By Alexei Alexis
With sophisticated cyber attacks on the rise, firms are increasingly having to decide whether to take aggressive self-defense measures in a legal environment that is both complex and uncertain, attorneys and consultants told BNA.
At issue are “active defense” tactics that may involve such steps as “hacking back” to locate stolen computer files and, in extreme cases, attempting to take down the network of an identified attacker.
“Until recently, there has not been much discussion about self-defense in cyber space,” Peter McLaughlin, Of Counsel at Morrison & Foerster LLP and co-chair of the American Bar Association's Information Security Committee, said in a BNA interview. “It's a very gray area in which companies must tread very carefully.”
The issue has become a hot topic within legal and computer security circles, McLaughlin said, adding that the ABA is very interested in providing “thought leadership” in this area.
“This is basically the wild, wild West of the cyber frontier.” David Bodenheimer, partner, Crowell & Moring LLP The federal Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to a computer system, is seen as the primary U.S. statute governing how far companies may go in defending their computer networks. A violator could potentially face federal prosecution or litigation from an aggrieved party. Experts say this can apply both to attackers and to victims who take countermeasures. Aside from the CFAA, various other laws within and outside of the United States could also come into play, according to attorneys.
“This is basically the wild, wild West of the cyber frontier,” David Bodenheimer, a partner at Crowell & Moring LLP, told BNA. “A company that engages in an active defense campaign that results in damage to another party's computer could end up in a lawsuit without knowing how it will turn out.”
Asked whether the issue potentially requires attention from the Obama administration or Congress, White House spokeswoman Caitlin Hayden told BNA the law on the subject is already “very clear.”
DOJ Promotes Lawful, Effective Self-Defense
A Department of Justice spokesman said that companies can undertake a variety of actions on their own networks that are lawful and effective to protect their information but any steps that alter, damage, or intrude upon other systems may violate the CFAA, federal electronic surveillance statutes, the laws of foreign countries, or state and local laws.
“Arguments for or against hack-back efforts fall into two categories: law and policy,” the DOJ spokesman told BNA. “Both recommend against hack-back. Under current law, accessing a computer that you do not own or operate without permission is likely a violation of law. And while there might be something satisfying about the notion of hack-back on a primal level, it is not good policy either.”
A DOJ computer crime manual warns companies that have experienced a cyber attack to avoid taking offensive measures on their own, such as hacking back. “Doing so may be illegal, regardless of motive,” the manual states. “Further, as most attacks are launched from compromised systems of unwitting third parties, 'hacking back' can damage the system of another innocent party.”
Meanwhile, at least one member of Congress, Rep. Louie Gohmert (R-Texas), has called for amending the CFAA to resolve legal concerns related to hacking back.
“It would certainly be worth examining an exception to the law that would be akin to self-defense protections under criminal assault laws,” he told BNA in a recently emailed statement.
Gohmert serves on the House Judiciary Committee, which has jurisdiction over the issue and is drafting cybersecurity legislation.
Hill, Obama Tackle Cyber Threats
The hacking back controversy has emerged as both Congress and the White House are paying increased attention to cyber attacks against U.S. businesses. In February, President Obama signed an executive order directing federal agencies to promote industry adoption of voluntary cybersecurity standards, among other steps (31 DER A-35, 2/14/13).
However, there is broad, bipartisan consensus in Washington that cybersecurity legislation is still needed. The House Judiciary Committee is just one of several panels in both the House and Senate that are preparing for legislative action.
“We must not allow cyber crime to continue to grow and threaten our economy, safety and prosperity,” House Judiciary Committee Chairman Bob Goodlatte (R-Va.) said in a statement prepared for a March subcommittee hearing (50 DER A-24, 3/14/13).
John Boles, deputy assistant director of the FBI's cyber division, said in testimony provided to the panel that U.S. companies are facing diverse cyber threats, including organized crime groups seeking consumers' financial data for fraud operations and foreign cyber spies on the hunt for valuable intellectual property that can give overseas companies a competitive advantage.
A number of reports have identified China, in particular, as a primary source of mounting cyber threats. Earlier this year, a series of high-profile cyber attacks were disclosed by such companies as The New York Times Co., The Washington Post Co., The Wall Street Journal, Twitter, and Apple Inc.
A report issued by Alexandria, Va.-based computer security firm Mandiant Corp. in February directly linked the Chinese government to a sophisticated hacking unit responsible for stealing hundreds of terabytes of data from as many as 141 organizations, headquartered in the United States and other English-speaking nations, since at least 2006 (34 DER A-22, 2/20/13).
After the report was issued, China's Ministry of Foreign Affairs posted a statement on its website saying that the Chinese government has always resolutely opposed cyber attacks and that groundless speculation and accusations will not help solve the problem.
Experts Debate Hacking Back
Within legal and computer security circles, there is growing debate over whether companies should respond to cyber threats by hacking back. Some experts say that it is an unwise and dangerous practice, and others take the position that it could be justified in some cases, particularly when companies are facing a potentially devastating cyber threat, such as the theft of valuable intellectual property.
Stewart Baker, a partner in the Washington office of Steptoe & Johnson LLP and a former assistant secretary for policy at the Department of Homeland Security under the George W. Bush administration, has been a leading active defense proponent.
In an October 2012 blog post, Baker argued in favor of letting companies “counterhack” in order to extract information about an attacker and locate stolen computer files.
“[C]omputer hackers won't be bringing many lawsuits against their victims,” Baker said. “The real question is whether victims can be criminally prosecuted for breaking into their attacker's machine. And here the answer is: Surely not. Even if you could find a federal prosecutor wacky enough to bring such a case ... the ambiguity of the [CFAA] makes a successful prosecution nearly impossible. Deeply ambiguous criminal laws like this are construed in favor of the defendant.”
Baker said that requiring the victim not to counterhack because of uncertainty about the innocence of the machine's owner “simply gives an immunity to attackers.”
“[C]omputer hackers won't be bringing many lawsuits against their victims. The real question is whether victims can be criminally prosecuted for breaking into their attacker's machine. And here the answer is: Surely not. Stewart Baker, partner, Steptoe & Johnson LLP Baker's position was subsequently challenged by Orin Kerr, a research professor at George Washington University Law School and a former attorney in the Justice Department's Computer Crime and Intellectual Property Section.
“Contrary to Stewart's claim, there is no genuine ambiguity over whether the [CFAA] protects the rights of computer owners or data owners,” Kerr said, also in an October 2012 blog post. “The statutory language expressly prohibits 'intentionally access[ing] a computer without authorization.' ... It protects access to computers, not access to stolen data. The rule here is the same rule that is used in real property law: The owner/operator of the property controls who has access to it. The fact that your neighbor borrowed your baseball glove and you want it back doesn't give you a right to break into everything your neighbor owns on the theory that you can authorize yourself to go anywhere to get your glove back. The same goes for computers.”
Kerr suggested that Baker's position could potentially allow copyright holders to hack into the computers of any individuals suspected of having infringing materials on their computers.
ABA Guidance Possible
McLaughlin said the online debate between Baker and Kerr illustrates why members of the ABA have a strong interest in looking at the issue, which could ultimately lead to the publication of guidance.
“This isn't by any means clear cut,” he said. “The question is: How do you craft a legal framework that will enable companies to adequately defend themselves against these threats? A 'just sit there and take it' approach is unlikely to satisfy them.”
Despite the legal risks involved, companies under sustained attack may decide that an extreme measure is ultimately the best way to protect their cyber assets, and they may be unwilling to wait for law enforcement to come to the rescue, according to David Navetta, a partner in the Denver office of InfoLawGroup LLP.
“Law enforcement's role is often to go after the bad guys, not necessarily to stop the breach, ” Navetta told BNA. “They're often overwhelmed and have to pick and choose their battles.”
In addition, a company that has experienced a major security breach may prefer to act on its own to contain the situation, rather than expose the breach and risk a public relations disaster, experts said.
Legislative Action Needed?
Ronald Raether, a partner at Faruki Ireland & Cox P.L.L., said there is a need for a larger public policy debate as to whether Congress should authorize companies to take certain steps to defend themselves against cyber threats.
“The CFAA has broad hacking prohibitions that were meant to cover bad actors,” Raether told BNA. He noted that there are a range of practices along the active defense continuum, from the use of intelligence-gathering tools to more extreme retaliatory measures that may raise legitimate public policy concerns.
Navetta agreed that Congress should at least take a look at the issue and determine whether legislative action is needed.
“I think there's a need for a debate,” he said. “I wouldn't suggest one way or another whether there should be a change in the law.”
David Willson, owner of Titan Info Security Group, a risk management law firm based in Colorado Springs, Colo., said there is also a need for a better understanding of active defense. He noted that some, rushing to judgment, have likened it to a form of vigilante justice, while others have raised exaggerated concerns about possible conflicts between the United States and other nations.
“One company hacking back is not going to start a war with China,” he told BNA.
As for the legal concerns, he said that Congress could help by better defining what it means to gain unauthorized access to a computer system under the CFAA and by adding a “clear intent” provision to the statute that would settle questions about what type of behavior is punishable.
House Panel Considers CFAA Changes
The House Judiciary Subcommittee on Crime, Terrorism, Homeland Security and Investigations explored the need for CFAA changes during a March 13 hearing focused on the investigation and prosecution of 21st century cyber threats.
Kerr, who was among the witnesses, said the law must allow the government to appropriately punish those who break into computer networks, without being used to prosecute innocent computer users who engage in “routine harmless activity,” such as violating online terms of service policies.
He specifically drew attention to a recent public uproar over the government's use of the CFAA to go after Aaron Swartz, an internet activist, who committed suicide after his indictment and has since become the face of calls to reform the statute.
“Swartz was facing felony charges under the CFAA, and many believe that those charges show that the CFAA is overly broad and overly punitive,” Kerr said in a statement prepared for the hearing. “But whether inspired by recent events or simply by the need to address the scope of a statute that has become ever more important in our Internet age, Congress should take this opportunity to revisit the CFAA to make sure that it both provides appropriate tools for law enforcement but does not end up prohibiting innocent activity.”
Hacking Back Question Posed
Gohmert asked the panel of witnesses to comment on whether the law should be updated to provide an exemption for hacking back, prompting a mixed reaction from Kerr.
“I think the idea of saying there's some ability to counterhack, hack back--however you want to describe it--is a sound one,” he said. “The real difficulty is in the details of how do you do it? In what circumstances do you allow somebody to counter-hack? How broadly are they allowed to counter-hack? How far can they go? The difficulty, I think, is once you open that door as a matter of law, it can be something that's difficult to cabin. So I think if there is such an exception, it should be a quite narrow one to avoid it from sort of becoming the exception that swallows the rule.”
Gohmert responded by saying that he would not necessarily be concerned about the possibility of a hacker's computer being completely destroyed, so long as the damage was confined to that person.
“I don't really understand why you're wanting to be protective of the hacker,” he told Kerr.
“If we can create a law that effectively avoids damage to innocent victims yet punishes or immobilizes the hacker … , I would absolutely be willing to introduce it and push for its passage.” Rep. Louie Gohmert (R-Texas) Gohmert told BNA that he is interested in pursuing the matter further. A step in the right direction, he said, would be legislation to authorize the use of software capable of capturing images of a hacker from that person's own webcam and then immobilizing the hacker's computer.
“It could amount to a technological 'booby-trap' within the victimized computer which punishes the criminal hacker,” he said in an April 5 emailed statement. “If we can create a law that effectively avoids damage to innocent victims yet punishes or immobilizes the hacker, or even captures images of the hacker, I would absolutely be willing to introduce it and push for its passage.”
A House Judiciary Committee spokeswoman declined to comment on whether the panel might tackle hacking back concerns as part of a broader effort to craft cybersecurity legislation. A recently circulated draft would update the CFAA by making it a crime to exceed authorized access into a computer network for the purpose of obtaining sensitive confidential business information (60 DER A-23, 3/28/13).
House Bill Raises Hacking Back Issues
While experts said they were not aware of any pending legislative proposals before Congress that explicitly address the issue of active defense, a bill (H.R. 624) introduced by Reps. Mike Rogers (R-Mich.) and C. A. “Dutch” Ruppersberger (D-Md.), the chairman and ranking member of the House Intelligence Committee, includes related provisions that have prompted objections from public interest groups.
The legislation, dubbed the Cyber Intelligence Sharing and Protection Act (CISPA), would provide liability protection to companies for sharing cyber threat information with the government, as well as for “decisions made based on cyber threat information identified, obtained, or shared.”
“A company could use this section to act against a perceived threat believing it was immune from any legal liability as long as the decision was based on information about a threat,” Mark M. Jaycox , a policy analyst and legislative assistant for the Electronic Frontier Foundation, said in a March 19 blog post. “The immunity could cover decisions to violate other laws, like computer crime laws or privacy laws intended to protect users. Companies should not be given carte blanche immunity to violate long-standing computer crime and privacy law.”
The White House threatened to veto a version of the legislation introduced in the previous Congress, saying that it would, among other concerns, have inappropriately shielded companies from suits challenging actions based on cyber threat information.
A committee aide told BNA that Rogers never intended the legislation to cover hacking back, and the issue will probably be clarified in a markup that is scheduled for April 10.
Uncertainties Seen in Current Landscape
Given the current legal landscape, attorneys and consultants advised businesses to be extremely cautious when addressing cyber threats.
“This is still a very undetermined area with huge legal risks for companies, depending on what they're doing,” Navetta said.
Generally, a company has wide latitude to take defensive action that is limited to its own internal network, but the legal risks increase as businesses begin to take steps that involve targeting and gaining unauthorized access to other computer systems, he said.
Although the CFAA could potentially be used to prosecute company leaders for hacking back, it is unclear to what extent that would actually happen in practice, according to experts.
“I'd be hard pressed to see a prosecutor go after a company for defending itself against a hacker,” Willson said. “It would have to be something that, in my mind, was politically-motivated or meant to cause embarrassment in some regard. I don't think it's likely, but I wouldn't rule it out.”
Willson said there does appear to be a trend in which the government is willing to use the CFAA in new scenarios. “I personally take the position that using the law for terms of service violations is not good policy,” he added.
'Necessity Defense' Could Play Role
Ultimately, factors such as “necessity defense” arguments and prosecutorial discretion could play a role in whether the government seeks to punish someone for hacking back, experts said.
“If you can show that you had no choice, and you did everything you could up to that last-resort step and were unable to stop the attack, it looks better for you,” Navetta said.
Beyond the criminal side, there are also uncertainties about how courts might rule in cases where companies are sued for civil penalties under the CFAA by parties claiming that they were injured in a hack back, experts said.
“Companies are operating in largely a legal vacuum, without sufficient precedent to predict what the legal consequences will be of initiating an offensive cyber operation against another party,” Bodenheimer said.
The chances are slim that litigation will come from a bad actor, but there is a high probability that it could arise from an innocent bystander whose computer was harmed in a company's effort to respond to a cyber attack, experts said.
“It may appear that a particular computer is the source of an attack, but that computer may simply be under the control of another party,” Bodenheimer said. “As a result, you may take down someone's network only to find that they were an innocent bystander whose system was taken over or abused by some other party.”
Suits Expected as Companies Take Risks
Willson said that he advises clients considering active defense to begin with minimal options and gradually progress as needed, with the understanding that the risk of a lawsuit has the potential to increase as their activity becomes more aggressive.
“With active defense, I'm anticipating that there will likely be some sort of civil litigation as you get to the end of the continuum, simply because you could be doing something that ends up disrupting someone's network,” he said. “Sometimes, the company's leadership is willing to live with the risk, because they're losing a lot of money as a result of an attack, and hacking back appears to be the only recourse.”
In such cases, Willson stressed, businesses should be prepared to show that they were dealing with a persistent attack and that they had exhausted all other options. “This will help your defense, if it should get to that,” he said, adding that company leaders should evaluate risks along the way.
One modest option may involve attempting to contact parties whose servers are being used to attack others, according to Willson. “If you can identify the person who owns the server that's being used to attack you, you can call them,” he said. “At that point, you probably would want to get law enforcement involved. As far as I'm concerned, if the person [whose system was compromised] refuses to cooperate with you in stopping the attack, they may have some contributory negligence in this picture.”
Other Laws Involved
Aside from the CFAA, there is a patchwork of similar state and international computer trespass laws that could have hacking back implications, attorneys said.
Also, Bodenheimer noted that an effective cyber operation will probably involve authenticating the identity of a cyber criminal, which could require surveillance activities that raise issues under various wiretapping laws.
In addition, a company that has hacked back could potentially be accused of violating prohibitions against interfering with an ongoing federal investigation, according to Bodenheimer.
“That counterattack may compromise evidence needed by federal agents to complete an investigation, particularly if a criminal's computer system has been shut down or digital footprints have been wiped out or altered in the process,” he said. “A more likely scenario is that a counter attack could tip off cyber criminals and prompt them to shut down their own operations, wiping out evidence as they run away.”
While some companies may be reluctant to involve law enforcement because of public exposure concerns or other factors, doing so can be critical in terms of getting useful assistance, according to experts.
“The benefit of law enforcement is that they may have a lot of information and they can help you if you want to take steps such as filing a court order,” Navetta said.
Willson's solution to the public exposure problem is developing legal agreements allowing clients to maintain their anonymity and protect their reputation when seeking assistance from law enforcement, using his firm as an intermediary. He said he is discussing the idea with law enforcement agencies.
'Sound' Legal Advice Urged
Ultimately, should companies decide to launch a cyber offensive campaign, they should only do so with sound legal advice, Bodenheimer said.
“For anything that might cross the line into active defense or hacking back, a company had better be pulling in its information technology experts and its cyber attorneys to be able to draw the lines between what is clearly lawful and what falls into the gray areas,” he said. “Otherwise, it may find that it has violated the CFAA, wiretapping statutes, or prohibitions against interfering with a federal investigation.”
Navetta said that companies need to make sure they have computer security professionals and lawyers “who know what they're doing in this space.” He also advised firms to explore the full range of options available to them when deciding how to respond to a cyber attack.
“There are a lot of things that you can do on the active defense spectrum before you attempt an attack against the attacker's system,” he added.
Raether suggested that companies have a plan in place ahead of time to address how they will respond in the event of a cyber attack.
“Think through questions such as what responses are going to be permitted by the organization, which ones will require approval, and who will approve them,” he said. “Ideally, when you're in the middle of a cyber battle, that's not the time to be making big policy decisions.”