Kristin J. Rempe
The Active Cyber Defense Certainty Act—colloquially known as the “Hack Back” bill— was first introduced in 2017[1] and reintroduced in 2019.[2] The bipartisan bill seeks to amend the Computer Fraud and Abuse Act (“CFAA”).[3] Under the CFAA, it is illegal to knowingly or intentionally access another computer without authorization or to exceed authorized access.[4] Although there is some uncertainty as to whether the CFAA overtly prohibits active cyber defense measures,[5] it seems clear that under the CFAA “a victim organization should not unilaterally respond to a cyber incident by accessing, modifying, or damaging a computer it does not own or operate, even if the computer appears to have been involved in an attack or intrusion.”[6] The proposed Hack Back bill would change all that.
The proposed Hack Back bill recognizes that “[c]yber fraud and related cyber-enabled crimes pose a severe threat to the national security and economic vitality of the United States.”[7] While the bill itself seems to have stagnated in Congress, the threat it recognizes continues to exacerbate. This “threat to the national security and economic vitality of the United States” is most recently exemplified by the prolific SolarWinds Orion hack perpetrated by a Russian entity against private sector organizations and U.S. government agencies,[8] including the U.S. Departments of Commerce, Treasury, Homeland Security and Defense, and the Energy Department’s Nuclear Security Administration.[9] A significant, unique threat such as this merits its own method of defense, and the Hack Back bill seeks to provide the means.
The bill essentially provides a “defender”—“a person or an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer”[10]—a defense to criminal prosecution under the CFAA when the defender takes active measures against an attacker. These active measures can come in the form of “beacons,” a defense measure allowing the defender to place hidden code on a hacker’s computer which, once activated, record the hacker’s identifying information.[11] However, prior to taking any active defense measures, a defender would be required to notify the FBI National Cyber Investigative Joint Task Force and receive authorization for the counter measure.[12]
Although the Hack Back bill may provide a much-needed means of defense for hacker targets, the debate over the efficacy of hack back measures continues to rage on.[13] Those in favor of “hacking back” argue those measures are necessary to empower private sector organizations to “take a more active approach to their cyber defense,”[14] to provide a means of deterrence for potential hackers, and to monitor the behavior of an attacker.[15] Currently, private sector organizations and individuals are advised to focus their efforts on precautionary, preventative measures with response to cyber attacks considered subordinate. When a cyber attack does occur, responsive actions are focused on identifying how the hack occurred, collecting information on compromised files and systems, implementing measures to minimize continued damage (such as “null routing” and dropping the originating IP address[16]), and notifying law enforcement. Any “active defense” comes in the form of post-hack litigation.[17] Yet, unlike the ex post facto cyber attack responses revolving around litigation and enforcement of the CFAA, “hacking back has the crucial ability to prevent future attacks.”[18]
However, those warning against authorizing “hacking back” caution that sanctioning this behavior will “merely serve as a vehicle for more attacks and greater chaos.”[19] “Hacking back” could lead to retaliation, escalation, and the potential for “private actors to inadvertently wade into the realm of cyberwarfare and foreign relations.”[20] For example, consider the SolarWinds Orion attack. Microsoft Corporation was one private sector organization that fell victim to the SolarWinds Orion hack.[21] Microsoft’s cybersecurity team was able to detect unusual activity in its internal accounts which allowed the company to identify that it had downloaded malicious software from SolarWinds, but the investigation ended without further action.[22] If the Hack Back bill were enacted and Microsoft had requested and received authorization from the FBI to begin active counter measures back when the attack began in October 2019—before the hack was linked to Russia—Microsoft could have engaged in its own cyber attack, potentially against a foreign nation. The ramifications of a U.S.-based corporation hacking the computer systems of a Russian-backed infrastructure monitoring and management software company are potentially cataclysmic.
Although the likelihood that the Hack Back bill will pass continues to diminish the longer it remains unaddressed in Congress, the certainty that the private defense measures it would provide will be needed in the future will continue to increase. While “hacking back” remains controversial and the potential for abuse abounds, the reality of the benefits that come with “hacking back” cannot be put to the wayside. Particularly in light of the international transition of activities to online platforms of all types as a result of COVID-19, private companies are in need of an actionable means of immediate, proactive defense against detrimental cyber attacks. Whether that actionable means of immediate defense comes in the form of a federal law authorizing “hacking back,” or some other means, remains to be seen. Until then, to all private sector and U.S. government agencies alike, the advice remains the same: stay vigilant, enact preventative measures, and hope for the best.
[1] Active Cyber Defense Certainty Act, H.R. 4036, 115th Cong. (1st Sess. 2017).
[2] Active Cyber Defense Certainty Act, H.R. 3270, 116th Cong. (1st Sess. 2019).
[3] 18 U.S.C. § 1030.
[4] Id.
[5] See, e.g., Alexander Berengaut & Tarek Austin, Litigation Options for Post-Cyberattack ‘Active Defense,’ Law360 (Oct. 29, 2018), https://www.law360.com/articles/1093740/litigation-options-for-post-cyberattack-active-defense-.
[6] Comput. Crime & Intell. Prop. Section, U.S. Dep’t of Just., Best Practices for Victim Response and Reporting of Cyber Incidents 23 (2018), https://www.justice.gov/criminal-ccips/file/1096971/download.
[7] H.R. 3270 § 2(1).
[8] Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) (Jan. 5, 2021), https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure.
[9] Ben Kochman, US Officials Say Government Hack ‘Likely Russian in Origin,’ Law360 (Jan. 5, 2021), https://www.law360.com/articles/1341976/us-officials-say-government-hack-likely-russian-in-origin-.
[10] H.R. 3270 § 4.
[11] Hacking Back with the Active Cyber Defense Certainty Act, Acalvio (Sept. 15, 2020), https://www.acalvio.com/hacking-back-with-the-active-cyber-defense-certainty-act/#:~:text=%E2%80%A6also%20known%20as%20the%20Active,which%20subsequently%20died%20in%20committee.
[12] H.R. 3270 § 5.
[13] Peter G. Berris, Cong. Rsch. Serv., R46536, Cybercrime and the Law: Computer Fraud and Abuse Act (CFAA) and the 116th Congress 29 (2020).
[14] Press Release, Congressman Josh Gottheimer, Graves, Gottheimer Introduce the Active Cyber Defense Certainty Act (June 13, 2019), https://gottheimer.house.gov/news/documentsingle.aspx?DocumentID=1349.
[15] Berris, supra note 13, at 30.
[16] Comput. Crime & Intell. Prop. Section, supra note 6, at 23.
[17] See, e.g., Berengaut & Austin, supra note 5.
[18] Sara Sun Beale & Peter Berris, Hacking the Internet of Things: Vulnerabilities, Dangers, and Legal Responses, 16 Duke L. & Tech. Rev. 161, 191 (2017-2018).
[19] Josephine Wolff, When Companies Get Hacked, Should They Be Allowed to Hack Back?, The Atlantic (July 14, 2017), https://www.theatlantic.com/business/archive/2017/07/hacking-back-active-defense/533679/.
[20] Berris, supra note 13, at 29.
[21] Robert McMillan, Microsoft Hacked in Russia-Linked SolarWinds Cyberattack, Wall St. J. (Dec. 31, 2020), https://www.wsj.com/articles/microsoft-hacked-in-russia-linked-solarwinds-cyberattack-11609437601?tpl=cybersecurity.
[22] Id.