks elsewhere, disguising their activities and making the innocent networks appear culpable.
Several cybersecurity proposals have been floated in Congress in the past year that would allow countermeasures against hackers, including retaliatory intrusions. Last December, lawmakers approved the Cybersecurity Information Sharing Act, which protects private companies that share cyber threat information with each other or the federal government, but does not explicitly permit hack backs.
Some legal experts voice concern that a thicket of international trouble for major corporations and the U.S. government could arise if hack backs become legal.
“If the law is not appropriately calibrated, then, yes, hack backs will cause unintended consequences,” said Gabe Rottman, the deputy director of the Freedom, Security & Technology Project at the Center for Democracy & Technology, a nonprofit advocacy group for an open and free internet.
“One of the concerns you’ll see is that other countries will liberalize their laws regarding hack backs and you’ll have an arms race,” Rottman said.
Once the stakes go higher, hackers may try to infect targeted computers with what is called a “dead man’s trigger.” If someone tries to remove their malicious code, it would trigger a more devastating action, “and the system would be wiped clean,” Rottman said.
When companies find that their archives related to business strategy or files about key clients are stolen, it is tempting to think of hiring “white hat” hackers to identify the culprits and retrieve or destroy the proprietary data on the hackers’ servers.
But Brill likened that to walking down the street and spotting your stolen flat-screen television through your neighbor’s window resting on his table.
“The cops come and find you taking the flat-screen TV. You maybe can prove it’s yours but you’ll still get stuck with breaking and entering,” Brill said.
He said he could foresee a situation in which a hacker takes control of a network linked to a hospital in a distant country, then launches an attack on a U.S. business – which in turn has its own team launch a counterattack on the hospital network.
“What if you misidentify files and you erase data for treating patients? If you lose those, is that going to cause someone to die?” Brill asked.
Lyne, the security expert at Sophos Global, said those who want to hack back may find themselves dealing with a foe more skilled and powerful than they are.
“Cybercrime is big business and you don’t know who you are dealing with. It’s not kids in bedrooms anymore. Hackers can be and are backed by international organized crime or even nation states,” he said.
“Self-defense is a well-established legal principle in the physical world, yet it is a very complex area of the law fraught with risk for those who undertake it,” Lyne said, adding that hacking victims should always go to law enforcement as a first step.