EU may consider 'hack-back' legislation

Brussels is considering holding discussions on the merits of giving law enforcement more power to breach suspected criminal systems across the EU

Legislation [PDF] has already been introduced to the Dutch Parliament that seeks to implement this approach, along with a provision that allows for police to “hack back” at bad actors in foreign nations too. In addition, it could allow police to force suspects – outside of a court order – to decrypt data when asked.

Unsurprisingly, not everyone is enamored with the proposed expansion of police power, which raises the specter of widespread privacy violations among private citizens. But in the wake of the Netherlands’ discussions, TechWeek Europe reported that Brussels is considering holding discussions on the merits of giving law enforcement more power to breach suspected criminal systems across the EU, with the aim of fostering a standardized set of guidelines and regulations to govern hacking back.

Some think that’s a good idea. “European-wide coordination of legislation is going to be critical,” Darren Thompson, CTO of Symantec, told TechWeek. “The tensions and heat that could be generated by the likes of the Netherlands running at a different speed to everyone else could cause political conflict at the very least.”

Others, however, think the concept amounts to overreach.

“Legislators should walk before they can run,” John Yeo, EMEA director at Trustwave, told Infosecurity. “Given the patchwork state of cybersecurity laws, modernization is certainly required. Legalizing hacking back might be something to look at once the fundamentals are addressed such as updating computer misuse acts, but we're a long way off having the maturity of legal frameworks to realistically contemplate hacking back laws.”

Aside from the overall lack of security fundamentals in place, Yeo warned against unintended consequences.

“Hackers often pivot their attacks through organizations that have themselves been compromised and do not realize [it], [so] would it be ok for law enforcement to hack those systems too?” he pondered. “Also, how would it work in practice when the systems are overseas? Typically, cross-border law enforcement involves cooperation with the in-territory law enforcement agency – without that, strange scenarios arise, such as the law enforcement agency in one country ending up breaking the law in another.”

The hack-back idea has precedent, sort of. In the UK, the proposed Communications Data Bill, now on legislative life support, would have given police the authority to tap IP addresses of suspected criminals. Actual hacking of systems, however, was not part of the debate.

“It strikes me that non-experts thought it would make sense, but right now it really doesn't,” said Yeo.
