The Hack Back Controversy

Kevin Townsend examines various sides of the Hack Back controversy

At the beginning of May 2013, the Dutch government proposed a new law that brought fresh impetus to an old idea: law enforcement’s right to hack back. “The controversial proposal”, said Dutch cyber rights organization Bits of Freedom, “doesn’t only allow the hacking of mobile phones and computers, it extends to spying on users and the deletion of data. It would also include devices which are located abroad. Furthermore, keeping your password secret from the police and fencing on the internet becomes, to a certain degree, punishable.”

This proposal has precedent. Three years ago the Dutch police took over Bredolab command-and-control (C&C) servers, and from there deposited a warning notice on the infected PCs that had phoned home to the servers. One of the notices was in English, suggesting that the police were aware they were interfering with PCs outside of the Netherlands. At the time, Yaman Akdeniz (a former associate professor at the School of Law at Leeds University and now professor of law at Istanbul University) commented, “There is no ‘good hacker’ or ‘ethical hacker’ defence built into the Computer Misuse Act 1990, nor into the provisions of the Council of Europe CyberCrime Convention, for example. So, whatever their intentions are, the access by the Dutch Police into the infected PCs of computer users would be unauthorised in the UK.”

Defense by Offense

Other precedents in Europe include the French proposals linked to HADOPI (copyright infringement laws) that have proposed both compulsory spyware on all PCs and optional blacklist applications. In the UK, users are already compelled to hand over encryption keys, on demand, to the police. Failure to do so can lead, and has led, to prison sentences. It is common practice throughout much of the world for both law enforcement and anti-malware companies to take over any C&C malware servers they can locate.

The concept of hack back – although not new – was rapidly taken up in the US following news of the Dutch proposal. The IP Commission Report on the theft of American intellectual property, also published in May 2013, suggested an area for future consideration would be to “recommend that Congress and the administration authorize aggressive cyber actions against cyber IP thieves”. Two major US companies, McAfee and Symantec, both issued qualified support for discussions on hack back in Europe.

More recently Gen. Michael Hayden, former director of both the NSA and CIA, told Quartz magazine, “I’m not yet convinced that the private sector reducing the threat, i.e. disabling the threat, is a good idea. But it’s certainly an idea that’s circulating out there... And so much advantage goes to the offense that playing strictly defense, you’re always disadvantaged.”

"So much advantage goes to the offense that playing strictly defense, you're always disadvantaged"
Gen. Michael Hayden

Hayden pointed to Stewart Baker (former general counsel to the NSA), who has a long history of advocating, or at least supporting, the concept of hacking back. In June 2012, in a blog post titled ‘Defending networks by taking the offense’, Stewart commented, “We’ll never deter such attacks until we deter the attackers, which means identifying them and then doing things that hurt them.”

That’s not to say that Stewart doesn’t recognize the problems. In the same post he says, “A graduate of [the Justice Department’s] computer crime section once shut down a discussion on this topic by saying, ‘What if you followed the hacker back to a hospital network, and in trying to catch him you shut down computers in the intensive care unit? That’s a felony murder rap’”. Remember that hypothesis, because it crops up again later.

The big difference between the European attitude toward hacking back and the US attitude seems to be that Europe is considering the concept for law enforcement, while the US is considering it for private companies.

Hacking Back Entities

There are three groups that might involve themselves in hacking back: the military (including intelligence agencies), law enforcement and private companies. It’s worth trying to understand where we are with each.

Military

It’s fairly clear that the military, everywhere, has the right to strike back – article 22 of the UN Responsibility of States for Internationally Wrongful Acts more or less says so: “The wrongfulness of an act… is precluded if and to the extent that the act constitutes a countermeasure.”

Nicholas Böhm, general counsel to the internet think-tank, the Foundation for Information Policy Research, puts it more simply: for the military “I would think the right of self-defense covers hacking back.”

Furthermore, if the military is already engaged in purely offensive cyber-attacks (consider Stuxnet and Edward Snowden’s revelations of NSA hacking), then there is little doubt that it has the right and capability to engage in aggressive but defensive countermeasures.

At this point it is also worth considering Nicky Hager’s seminal study, ‘Secret Power’ – an early work on the Echelon spy coalition that is now better known as the Five Eyes (US, UK, New Zealand, Australia and Canada).

Law Enforcement

Questioning US law enforcement’s right to hack back is irrelevant – it actively does so already. In the US, the FBI and NSA collaborate and share information (consider the FBI raid on Megaupload in New Zealand, probably using information gathered by the Five Eyes intelligence agencies).

In the UK it is known that SOCA (police) and GCHQ (spies) collaborate, and that GCHQ taps the fiber connections that run from the UK to North America. Furthermore, many law enforcement agencies are known to use their own spyware trojans: the FBI has CIPAV, the Germans have the Bundestrojaner discovered by the Chaos Computer Club, and other police forces, intelligence agencies and just plain criminals use the Finfisher spyware developed in the UK.

Adrian Culley, a former Scotland Yard detective and now a consultant with Damballa, says, “Law enforcement stepping into this arena for investigation purposes would be lawful if undertaken with appropriate RIPA authorities within the UK. Covert computer investigation has been taking place under that legislative and regulatory framework for some time, and is subject to independent oversight by the RIPA commissioners, separate to ministerial/judicial/senior official authorizations.”

Something similar, of course, happens in the US under the Patriot Act with authorizations from the FISA court.

Private Companies

This is where the concept of hacking back becomes more contentious. Security firms already do so for the purposes of taking down or disabling malware and botnets. Some private individuals also hack back – for example, the so-called hacktivist for good known as Jester and the whole Anonymous collective hack back, with greater or lesser acceptance from different parts of the community.

But private firms hacking back against criminals that are hacking them is a different matter. It is currently not legal in either the US or the EU, and it is reminiscent of vigilantism. Vigilantism is largely frowned upon by law enforcement; but there are controlled versions of it in the US with the old concept of posses and the more modern use of the National Guard. Neither of these concepts is widely understood in Europe – where even traffic wardens are thought to have and wield too much power. This probably explains the differing degree of acceptance, at least for the idea, of private hack back between the US and Europe.

Circumspect Ethics

It would be no exaggeration to say that hacking back generates some strong negative emotions, especially in Europe. Legal expert Nicholas Böhm takes a measured view: “There is a common-law right to use self-help, typically by using no more than reasonable force to remove from your land a trespasser who will not leave when asked. In this context this seems a rather limited recourse, because it’s hard to see it extending (by analogy) to breaking into a burglar’s premises to recover stolen property.”

Adrian Culley, with the experiences of a policeman, is more forthright: “The morals and ethics of a company [hacking back] are somewhat circumspect. To ‘hack back’ implies you’ve been hacked. If you didn’t have the skill to prevent yourself being hacked, what level of confidence is there that you have the appropriate skills, knowledge and expertise to ‘hack back’? Notwithstanding, crime is crime, and on what legislative basis would any such action be undertaken?”

Ross Anderson, professor of security engineering at Cambridge University, takes a practical view. Consider the ‘felony murder rap’ mentioned earlier. “One of the first big DDoS [distributed denial-of-service] attacks was against the Panix ISP in New York fifteen years ago”, explains Anderson, “and the bots were mostly in hospitals.” FDA rules required that clinical equipment containing computers should not be patched. “As a result”, he said, “there were lots of Berkeley Unix machines with known trivial vulnerabilities that were embedded in hospital equipment, such as scintillation counters in haematology departments. Do you really want to flatten such a machine, even in your own country, let alone in someone else’s? Suppose your hack back kills someone in a country like Iran or Venezuela, that isn’t so easily pushed around by our diplomats – and the locals simply throw a UK citizen in jail for revenge and demand ten million in blood money as a ransom?”

An Atlantic-sized Difference of Opinion

Hacking back has been debated for many years – and will continue to be vigorously discussed for years to come. It is already lawful for the military, the intelligence agencies and law enforcement. But it is illegal in both the US and the EU for private companies and individuals. That doesn’t mean that hacking back doesn’t happen, but that it probably requires at least the acquiescence of law enforcement. Anti-malware companies clearly hack back at malware authors. Jester also breaks the law; and had the FBI expended the same energy against him as they did against LulzSec, he would be behind bars by now.

Nevertheless, the concept of hacking back is almost certainly more acceptable to North Americans than it is to Europeans. If you have a burglar on your property who doesn’t leave when challenged in the US, you can probably choose your own degree of force. If you do the same in the UK, and hurt the burglar in the process of ejecting him, you are quite likely to be prosecuted for assault. A similar difference appears to be present in attitudes toward hacking back.

The European attitude can be fairly summarized by Anderson: “You really don’t want to go there.” The US attitude to hacking back can be summarized by Stewart’s comment: in order to stop the hackers, we need to be “doing things that hurt them.”
