Shot in the Dark: Can Private Sector 'Hackbacks' Work?

Author: Sam Parker
Position: J.D., Georgetown University Law Center, 2022; MPP, Harvard Kennedy School, 2018; B.A., Colby College, 2015
Pages: 211-230
Sam Parker*
INTRODUCTION

Former FBI Director Robert Mueller once said that "[t]here are only two types of companies: those that have been hacked and those that will be."¹ In a cyber domain where offense has generally dominated defense and the U.S. government is often unwilling or unable to help defend private company networks from cyberattacks, some of those companies would like to go on the offensive to deter and defend against such attacks. They are precluded from engaging in these "hackback" responses, however, by the Computer Fraud and Abuse Act (CFAA), which prohibits accessing computer networks without authorization.

Critics of this legal restriction claim the government is tying the hands of companies trying to effectively defend themselves; proponents warn that legalizing hackbacks would create a cyber Wild West where private companies firing back blindly would lead to chaos with potential foreign policy ramifications. One recent legislative proposal, the most prominent on this issue, is the Active Cyber Defense Certainty (ACDC) Act, which would establish an affirmative defense to CFAA liability for "active cyber defense measures," allowing private hackbacks in limited circumstances.²

This paper will proceed as follows. Part I provides policy background on private sector active cyber defense and the relevant domestic and international legal frameworks. Part II outlines three recent proposals for enabling active cyber defense. Part III illustrates what a potential model hackback attack could look like under these proposals. Part IV evaluates the strengths and weaknesses of each proposal. Part V assesses what a model proposal might look like, and whether it would be an improvement over the status quo. Part VI concludes that ACDC and other proposed solutions are too open-ended because any hackback legislation should retain approval authority with federal law enforcement agencies to be granted on a case-by-case basis.

I. BACKGROUND

This section briefly describes recent developments in cyber policy and prominent attacks on private sector companies, explaining why some want to hack back and why the government has prohibited it. It also outlines how the CFAA restricts active cyber defense and discusses the international legal implications if the government were to permit or endorse private sector hackbacks.

* J.D., Georgetown University Law Center, 2022; MPP, Harvard Kennedy School, 2018; B.A., Colby College, 2015. The author would like to thank Professor Mary B. DeRosa for her invaluable assistance and mentorship. © 2022, Sam Parker.
1. Nicholas Schmidle, The Digital Vigilantes Who Hack Back, NEW YORKER (Apr. 30, 2018), https://perma.cc/ZLK2-B7FT.
2. Active Cyber Defense Certainty (ACDC) Act, H.R. 3270, 116th Cong. (2019).

A. A Rising Tide of Costly Attacks

In the cyber domain, a general consensus exists that offense has a sizeable advantage over defense.³ Cyberattacks are relatively low-cost to launch and often difficult to attribute to their source. Defensively, government and private sector companies alike have struggled to modernize and shore up their networks, leaving a plethora of soft targets for malicious actors. The federal government spends over $18 billion per year specifically on cybersecurity,⁴ with uneven success disrupting or deterring malicious actors. The SolarWinds attack, for example, a Russian government-backed breach discovered in late 2020, infected networks in at least nine federal agencies (including the State Department, the Department of Homeland Security, and parts of the Pentagon)⁵ and may have caused upwards of $100 billion in damage.⁶

Private companies regularly face similar attacks, with only a fraction of the government’s resources to defend themselves. Global cybercrime is expected to cost $6 trillion this year, double the total from 2015.⁷ By one estimate, there are 2,444 attempted cyberattacks per day,⁸ one every 39 seconds. According to IBM the average business cost of a cyberattack is $3.86 million.⁹ Former NSA Director Keith Alexander has estimated cumulative U.S. company losses to cyberattacks to be the greatest transfer of wealth in history.¹⁰ And cybercrime is on the rise: since the start of the global COVID-19 pandemic, the FBI has reported a 300% increase in the number of cybersecurity complaints it receives daily, now up to around 4,000 per day.¹¹

Several prominent examples illustrate the havoc a malicious cyberattack can wreak on a company. In 2014, North Korean hackers attacked Sony Pictures in

3. See Rebecca Slayton, What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment, 41 INT'L SECURITY 72, 72 (2017).
4. Jason Miller, VA, HHS, SBA Among Biggest Winners in $92B IT Budget Request for 2021, FED. NEWS NETWORK (Feb. 11, 2020, 8:37 AM), https://perma.cc/HNU7-64ZF ("[T]he White House requested $18.78 billion for governmentwide cybersecurity funding [in Fiscal Year 2021], down slightly from $18.79 billion in 2020."). Information technology funding is classified separately and amounts to over $90 billion per year. Id.
5. David Sanger, Nicole Perlroth & Eric Schmitt, Scope of Russian Hacking Becomes Clear: Multiple U.S. Agencies Were Hit, N.Y. TIMES (Dec. 14, 2020), https://perma.cc/8CW4-WYB9.
6. Gopal Ratnam, Cleaning up SolarWinds Hack May Cost as Much as $100 Billion, ROLL CALL (Jan. 11, 2021, 6:00 AM), https://perma.cc/8AQX-D4C6.
7. Steve Morgan, Global Cybercrime Damages Predicted to Reach $6 Trillion Annually By 2021, CYBERSECURITY VENTURES (Oct. 26, 2020), https://perma.cc/2GJM-KTYB.
8. Hackers Attack Every 39 Seconds, SEC. MAG. (Feb. 10, 2017), https://perma.cc/A55J-D7CD.
9. IBM SECURITY, COST OF A DATA BREACH REPORT 40 (2020), https://perma.cc/ENV6-R7V4.
10. Josh Rogin, NSA Chief: Cybercrime Constitutes the Greatest Transfer of Wealth in History, FOREIGN POL'Y (July 9, 2012, 6:54 PM), https://perma.cc/6DHZ-MDZ4.
11. Maggie Miller, FBI Sees Spike in Cyber Crime Reports During Coronavirus Pandemic, HILL (Apr. 16, 2020, 3:27 PM), https://perma.cc/2USE-YUR9.

212 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 13:211
