IF THE LAW CAN ALLOW TAKEBACKS, SHOULDN'T IT ALSO ALLOW HACKBACKS?

• Author: Rodrigues, Adam

1. INTRODUCTION II. DEFINING AND DISTINGUISHING PRIVATIZED AND PUBLIC ACTIVE DEFENSE III. PRIVATIZED ACTIVE DEFENSE AS EQUITABLE REMEDY IV. THE ATTRIBUTION PROBLEM ISN'T WHAT IT USED TO BE A. WHAT IS THE HARM, REALLY? B. INTERNET PRIVACY AND HACKBACKING AS JUSTIFIED EXIGENT RESPONSE C. LICENSING PRIVATE PROFESSIONALS TO LIMIT COLLATERAL DAMAGE V. POTENTIAL FOR ESCALATING INTERNATIONAL CONFLICT VI. LEGALIZING HACKING BACK WITHIN THE CFAA VII. CONCLUSION I. INTRODUCTION

   In 2004, the Computer Emergency Response Team Coordination Center gave up tracking cyberattacks after tracking several hundred thousand successful attacks a year for several years. (1) In that same year, the Department of Defense (DoD) reported that it recorded several million scans of its computers every day by potential attackers. (2) In the years since, hacking efforts have only grown in scale and sophistication. (3)

   This unprecedented level of espionage helps provide some context for the United States' current intellectual property crisis. In 2008, the U.S. government estimated the loss in economic value from cyberespionage to be upwards of $1 trillion. (4) In March of 2018, the United States Trade Representative, who led a seven-month investigation into China's intellectual property theft, found that Chinese theft of American IP currently costs between $225 billion and $600 billion annually. (5) Just twenty years ago, such looting could only have happened through military occupation. (6) Today, China does not need to storm our borders and steal our files. They only need computers and a connection to the Internet.

   In response to this growing problem, the purpose of this note is to advocate that the legalization of privatized active defense is a better approach for deterring this growing cybercriminal enterprise. Current deterrence efforts are not working. Maintaining a conservative reading of the Computer Fraud and Abuse Act (CFAA) and telling companies they are only allowed to either bolster their defenses (7) or turn their concerns over to the government is no longer sustainable. (8) Companies need more freedom to respond at the point of cyberattack to better deter cybercriminals.

2. DEFINING AND DISTINGUISHING PRIVATIZED AND PUBLIC ACTIVE DEFENSE

   As a first point, it is important to note that the government engages in active defense. (9) The Pentagon has already come to the conclusion that solely passive defense does not provide sufficient protection for military secrets. (10) In its 2011 report entitled The Department of Defense Strategy for Operating in Cyberspace, the DoD openly used the term "active defense" and defined it as "synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities," (11) so as "to prevent intrusions onto DoD networks and systems." (12) It has been used widely since and was even broadened in the most recent report published in 2018. (13) Active defense, then, is not as new or extreme as some might think it to be. (14) The government has already decided it is in the nation's best interests to employ active defense, and that it can do so in a way that does not escalate into an international catastrophe. Accordingly, the point of this note is to argue the same could be said for allowing the use of active defense in the private sector.

3. PRIVATIZED ACTIVE DEFENSE AS EQUITABLE REMEDY

   A primary reason for allowing private companies to "hackback" (15) is that it is an equitable response. The American legal system has always provided room for people to be able to take action in defending their personal property and possessions. (16) This is a justification defense--a category of legal defense in which something that would usually be considered unlawful is considered lawfully justified for moral and/or utilitarian purposes. (17) In this case, it feels morally wrong to not allow someone to defend their possessions. It is recognized that people have a right to their property, and therefore allowing someone to defend their property against theft is the right thing to do. Additionally, a great deal of social harm would come if criminals knew people were not allowed to resist thieves. Most importantly, though, for the defense of property, is that much of the deterrent value for this defense hinges on the capacity for instant response, as that is not something law enforcement can offer. As the National Rifle Association (NRA) puts it, "when seconds count, the police are only minutes away." (18)

   An important underlying point to a justification defense is whether or not the defensive action in question actually falls within the established parameters for that defense and is in fact justified. That is ultimately the question here. If privatized active defense were perfectly analogous to defense of property, there would be no reason to debate whether or not it can be lawfully justified. As it is, there is extensive debate on this point. In fact, this is arguably the point of disagreement on whether the U.S. should legalize privatized hackbacks. With that in mind, the remainder of this note will argue privatized active defense is analogous enough to the equitable rationales for defense of property to merit its legalization.

4. THE ATTRIBUTION PROBLEM ISN'T WHAT IT USED TO BE

   Proper attribution is a core component to satisfying a defense of property claim. (19) This includes not harming or causing an unreasonable risk of harm to innocent third parties. (20) Consequently, a victim cannot justify tackling someone running down the street if she thinks that person is the person who just stole her purse. She needs to in fact tackle the right person to justify her actions, and even then, it could be up to her lawyer and the jury to determine if she subjected any other parties to an unreasonable risk of harm (such as if she pushed other people out of the way during the chase). (21)

   Opponents of hackbacking invariably point out that identifying a cybercriminal is not nearly so straightforward. Unlike the physical world, a cyber victim cannot simply look and see the person who breaks into her server, "runs off" with her data, and then chase down and "tackle" that person. In reality, a cyber victim usually does not even know anything has been stolen for weeks or months after the incident. (22) Consequently, this can often lead to the wrongful attribution of a cybercrime to an innocent third party. Because of this heightened risk of subjecting innocent third parties to harm, detractors argue hackbacking should not be legalized.

   However, the concern of proper attribution has been dissipating in recent years. In a recent interview, the general counsel for the Government Communications Headquarters (GCHQ), the British equivalent to the National Security Agency (NSA), had this to say about attribution: "I think the idea that attribution in cyberspace is somehow this impossible task that we shouldn't even try to get past ... something that people involved in this area have moved away from some time ago." (23) He went on to mention the "recent attributions of the GRU generally, the NotPetya attacks, [and] WannaCry [attacks]" are evidence that "we've demonstrated this can be done." (24) To give another government example, in 2016, attribution was "reliable enough for the US government to accuse named individuals of a particular attack in the recent indictment of Iranian government employees for cyber attacks against US banks and an attempted attack on a dam." (25)

   Granted, attribution is still not as reliable in cybercrime as it is in the physical world. But given how much it has improved in recent years, permitting the vast resources...