Questioning the Legality of Hack-Back
Commission's Findings Promoting an Active Defense Challenged
The concept of hack-back as an approach to mitigate the theft of intellectual property has gained momentum, yet privacy attorney Ronald Raether sees several problems with the practice.
A report from the Commission on the Theft of American Intellectual Property notes that a variation of hack-back - in which a victim of a cyber-attack assaults the assailant's computer or network - could be used as a defensive tactic [see Panel: Use Hack-Back to Mitigate IP Theft], an approach that Raether says comes with many downsides.
"First of all, in the U.S., Canada and in the EU, there are laws that prohibit unauthorized access to other companies' [or] individuals' computer systems," Raether says in an interview with Information Security Media Group [transcript below].
For example, in the U.S., liability under the Computer Fraud and Abuse Act turns on the unauthorized access itself, Raether says, regardless of the intent behind it.
"Obviously, what the commission is suggesting would be ... a violation," he says.
Another concern is the commission's assumption that a hack-back defense can be carried out without damaging the intruder's network. "I guess that depends on the degree or the extreme of the hack-back technique that has been in use," Raether says. "I [see] innumerable problems with this."
Those problems include whether the victim can discern if the intellectual property they're going after is theirs. "What about the situation in which the bad guys are using a third-party - for example, my grandma's computer system - as part of their scheme?" Raether asks.
In the interview, Raether explains:
- Why other measures presented by the commission to battle intellectual property theft, including electronic watermarks and so-called poison pills, provide more reliable ways to safeguard IP than the hack-back strategy;
- Problems hack-back poses, such as collateral damage caused to other parties, including innocent bystanders whose computers may have been hijacked by the hacker;
- How owners of intellectual property could take legal actions to protect themselves against IP thieves.
Raether is partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent, antitrust, licensing and contracts, employment, trademark, domain name disputes and federal and state privacy statutes.
For further content on hack-back, also see Legal Merits of Hack-Back Strategy and To Hack-Back or Not?
Legality of Hack-Back
ERIC CHABROW: The commission chaired by former U.S. Ambassador to China, Jon Huntsman, and Dennis Blair, the former U.S. Director of National Intelligence, suggests companies that experience cybertheft ought to be able to retrieve their electronic files to prevent exploitation of their stolen information without damaging the intruder's own network. Two questions: First, is it legal? And if so, how practical would such an action be?
RON RAETHER: It's an interesting set of issues and one that we've been dealing with even before and outside of this commission report. It's often frustrating to deal with IP theft issues, especially in the context of dealing with the lack of enforcement in countries like China, either with respect to intellectual property rights generally, or as to the enforcement of foreign judgments. In other words, I get a judgment here in the U.S. It's a natural reaction to want to do something aggressive.
However, hack-back active defense comes with a lot of downside, and I think the key point in your question that needs to be emphasized is this assumption that you can do so without damaging the intruder's own network, which I think is likely a false assumption, but even exposes the difficulties I think in what the commission is suggesting.
First of all, in the U.S., Canada and in the EU, there are laws that prohibit unauthorized access to other companies' [or] other individuals' computer systems. In the U.S., that's the Computer Fraud and Abuse Act. That statute is defined based on the unauthorized access, the unauthorized entry, into someone else's computer system, regardless of what the intent is behind that access. It's the unauthorized access itself that's a violation. Obviously, what the commission is suggesting would be, at least under the current terminology of that statute, a violation.
What's interesting for me is this notion that you can hack-back or be involved in active defense without damaging the intruder's network. I guess that depends on the degree or the extreme of the hack-back technique that has been in use. But with respect to the commission, they're talking about going in, destroying or retrieving intellectual property that presumably belongs to the entity or the person who's engaged in the hacking.
I [see] innumerable problems with this from a variety of levels. For example, how do I discern my intellectual property from data that's residing in bad guys' system and destroy it, as opposed to disabling the entirety of that system, i.e. causing damage to the intruder's network? What about the situation in which the bad guys are using a third-party, for example my grandma's computer system, as part of their scheme? Whether it's temporarily resident on my grandma's system that they've used as part of their zombie network, now I'm talking about harming innocent bystanders, collateral damage, in these escalating technology wars.
There are legal restraints and then I think there are practical, technical restraints. While it's cathartic to be able to say, "I want to hack-back [and] attack somebody else who's attacking me," there are obviously a lot of downsides, both from a practical standpoint as well as I think a larger policy standpoint of this suggestion being made by the commission.
Practicality of Hacking Back
CHABROW: What doesn't make sense to me is that intellectual property in these instances consists of bits and bytes. There's nothing tangible there. A cyber thief could make copies of intellectual property and store them elsewhere. What's the practicality of just going in and either disabling or even trying to retrieve that information?
RAETHER: I think the traditional mechanisms are probably still the best, but that obviously assumes that you're dealing with a defendant, an opposing party, who abides by the rules of law. In other words, the best reaction to the issue that you're raising is to go to a court, get a determination of infringement, and get an order from that court to shut down the infringer. To require the infringer to remove, delete and destroy all of the infringing materials, you're addressing the copying issue because, obviously, a company that wants to abide by the law isn't going to take the risks of angering a judge and possibly, for example, ending up in jail for contempt.
The problem really focuses on bad actors, people who don't want to follow the law. Whether that's somebody who's hiding behind a nation-state who's refusing to acknowledge the importance of intellectual property or the importance of abiding by judgments from courts from other countries, or it's just the hacker, the criminal out there, who doesn't appreciate the rule of law regardless, that's where your scenario begins to create interesting and unique issues, particularly in the context of what we were talking about earlier, the Computer Fraud and Abuse Act. If we create an exception to that act that says, "I'm allowed to go in and gain unauthorized access to somebody else's system so long as it is only to retrieve my intellectual property," the issue then becomes how do you define what's your intellectual property. More importantly, how do you determine that what you're accessing and what you're deleting is your intellectual property?
In other words, it provides an opportunity for bad guys to exploit a loophole. "You caught me gaining unauthorized access to Microsoft systems. That's because I thought they had stolen my IP and I was just digging around in there trying to figure out whether they had my IP or not." I've created a loophole for the bad guy. That's what I think is the issue or concern with changing the laws or trying to create some solution within the law to address these issues, because you end up creating a loophole that really only helps the criminals.
From a practical perspective, I think some of the other commission suggestions - in terms of watermarking and creating a poison pill that carries along with the intellectual property - some of those technical fixes to me seem to be more practical and more viable than trying to change the law.
Watermarking and Poison Pills
CHABROW: You mentioned two things, watermarking and poison pills. Why don't you explain what they are, how that would work and why you feel that would be better?
RAETHER: It's not a complete solution because there's always a way to hack around anything. A watermark is basically an electronic digital signature that's appended to whatever the intellectual property is. In other words, if somebody were to steal the source code from my software, if it's watermarked, anywhere that source code goes, if it's copied, it's always carrying with it a digital signature that says it belongs to me. The issue is: Can somebody hack around that? Can they remove that digital signature without destroying the source code or being able to reverse engineer the source code? It's possible. It makes it harder for the bad guys to do it. It requires them to be more sophisticated in order to do that.
The poison-pill approach is similar to a watermark except that it allows a couple of things. One is that you could remotely blow up - in other words, defragment - the data in some sort of destructive mechanism so that the source code could not be read and could not be used once it leaves a certain place. It allows you to do that remotely. It also could be triggered based on certain events. For example, if somebody tries to remove the watermark, it could trigger the poison pill which causes the underlying code to be fragmented or somehow otherwise made unusable. What you've done is you've escalated the effort a criminal requires in order to steal the IP, so it doesn't prevent it from being stolen. It doesn't prevent it from being misused; it just requires more effort on behalf of the criminal to be able to exploit their unlawful behavior.