In a speech yesterday to the annual Cybersecurity Law Institute, Assistant Attorney General Leslie Caldwell showed how far the Department of Justice has come in its dealings with the private sector on cybersecurity. Caldwell praised public-private collaboration on issues like botnet takedowns and highlighted recent outreach the DOJ’s Cybersecurity Unit has done to private sector groups. In particular, one recent event, cohosted by the Center for Strategic and International Studies, involved a discussion with security experts about “active defenses” deployed by companies. This discussion may trigger a very positive outcome: While reiterating that “hacking back” is problematic as a matter of both law and policy, Caldwell announced that DOJ’s Cybersecurity Unit is considering issuing guidance on the legality of various other defensive measures companies might want to take to protect their systems and networks.
Such guidance would be a welcome development. Greater clarity about the scope of the Computer Fraud and Abuse Act (CFAA) as it relates to defensive measures could empower companies to engage in more robust network defenses, consistent with existing law.
However, Caldwell also made clear that the DOJ and its federal agency counterparts are not all about carrots. They’re also retaining the right to use sticks. Caldwell highlighted a statement on the FTC website declaring that as the FTC increasingly flexes its enforcement muscles with respect to data security, it will take into consideration whether a company has cooperated with law enforcement and “likely . . . view that company more favorably than a company that hasn’t cooperated.”
The FTC statement is here, and the full text of Caldwell’s speech is here.
In the key section, Caldwell couples her legal conclusion that the CFAA prohibits hacking back with six policy arguments for why hacking back is officially a bad idea:
Given recent headlines, it is understandable that some commentators have proposed novel tactics – often in the form of carefully constructed hypotheticals – to counter the very serious cyber threats we currently face. But based on our decades of practical experience, we assess that freelance “hacking back” and similar intentional intrusions onto third-party computers and networks can carry serious legal consequences and policy risks.
Let me first summarize our legal position: based on a simple, plain-text reading of the Computer Fraud and Abuse Act, such conduct is generally unlawful. Some observers, at times employing quite creative legal theories, have suggested that hackback conduct is lawful. That is simply contrary to the plain-text of the statute. However, even if it were lawful, we would still recommend against it, because we think that sound policy also militates against use of hackback tactics.
First, hackback tactics pose a significant threat to innocent third parties. Across numerous investigations, we have seen sophisticated cybercriminals frequently hijack the infrastructure of innocent third-parties in order to more easily commit their crimes and to help mask their identity during subsequent investigations. In fact, cybercriminals commonly use multiple unwitting third-party drop sites at which they temporarily store stolen data for later retrieval. We believe a general rule allowing private hacking back would needlessly expose such third-parties, who often are unaware that their systems have been compromised, to intrusions, privacy violations and potentially property damage.
Second, hacking back and similar activities can – and have – interfered with ongoing government investigations. While these consequences may have been unintentional, the conduct can irreparably harm an investigation.
Third, aside from the risk to innocent third parties and law enforcement investigations, private hacking back carries the danger of dramatic escalation against an unknown adversary. Sophisticated cybercriminals or foreign intelligence services may simply have far more powerful and destructive technical capabilities than private firms who attempt to hackback.
Fourth, given the international nature of cybercrime, it bears mentioning that even if “hacking back” and similar tactics were statutorily permissible in the United States, such activities might be illegal in foreign jurisdictions. Similarly, the innocent third parties I mentioned might also be located abroad and protected by such laws.
Fifth, the possible unintended and collateral consequences that I have outlined could have serious effects on international relations. Another country, particularly one unfriendly to the United States, might presume that a privately-conducted act of hackback was actually an offensive cyberattack sanctioned by the United States. This could have serious foreign policy consequences.
And lastly, even if all these harms could somehow be avoided, our experience – and private discussions with a wide range of security experts, both inside government and in industry – suggests that “hacking back” would in most cases have a low likelihood of being beneficial. Indeed, the weight of professional technological opinion is that there is little to be gained in any event by authorizing private hacking back or similar activities in the overwhelming majority of cases.
After running through the legal analysis and policy arguments against hacking back, Caldwell notes that she is “encouraged by the range of innovative cybersecurity proposals that are currently being considered,” but “would urge practitioners to exercise caution” in considering new techniques. She then concludes by suggesting that, in the “spirit of collaboration,” the Cybersecurity Unit “is considering whether to offer guidance on other types of effective and truly defensive countermeasures that are considered to be beneficial by cybersecurity experts.”
Such guidance could help to ensure that practitioners’ caution is properly calibrated and that innovative defensive measures are not hampered by legal uncertainty.