For at least two decades, American ﬁrms and institutions have been victimized by attacks on their computer systems. Hackers disrupt their websites, interfere with their communications, and—most costly of all—steal their data. General Keith Alexander, then director of the National Security Agency (NSA), characterized the scale of intellectual property theft by cyber attacks as “the largest transfer of wealth in world history.” Estimates place losses to American business at over one hundred billion dollars per year.
In response, American businesses have invested heavily in technology to secure their computer networks from intruders. The most clever and determined hackers manage to work around almost all defense measures, however. Such determined attackers, who spend a great deal of time burrowing deeply into adversary computer networks, are known in the security community as “advanced persistent threats.” A sizable portion of the most skillful and relentless computer criminals operate from foreign countries, beyond the reach of American law enforcement. Last year, the director of National Intelligence, James Clapper, acknowledged to Congress that cyber attacks on American business were increasing and will likely continue to increase.
For the past decade, at least, frustrated computer security specialists have muttered about the appeal of retaliatory measures—so-called hack-back operations. There has been much talk about the appeal of such tactics and the possible risks involved. So far, all these exchanges have simply generated more talking points—at least in public. The debate has been pursued at a high level of abstraction. Even advocates tend to restrict themselves to generalities about the need for “active defense” measures without spelling out concrete proposals.
After years of debate about the need to address computer security, Congress enacted the Cybersecurity Information Sharing Act (CISA) in December of 2015.
CISA encourages sharing of information, in various ways, about cyber security threats. It vaguely refers to “defensive measures” but neither authorizes nor prohibits actual hack-back tactics.
In brief, more talk, no more action.
The Obama administration seems intellectually exhausted by its effort to assure everyone it is taking the problem seriously—without offending anyone. The debate now seems stalled for lack of concrete proposals.
Our new paper, "Hacking Back Without Cracking Up," aims, in the ﬁrst place, to put a concrete proposal on the table. It is not a panacea; it is a plausible way forward, designed to give victims of cyber attacks access to more effective remedies against their attackers. Department stores hire private investigators to catch shoplifters, rather than relying only on the police. So too private companies should be able to hire their own security services. There should be a list of approved hack-back vendors from which victims are free to choose. These vendors would primarily be in the business of identifying attackers and imposing deterrent costs on attackers by providing the threat of retaliation.
Cyber intrusions are often disguised in various ways, as attackers route their activity through computers on a network. Often the immediate source of an attack—or what appears to be the immediate source—may be in a different country or even on a different continent than the actual source. Tracing these pathways is a job for qualiﬁed specialists. Sometimes, the path will go through the computers of third-party bystanders, who are disinclined to cooperate with an investigation. Private investigators should have the right to access these machines.
This is, to be sure, crossing a line—what is often regarded as the line between mere“passive defense” (acting within one’s own system) and “active measures” that affect the data or computer networks owned by others. There is certainly potential for abuse. We therefore propose that such intrusions, even when aimed solely at securing information, should be left to specialists who can be trusted not to interfere with innocent third parties beyond what is required for the investigation.
In some cases, it might be enough for the investigation to end with a lawsuit or are ferral to law enforcement for prosecution. Many cyber attackers, however, operate from countries, such as Russia and China, that are disinclined to cooperate with American law enforcement. For these attackers, a mere notice to local authorities is unlikely to have much effect. In such cases, it might be more effective to follow up an initial warning by gathering more information about the perpetrators and then sending a sterner warning: “We have learned a lot about you by probing your email and your computerized records, your ﬁnances, personal whereabouts, typical tactics and past victims. We are posting some of this information on public websites in retaliation for your attacks on American corporations.”
If more intrusive cyber sleuthing by private security ﬁrms is authorized, who would direct their efforts? We envision a system in which private clients would pay licensed security ﬁrms. These ﬁrms would act only for clients willing to assume the risks involved. Particular industries, such as defense contractors, may elect to hire ﬁrms to act on behalf of a client consortium. The ﬁnancing would remain private, the risks involved would be borne by private ﬁrms, and the decision to embrace such ventures left to each ﬁrm.
We start our paper by explaining our proposal in detail and the problems we believe it would solve. We then discuss the proposal’s strategic rationale at a higher level, how it compares to various past and current practices, and why concerns about the dangers are considerably exaggerated. We conclude by considering the speciﬁc legal changes the proposal would require.