A 2012 study claims cyber attacks have increased over 200 percent since 2012, resulting in an increased cost of $2.4 million per year to organizations. However, the security risks are not isolated to the victims of cyber attacks. Studies that reverse engineered common methods and programs used by hackers for cyber attacks discovered that this process creates security holes which make the hacker’s computer susceptible to counter hacking by the victim, or “hack-backs.” This possibility has led to debate over whether hack-backs are legally differentiable from the initial hacks, and how the Computer Fraud and Abuse Act (“CFAA”) should be interpreted in this context. However, because the CFAA is intended to erect a barrier between nonpublic computers, it is unlikely that either Congress or the courts would support a vigilante system such as hack-backs.
Some policy experts argue that a company’s interest in protecting its property should be the controlling factor, noting that government involvement may require detrimental delays. Hack-backs are likely to be most effective when the hacker is still on-line, connected to the victim’s network or machine. Private entities would have a better ability to respond quickly, without having to wait for the government to be notified and respond. Victims would be able to access the hacker’s system and, at the least, acquire vital information which will assist the government in an investigation.
Legally, however, these policy arguments encounter a yet-to-be-litigated area of the law. The Justice Department Manual on Computer Crime specifically warns against companies “‘hacking back’ into the attacker’s computer—even if such measures could in theory be characterized as ‘defensive’,” but does not state that this activity is actually illegal. Additionally, the CFAA, 18 USC § 1030, which would be the basis for any prosecution against anyone engaged in hacking or hack-backs, revolves around the arguably vague concept of authorization.
Proponents of the legality of hack-backs focus on the protection of corporate interest and property by reading the CFAA to protect data and to allow the hacker to control authorization. They present three main arguments. First, under the CFAA, a corporation has the authorization to modify any part of its own network, including any software installed by a third party. Second, the hacker, by accessing a nonpublic computer through exploitable software, has given authorization to the victim to allow the extraction of information from that hacker’s nonpublic computer. Finally, there should not be a presumption that the computer being subjected to the hack-back is an innocent third party because the risk of harm to the third party is low and there is a lack of substantive studies that demonstrate the use of innocent third-party machines by malicious hackers.
The CFAA, however, simply bans access to a third-party machine without authorization. Much like a physical trespass statute, the CFAA erects a legal wall between the properties of separate entities, and prevents someone from entering onto the property of another. The intent is to protect the privacy interest in the nonpublic computer, and not the data on the computer. Allowing victims to conduct legal hack-backs on computers would create a vigilante system where a suspicion of unauthorized access to a nonpublic computer would allow for legal access and control of that suspect nonpublic computer. A legal exception for hack-backs would allow copyright owners to access the nonpublic computer that they believe possesses illicit copies of the copyrighted data for the collection of tracking information and file contents. Additionally, identifying the source of intrusion is difficult, and allowing hack-backs when an unauthorized access has been made may expose a large number of innocent third parties to intrusion.
The purpose of the CFAA is to erect a barrier to prevent unauthorized intrusion into nonpublic computers. It is unlikely Congress, or the courts, would support a reading of the CFAA to allow hack-backs on the suspicion of unauthorized access, or for the initial hacking to constitute authorization, because of the high potential to expose a large number of innocent parties to unauthorized access. Consequently, legally, hack-backs are unlikely to be viewed any differently than the initial hack, and the practice of hack-backs would likely expose the victims of hacking to liability under the CFAA.