This post is authored by Gene Burrus, Assistant General Counsel
The hack of the San Francisco transit system and the subsequent hack back by a third party makes for a twenty-first century morality tale in some ways. The perpetrator of a ransomware blackmail is given a dose of his/her own medicine, undone by his/her own poor security practices. Painted at a larger scale however, is the picture we see equally salutary? Recent accusations of state or state-sponsored hacking during the US Presidential campaign led to threats of retaliation between what are arguably the world’s two preeminent nuclear powers.
At the heart of most thinking about good behavior you are likely to find the concept of consequences for actions, and even the concept of preemptive deterrence of bad actions. Those concepts of consequence and deterrence have not become embedded in our online expectations and behaviors. This may be because cyberspace is still a new “public space” and people are still working out how to behave. It is also likely, perhaps, because cyberspace allows levels of anonymity and remote actions unprecedented in the real world. People do things because they think there will be no consequences, no “pay back”. There is certainly an argument to be made, then, for hackers and cybercriminals being subject to payback in some, if for no other reason than to begin to build underpin a behavioral system in cyberspace of “do as you would be done unto”.
Is this, however, the way forward that we should collectively take? There are after all existing laws that apply to cybercriminals, and new laws are being brought into existence as both technology and criminality evolve. However, the reality of enforcement is that most cyber criminals will never be caught and operate with near impunity.
Is “retaliation” something individuals or even companies should be able to engage in, if there is a functional legal system and a police force to do it in their place? Vigilantism, mob-justice and corporate extra-judicial actions wouldn’t look any more attractive online than they do in the real world. After all, can the retaliator be certain that the right person has been targeted? And if so, what is a proportionate response? If you hack my social media profile, is it fair for me to erase your bank account?
Furthermore, could “attack back” policies open another potential cause of state to state conflict in cyberspace? Certainly that risk might exist if State-Owned-Enterprises (SOEs) became involved, as retaliator or retaliated-against. Even carrying out seemingly simple actions against a hacker might inadvertently breach national laws the target’s jurisdiction, thereby involving “real world” police and state institutions when previously they were not.
On the other hand, there may be ways to ‘hack back’ that fall short of the ‘tit for tat’ retaliation that is commonly thought of, and instead facilitate catching criminals, disrupt their operations, or deprive them of the fruits of their illegal conduct. The challenge is in making cyberspace a less consequence free realm in which criminal predators can seek victims. A colleague of mine recently mentioned the digital equivalent of the “dye packs”; and the ability to trace criminals through what they steal might be helpful. Still, for every measure taken by the forces of law and order, a countermeasure can be developed by criminals and others who operate outside the law. This is not an argument for inaction but for the realization that there is unlikely to be silver bullet to cybercrime through hacking back.
If genuine progress is to be made on this issues, the technology industry, law enforcers, lawyers and concerned society groups will have to consider at least three questions about hack back technologies and actions. First, explore what is technically feasible. Second, consider what is legal and for whom. Will law enforcement or private actors be legally allowed to use certain tools or tactics, and should some laws be changed to accommodate technical innovations that might be used to deter, track or punish criminal activity. And against the backdrop of both of these questions will be the question of what policies and tools will be wise to deploy and not do more harm than good. The intersection of these three questions may show the way forward on making cyberspace a place where crime doesn’t pay.