Note: Young Fella, If You’re Looking for Trouble I’ll Accommodate You: Deputizing Private Companies for the Use of Hackback
A computer operator sits in front of a computer screen, monitoring a tank of toxic chemicals. A series of computers control the tank’s physical hardware. All of a sudden, the lights in the control room fail, the computers go offline, and the computer operator yells, “[t]hey’re hitting one of our servers!” Hundreds of miles away, a team of hackers hired by Barney Advanced Domestic Chemical Co. (“BAD Company”) stare as lines of code scroll by on their laptops. BAD Company has just infiltrated and taken command of their business rival’s servers. With the click of a mouse, hackers from BAD Company order the toxic chemical tanks to overflow. Toxic chemicals seep out of the tanks and contaminate the surrounding countryside. The computer operators immediately call for a hazmat team. The exercise ends.
This episode was just a Department of Homeland Security (“DHS”) cybersecurity exercise, but it highlights a massive national security threat: the ability for malicious computer code to infiltrate computer systems, cripple critical infrastructure, and steal massive quantities of intellectual property. The United States National Counterintelligence Executive (“ONCIX”) noted that “[s]ensitive [U.S.] economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.” The loss of this technology has already cost the United States (“U.S.”) anywhere from $2 billion to $400 billion. Furthermore, the pace of U.S. data loss is increasing. Foreign intelligence services, private individuals, and foreign corporations have increased their efforts directed at stealing intellectual property, costing U.S. companies millions of dollars in development costs and tens or hundreds of millions of dollars in potential profits.
There is no doubt that these cyber threats pose a huge problem for both the U.S. government and U.S. companies. How, then, can we effectively prevent these threats? Should we pour more money into network defenses? Should we focus on attack response and recovery from the inevitable network penetration? Should we pursue an offensive doctrine that establishes a deterrent policy? Perhaps the best approach is a combination of all three?
Furthermore, who should prevent these intrusions? Should the U.S. government protect private networks, and does it have the legal ability to do so? Should U.S. companies shoulder the burden of protecting themselves? Do we want to empower companies to defend themselves outside their own perimeters? If so, how far does a company’s ability to defend itself extend?
These questions highlight a disturbing reality: many of the networks that control our electricity, water, financial systems, and other critical industries operate in a largely unregulated and unprotected cyberspace. In fact, cyberspace has drawn comparisons to the American Wild West; in both areas, black hat criminals have taken advantage of the lawlessness of their respective domains. To bring order to this chaos and tame the Wild West, private companies must have the ability to protect themselves in cyberspace. As such, this note advocates for a form of cyber self-defense called active defense. Active defense, colloquially known as “hackback,” is when a targeted entity uses a counter-cyberattack against an attacker’s system, thereby stopping the cyberattack in progress and discouraging future attacks.
Part I of this note will analyze the cyber threat that both the U.S. government and U.S. companies currently face. Part II will consider who is best suited to respond to these cyber threats—whether it is the private or the public sector—and what options each entity can pursue. Part III assesses how the law of self-defense applies in cyberspace, paying particular attention to both the benefits and drawbacks of hackback. Part IV transitions to a discussion of the Computer Fraud and Abuse Act (“CFAA”), the basic federal anti-hacking statute, and explains how the Department of Justice (“DOJ”) might view hackback. In doing so, I will propose a legal framework that allows companies to hackback under a deputy arrangement with the U.S. government, providing the benefits of hackback with the oversight of government regulation.
Zach West: Juris Doctor Candidate 2013, Syracuse University College of Law.
. Ellen Nakashima, Homeland Security Tries To Shore Up Nation’s Cyber Defenses, Wash. Post, Oct. 1, 2011, http://www.washingtonpost.com/world/national-security/homeland-security-tries-to-shore-up-nations-cyber-defenses/2011/09/27/gIQAtQ6bDL_story.html.
. Nakashima, supra note 2.
. Office Of The Nat’l Counterintelligence Exec., Foreign Spies Stealing US Econ. Secrets In Cyberspace, Report to Cong. on Foreign Econ. Collection and Industr. Espionage, 2009-2011, i (2011), available at http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf [hereinafter “Foreign Spies”].
. Id. at 4.
. Id. at 1.
. Gen. Michael V. Hayden, The Future of Things “Cyber”, 5 Strategic Stud. Q. 3, 5 (2011), www.au.af.mil/au/ssq/2011/spring/spring11.pdf.
. See Greg Y. Sato, Should Congress Regulate Cyberspace?, 20 Hastings Comm. & Ent L.J. 699, 709 (1998) (“the Internet is highly unregulated; cyberspace is not subject to any central control and operates without any supervision . . . Since there is no supervising or police-like authority which overlooks activity on the Internet, ‘anything goes’ in cyberspace”); see also In Praise of Chaos: Governments’ Attempts to Control the Internet Should be Resisted, Economist, Oct 1, 2011, available at http://www.economist.com/node/21531011 (“For something so central to the modern world, the internet is shambolically governed . . . It is in short a bit chaotic.”).
. Neal Katyal, Community Self-Help, 1 J.L. Econ. & Pol’y 33, 60 (2005).
. Alexander Melnitzky, Defending America Against Chinese Cyber Espionage Through the Use of Active Defenses, 20 Cardozo J. Int’l & Comp. L. 537, 538-40 (2012).
. See generally Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2006).