Cyber-crime against American companies is at epidemic levels. The overwhelming majority of all businesses in the United States have been victims of a hack. Some estimates are as high as 80%. Currently, the cyber battlefield is a largely ungoverned space. Law enforcement is simply not equipped to respond and prosecute fast enough, and the military’s scope is limited to national security. That leaves private companies on their own in the aftermath of a cyber attack.
Even in the absence of proper enforcement, decades-old computer security laws are still denying companies the means to protect themselves. Until there is a better framework in place, private firms need to be allowed to “hack-back”: that means being given the legal cover to defend themselves and retaliate against cyber criminals during and after an attack.
Active Deterrence
Opponents of the idea treat it as an indiscriminate retaliatory method that would likely stoke broader conflict, potentially between state actors. The truth is that many hack-back methods are far more nuanced, focusing on “active deterrence” and spoiling the fruits of a hack.
One method calls for attaching a “beacon” to sensitive data. Think of this as a dye pack in a bag of stolen cash. It makes stolen data easier to identify and track. Another is laying a “honeypot,” or trap: allowing hackers to steal fake data and then following its movement in cyberspace. These sorts of active defenses can help law enforcement and investigators when it comes time for attribution. Think of it as tracking a burglar’s getaway car rather than waiting for police to tediously reconstruct a crime scene.
In many ways, hacking back is less about retaliation and more about understanding how hackers breached a particular system and exactly what data were compromised. Discovering the tools in a hacker’s arsenal can, for example, expose a zero-day vulnerability and allow developers to patch flaws more quickly.
Reform
The laws governing the cyber realm are decades old and are in desperate need of modernization. Licensing hacking-back would be a great place to begin urgently needed reforms. Thankfully, Congressional legislation has been introduced to that end. Senator Sheldon Whitehouse (D-R.I.) recently stated, “we ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression.”
Until the federal government has the resources and infrastructure in place to stem the tide of cyber threats, organizations must be allowed to defend themselves. High-profile data breaches like those at Equifax and Target show that the stakes are simply too high. Congress needs to establish a proper legal framework that permits firms to hit back.
- Brian