Wednesday, June 27, 2012

An attempt to make the case for "hacking back"

Justin's recent post, "The illegality of striking back against hackers," presents a number of interesting issues with regard to organizations hacking in retaliation against those who hack them first. It is only fair that such an act should be allowed in light of the current state of our legal system. But as Justin correctly states, allowing retaliation is not a clear-cut issue and should not be considered lightly.

Hacking cases are complex. Beyond the cases where hackers go to the Internet to boast about their actions, it can be very difficult for law enforcement and prosecutors to track down the perpetrators. Facing a lack of resources, cybercrime investigators tend to focus their attention on issues such as child pornography. Hacking cases and the identity (or other) thefts that follow present great hurdles for millions of Americans each year.

Of course, there is a remedy for consumers - file a lawsuit. After LinkedIn's recent security breach, many quickly jumped at the chance to file. LinkedIn committed a grave error, and attention needed to be brought to the issue so they'll fix the problem and other companies will be warned as well. No amount of investment in security, however, will make a system perfect and neither will it make a company immune from lawsuits and damage to their reputation when breaches occur.

Likewise, there is also a solution for the hacking victim - file a lawsuit. The CFAA (Computer Fraud and Abuse Act) allows a civil suit to be brought for certain damages, but it carries with it a multitude of problems. Often, the hacker could only be found by an investigation that would, in turn, violate the CFAA (see Justin's point number 2). They may be located in another country. They may not have any money, and even if they do, there may be no legal process for getting to it. For these reasons (and many others), companies like LinkedIn are often required to take the beating from the press and users, spend a lot of money beefing up security, and keep their fingers crossed.

Until law enforcement and prosecutors make these cases more of a priority, American organizations (and therefore, consumers) will be left without a true means of protecting themselves. But suppose we modified the CFAA to allow a self-defense-type approach. In some ways, being hacked is like being punched in the face. If you retaliate in either situation, it's possible that others will come in defense of the attacker (imagine a bar fight where all of your friends are already outside, and you're now facing five guys twice your size). Similarly, if you were in a crowd and weren't sure who the punch came from, you can't just start hitting everyone to get back at the true puncher. However, if you can find them and respond promptly, you may be able to defend yourself from further harm.

There are a few ways in which such a modification would be helpful:
  1. Investigation - Allowing victims to hack back would allow them to collect the information that would be essential to any civil or criminal case - information like the IP address of the hacker.
  2. Security Improvement - Patching security issues is much easier if you know how the infiltration happened. Further, knowing what resources hackers are using would allow technology security teams to better plug the holes in their networks. Perhaps the statute could require mandatory reporting so that the government could collect data in an effort to study developing patterns in the hacking world.
  3. "Cathartic Chest Pounding" (Justin's words) - Billion dollar corporations have at least one thing that common hackers don't - a billion dollars. Not every business has the ability to dedicate essentially unlimited resources to protecting themselves, but these do. Hacking back may result in more attacks at first, but the right successes might turn hackers away. (The problem here, of course, is that if large companies make themselves essentially hack-proof, the market for unauthorized data will result in attacks on small businesses that have no such resources.)

Obviously, there's no easy solution to this problem, but rest assured - the CFAA is not likely to hinder everyone. Now we have the waiting game to see how prosecutors, Congress, and corporations will respond.
