Private organizations taking aggressive actions like hacking back to punish cyber attackers or retrieve stolen data is illegal and unhelpful, an assistant attorney general said at a conference last week while promoting the early successes of the new Cybersecurity Unit within the Computer Crime and Intellectual Property Section (CCIPS) of the Justice Department’s Criminal Division

Hacking back, the process of a cyberattack victim initiating their own cyberattack to either retrieve/destroy stolen data or punish an attacker, is heavily discouraged by the U.S. government, Leslie Caldwell, Assistant Attorney General for the Criminal Division, said at the Georgetown Cybersecurity Law Institute.

Caldwell highlighted how hacking back is discouraged in a new guidance document released by the Cybersecurity Unit in April. “Best Practices for Victim Response and Reporting of Cyber Incidents,” released in April, is the unit’s first contribution to discourse on cyber issues.

Leslie Caldwell, Assistant Attorney General for the Criminal Division. Photo: U.S. Department of Justice
Leslie Caldwell, Assistant Attorney General for the Criminal Division. Photo: U.S. Department of Justice

“The guidance draws upon prosecutors’ experience in investigating and prosecuting cybercrime.  It also includes input from private sector organizations that have handled cyber incidents… It provides step-by-step advice on the measures that organizations should take before, during and after a cyber incident,” Caldwell said.

The Cybersecurity Unit was created in December 2014 to act as a focal point within the department for navigating the legal framework for combating cybercrimes (Defense Daily, Jan. 4). It is also meant to work with international partners, law enforcement, and the private sector as well as Congress as it crafts cyber security legislation.

The guidance document was drafted to help avoid problems like when victim organizations are unsure of how to proceed because they lack an incident response plan or victim companies lacking an adequate authority to monitor their networks to identify intruders. It also advises organizations on what they should not do, especially hacking back.

“Based on a simple, plain-text reading of the Computer Fraud and Abuse Act, such conduct is generally unlawful.” Commenters using creative legal theories might suggest hacking back is lawful but that is contrary to the plain-text of the statute, Caldwell said.

However, even if hacking back was lawful, the Justice Department recommends against doing so for six policy-driven reasons.

“First, hack back tactics pose a significant threat to innocent third parties…we have seen sophisticated cybercriminals frequently hijack the infrastructure of innocent third-parties in order to more easily commit their crimes and to help mask their identity during subsequent investigations.”

Hacking back and related activities can also interfere with ongoing government investigations. The actions can irreparably harm an investigation, Caldwell said.

Third, this increases the danger of dramatic escalation against an unknown opponent. “Sophisticated cybercriminals or foreign intelligence services may simply have far more powerful and destructive technical capabilities than private firms who attempt to hack back.”

Fourth, given the international nature of cybercrime, even if hacking back-style activities were legal within the United States they may be illegal in foreign jurisdictions.

Fifth, unintended and collateral consequences of hacking back by private entities could have serious effects on international relations. “Another country, particularly one unfriendly to the United States, might presume that a privately-conducted act of hack back was actually an offensive cyberattack sanctioned by the United States,” Caldwell said.

Her final reason was that even if the above harms were avoided, hacking back would usually have a low likelihood of being beneficial. “Indeed, the weight of professional technological opinion is that there is little to be gained in any event by authorizing private hacking back or similar activities in the overwhelming majority of cases.”

Caldwell cited a Christian Science Monitor poll of experts on whether companies should be allowed to hack back, with 82 percent saying no.

Caldwell said she is encouraged by innovative cybersecurity proposals but noted that not every idea is a good one. “Hacking back is such an example.  We would urge practitioners to exercise caution.  And we counsel policymakers against significantly altering the law in this area.”

However, she said the Cybersecurity Unit is considering whether to offer guidance on other kinds of effective and defensive countermeasures that cybersecurity experts consider beneficial.

Caldwell also described other major projects the Cybersecurity Unit began and has ongoing: a discussion with leading security experts on the subject of active defense, in conjunction with the Center for Strategic and international Studies (CSIS); a roundtable recently held with leading private sector data breach response practitioners; and collaboration with non-Justice Department regulatory agencies on cybersecurity issues like factoring in cooperation with law enforcement into investigations of breaches.