Yet again, on October 10 (see also earlier articles here and here), the Washington Post ran a major article on the topic of Corporate hackbacks, also known as active defense. There are a range of definitions for what constitutes a hackback, but all revolve around the notion that a victim of a cyberattack should be able to take action in return against the attacker.
Discussion of this topic involves a complex set of legal, ethical and practical/technology factors, and although the practice is currently illegal and likely to remain so, the discussion keeps surfacing. First, what constitutes a hackback? The definitions range from destroying or removing stolen information (such as Intellectual Property) from another computer, to installing beacons or tracking devices in proprietary data perhaps along with some associated code to help with forensic identification of attackers, to disabling or destroying suspected attacker computers.
Under current law (generally the Computer Fraud and Abuse Act) it is illegal to access other computers without authorization, making the above activities illegal. There are also National Security concerns about allowing Corporate use of the practice, since for example destruction of foreign computers by US Corporations (or perhaps even foreign organizations operating on US soil) could be viewed as an Act of War. On a practical level, attribution for attacks is extremely difficult, and the likelihood of hackbacks against innocent targets is very high (and brings potential Corporate liability if it is a Corporate act). Ethically too, there is something to be said for the moral high ground if we ever hope to establish norms for acceptable behavior in cyberspace.
Interestingly, there are some countervailing practices. Amazon and others have deleted accounts of users and content on their machines under the guise of Digital Rights Management and the Digital Millennium Copyright Act. Clearly, encryption of content is acceptable; it doesn’t prevent theft or transmission, but at least it makes it less practical (in theory) to monetize wholesale theft of content. These are approaches aimed at protecting Corporate property rather than using or attacking resources owned by others.
Why does this discussion keep resurfacing? My speculation is a mix of factors. Some people involved in the discussion have more military or Big Government backgrounds, where the rules are a bit different. Some people may stand to benefit financially by selling products in this category if it becomes legal. But Congress is rightly hesitant, and the preponderance of informed opinion seems to be that this is a can of worms better left unopened.
So for lots of reasons, protecting your information is a really good idea, while the thought of open season for Corporate hackbacks wins this week’s award for: Worst…Idea…Ever.