Crossroads Blog | CYBER SECURITY LAW AND POLICY

Current Affairs, Cyber Exploitation

Active Defense Has High Risk, But So Does Inaction: Forbes/CSO

On 11/29, Jody Westby wrote for Forbes on hackback.  She was generally against it.  Before I get into that more, Westby had a useful four-level breakdown of hackback activity (from Dave Dittrich of U of Washington’s Applied Physics Lab):

  1. local intelligence gathering;
  2. remote intelligence gathering;
  3. actively tracing the attacker; and
  4. actively attacking the attacker.

Level 1 is legal, with everything thereafter of uncertain (and likely decreasing) legality.

Again, Westby thinks hackback is both illegal and a bad idea.  Notably, she thinks authorizing hackback under some government regime “would turn the Internet into the Wild West.”  She also doesn’t like the hot pursuit parallel.  She also correctly notes that there will be international complications with U.S. companies conducting hackback.  In the alternative, she suggests that we hire and train more law enforcement globally and at the federal, state, and local levels.  We previously beefed up foot patrols to reduce street crime, and “[w]e can do the same with cybercrime.”

A few more of her suggestions:

  • “Clarify what active defense conduct is illegal and will be prosecuted (even though DoJ’s Prosecuting Computer Crimes Manual says hacking back is clearly illegal and advises against “defensive” measures)”
  • “Establish programs to help harmonize cybercrime laws around the world”
  • “Create programs to promote speedy international cooperation and collaboration on cyber investigations”

There are more, but her point is clear: “defensive actions [] will bring down the rate of cybercrime, deter criminals, and make it easier for law enforcement to find them and bring them to justice.”

Not surprisingly, I mostly disagree with what she said.  She was right to point out some of hackback’s flaws, as the practice is controversial, possibly illegal, and carries the potential to cause a lot of damage.  She was wrong to suggest it’s as simple as hiring and training more law enforcement.  Don’t get me wrong, law enforcement should focus more on cyber, but in an era of tight budgets, can we simply hire and train sufficient law enforcement to deal with the pervasive cyberespionage we’re facing?  And to say that we can somehow coordinate that effort globally?  I don’t know if beefed-up foot patrols reduced street crime, but even if they did, street criminals were not stealing my Xbox and then fleeing to a foreign jurisdiction where the local authorities had no control.  I don’t think Ms. Westby’s comparison is really appropriate here.

Also, the idea that some government-regulated hackback regime would “turn the Internet into the Wild West” seems off.  It’s already the Wild West.  There is pretty clear direct and circumstantial evidence that companies are already engaging in hackback, regardless of its legality.  I think unregulated hackback is far more dangerous than regulated hackback.  Indeed, if we’re talking about diplomatic implications and the possibility for collateral damage of interconnected hospital systems and all the other hackback warts, it’s the absence of a government-regulated hackback regime that’s turning things into the Wild West.  Bring this practice into the light.  Get the government involved.  Establish liability rules for engaging in unauthorized hackback and set standards for when you can get an authorized hackback.

A government-regulated hackback regime would complicate things on an international level, especially when talking about attribution and state responsibility.  I think the time is ripe for some clarification of rights similar to the Montreux Document’s clarification regarding PSCs.

Whatever the case, I agree that we should “[c]larify what active defense conduct is illegal and will be prosecuted” and what won’t be.  Wherever you fall on this debate, the law needs clarity, whether it is to authorize it under limited circumstances or outright make it illegal.

There is more to Ms. Westby’s article, and it’s certainly worth reading, so check out Forbes’ website here.

***

CSO’s Jeff Bardin directly responded to Ms. Westby’s article and also disagreed with her, arguing that “Not Executing Offensive Actions Against Our Adversaries is High Risk.”
