Recently, I read a few articles on the legality of hacking back for individual users. They contained arguments about the possible costs for individual users and corporations alike. But first, let’s start with an explanation of what I’m even discussing.
What is “Hacking Back”?
Computer hacking occurs whenever someone knowingly accesses a computer without proper authorization. Hacking occurs quite frequently but consistently goes under the radar due to the lack of visible effects for the end user. Under the Computer Fraud and Abuse Act (CFAA), no person, whether or not they have been the victim of a cyber attack, is legally authorized to hack. This has led to hacking being used by criminals and state actors to minimize potential damages, as law enforcement agencies are slow to respond to these events.
A hacking-back policy would allow individual entities to seek retribution against cyber attacks by pursuing the hackers themselves. This means that if Google were to be attacked by a state-affiliated hacking group, then Google would be legally authorized to take offensive action against said group. Of course, a lot of oversight and coordination with federal agencies would be needed to effectively carry out such a policy; however, it could be argued that this is ethically necessary for society.
The Justification
As previously stated, under current law no one is allowed to hack regardless of circumstance – aside from military and federal agencies. If someone were to enter your home and attempt to steal your possessions, you have a right to “stand your ground” and take action against said person. In regard to cyber, your home is the hardware that you use to access digital content. If someone were to break into your system, you should have full authority to defend yourself either through defensive measures or offensive action.
The primary issue here is that most individuals do not have the technical skills or infrastructure to carry out effective cyber attacks. Additionally, corporations would need to focus funding on departments dedicated to offensive attacks. So why go through the effort of even doing this? The answer is to create a standard of mutual disruption for cyber threat actors. If people and corporations began to unilaterally fight back against cyber crime, then the frequency of attacks would decrease.
While this argument may seem far-fetched (it by all reason is…), loosening the restrictions on the CFAA and allowing people to defend their digital infrastructure would reduce the rate of cyber attacks, especially those performed by non-backed criminals.