Self-Defense Goes Cyber: Congress Considers a Bill Permitting Victims of Cyberattacks to “Hack Back”
Meghan Noone*
Criminal law doctrine has embraced the concept that a person may use deadly force in self-defense, if reasonable, when there is an intruder in his or her home. See Mark Randall & Hendrik DeBoer, The Castle Doctrine and Stand-Your-Ground Law, Conn. Gen. Assembly Off. Legis. Res. (Apr. 24, 2012), https://www.cga.ct.gov/2012/rpt/2012-R-0172.htm. But what happens if there is an intruder in his or her computer network? United States House Representatives Tom Graves of Georgia and Kyrsten Sinema of Arizona have sought to answer that question with the proposed Active Cyber Defense Certainty Act, which would allow victims of cyber hacking to “hack back” in retaliation under certain circumstances. See Iain Thomson, US Congress Mulls First ‘Hack Back’ Revenge Law. And Yup, You Can Guess What It’ll Let People Do, Reg. (Oct. 13, 2017, 10:36 PM), https://www.theregister.co.uk/2017/10/13/us_hack_back_law/.
The bill was introduced on October 13, 2017, as an amendment to the Computer Fraud and Abuse Act as a response to the threat of cyberattacks against individuals and organizations alike. Id. The Computer Fraud and Abuse Act, enacted in 1986, prohibits any defensive action against cyberattacks other than the use of anti-virus software. Press Release, Congressman Tom Graves, Rep. Tom Graves Formally Introduces Active Cyber Defense Bill (Oct. 13, 2017), https://tomgraves.house.gov/news/documentsingle.aspx?DocumentID=398840.
Representative Sinema recognized that cyberattacks “have upended the lives of hundreds of millions of Americans . . . . The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications for Arizona families and businesses.” Id. To put the threat of cyberattacks into financial terms, “[r]ecent estimates put the cost of cyber attacks against private business to be between 0.64% and 0.9% of the United States’ gross domestic product. If those estimates are accurate, cyber-attacks did between $120 and $167 billion dollars of damage to the U.S. economy in 2015.” Ctr. for Cyber & Homeland Sec., George Wash. Univ., Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats 3 (2016), https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf (footnote omitted). Further, the bill addresses the reality that law enforcement, specifically the Federal Bureau of Investigation and the Department of Justice, simply cannot effectively investigate and prosecute the vast majority of hackings and other cybercrimes in a timely or efficient manner. See Active Cyber Defense Certainty Act: Bipartisan Bill Empowers Americans to Develop New Defenses Against Cyber Attacks, Congressman Tom Graves (2017) [hereinafter Bill Summary], https://tomgraves.house.gov/uploadedfiles/acdc_expaliner.pdf; see also Active Cyber Defense Certainty Act, H.R. 4036, 115th Cong. § 2(2) (2017) (“In 2015, the Department of Justice prosecuted only 153 cases of computer fraud.”).
As a solution, the bill proposes to carve out an exception to the Computer Fraud and Abuse Act, excluding an individual or company from prosecution for certain cybercrimes if they were committed while taking “active cyber defense measures.” H.R. 4036 § 4. Such measures include accessing the computer or network of an attacker in order to: utilize beaconing technology to extract digital identifiers; establish attribution of an attack; disrupt continued unauthorized activity; monitor the behavior of an attacker; and destroy or render inoperable stolen information belonging to the victim. See id. These measures, listed in the bill, permit somewhat intrusive actions that not only allow identification of the hacker for prosecutorial purposes, but also provide the victim with an opportunity to recover the stolen files. See id.
The bill’s granted authority must obviously be balanced by limitations. In order to address concerns of potentially major collateral damage to innocent parties, the bill incorporates several safeguards to “help ensure that active defense is only targeted at the source of the attack, while imposing a strict standard of care on the defender to ensure that innocent bystanders aren’t impacted.” Bill Summary, supra. First, those who wish to take action against a hacker must notify authorities before doing so: “A defender who uses an active cyber defense measure under the preceding section must notify the FBI National Cyber Investigative Joint Task Force and receive a response from the FBI acknowledging receipt of the notification prior to using the measure.” H.R. 4036 § 5. Second, the bill lists actions that are not considered permissible active cyber defense measures, including intentionally destroying information not belonging to the victim, recklessly causing physical injury or financial loss, creating a threat to public health or safety, intentionally intruding on the computer of an intermediary (bystander), and impacting any government-controlled computer. Id. § 4. Third, the bill defines an attacker as “a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.” Id. (emphasis added). Notably, one wishing to employ active cyber defense measures must be able to show more than a single isolated incident of intrusion. See id. Fourth, the bill states that any person or entity who is targeted by the permitted actions retains the right to seek a civil remedy for compensatory damages or an injunction. Id. This preserves a bystander’s ability to obtain relief if he is either recklessly or intentionally affected by active cyber defense actions. See id.
Even with certain restrictions in place, the bill is not without its critics. The George Washington University’s Center for Cyber & Homeland Security issued a report regarding active cyber defenses in the private sector, which points out that “[t]he policy discussion on active defense measures in recent years has largely fallen into one of two camps: those who believe that active defense activities are appropriately prohibited under current U.S. law, and those who believe that more active tools should be available to the private sector.” Ctr. for Cyber & Homeland Sec., George Wash. Univ., supra, at xi. To some scholars, the active cyber defense measures that the bill deems permissible toe the line between defense measures and aggressive retaliatory attacks: “The term active defense is not synonymous with ‘hacking back’ and the two should not be used interchangeably.” Id. at 9 (explaining that the term “active defense” encompasses “a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense,” while “hacking back” refers only to the most aggressive form of active defense). Even if the actions that the bill would permit do indeed fall within the definition of “active defense,” such steps may often be unfavorable:
While technically feasible, operations in which defenders attempt to retrieve stolen information from adversary networks, even when the intent is not to alter or destroy any of that adversary’s other legitimate data, are not likely to succeed and are inadvisable. . . . Both are high risk and often ill-fated from the start. The moment an advanced adversary captures stolen information, they are likely to protect it by replicating and hiding it within their network or backing it up offline. Due to the low likelihood of achieving a beneficial outcome, even if government partners were to be involved, such operations are again, inadvisable.
Id. at 12. In addition, Robert Chesney, Director for the University of Texas at Austin’s Center for International Security and Law, highlights some vague sections within the bill that could undermine the bill’s goal of creating legal certainty as to what retaliatory actions are authorized. See Robert Chesney, Legislative Hackback: Notes on the Active Cyber Defense Certainty Act Discussion Draft, Lawfare (Mar. 7, 2017, 10:30 AM), https://www.lawfareblog.com/legislative-hackback-notes-active-cyber-defense-certainty-act-discussion-draft. First, the bill authorizes victims to “establish attribution of criminal activity to share with law enforcement and other United States Government agencies responsible for cybersecurity.” H.R. 4036 § 4 (emphasis added). Chesney urges that the language must clarify “whether it is required that the victim in fact follow through by actually sharing the data it gathers, as opposed to just having such an intent but perhaps not following through in the end.” Chesney, supra. The bill also requires that the Department of Justice produce a report related to cybercriminal deterrence, but such a report would be lacking if those who utilized the active cyber defense measures were not required to report the results of their actions. H.R. 4036 § 7. Second, Chesney notes the requirement that, before a victim may take action, the attacker’s intrusion must have been persistent. Chesney, supra. This provision may create confusion: “[Persistent] could refer to dwell-time in relation to a particular intrusion, or to a series of intrusions by the (apparently) same actor, or some combination of both. But how much is enough to count as ‘persistent’?” Id. Chesney questions whether, considering the uncertainty of the chosen term, it was worth excluding insignificant intrusions at all. Id.
The bill seemingly seeks to mimic criminal law doctrines by creating an affirmative defense to otherwise illegal cybercrimes when they are committed in “self-defense.” However, questions have quickly arisen as to whether the bill stretches beyond self-defense by allowing a cyber victim to leave his own network in order to aggressively pursue the attacker, opening the door to collateral damage and injury to bystanders. Id. While the bill remains in the early stages of the legislative process, its introduction to the House of Representatives indicates the government’s acknowledgement of the severe threat that cyberattacks pose, as well as the need to empower individuals and organizations to protect themselves.
*Meghan Noone is a second-year law student at the University of Baltimore School of Law, where she is a staff editor for Law Review. She is also a member of the Women’s Bar Association and the Royal Graham Shannonhouse III Honor Society, and volunteers weekly with Reading Partners Baltimore. Last summer, Meghan worked as a legal intern with John H. Denick & Associates, a general business practice. During the fall of 2017, Meghan served as a judicial intern with the Hon. Joseph M. Getty of the Court of Appeals of Maryland. This spring, Meghan will intern with the in-house counsel at TD Ameritrade.