Hacking back - tempting, but is it legal?

By Sarah Pearce & Jane Elphick
18 Aug 2014

Protecting data is imperative, and it becomes more difficult as cyber attacks multiply. Hackers are becoming more efficient, while companies struggle to implement fundamental cyber-security measures. Unfortunately, things are not improving. Businesses and governments are becoming frustrated, and "hack back" is tempting and looking ever more attractive.

Fighting back

Techopedia describes "back hacking" or "hack-back" as a fundamental part of finding and deterring threats to cyber security. For the military, some consider it self-defence under Article 22 of the UN Responsibility of States for Internationally Wrongful Acts: "The wrongfulness of an act... is precluded if and to the extent that the act constitutes a countermeasure." US law enforcement has produced various examples of hacking back, such as the FBI raid on Megaupload in 2012.

In the UK, speculation has been rife about collaboration between the police and GCHQ in hacking back. Security firms fall loosely within this category and would seem to have some leeway to hack in order to disable malware and botnets.

Some governments have made attempts to legalise hack-back. In May 2013, the Dutch government proposed a law which granted law enforcement organisations the right to hack back. This was seen as controversial as it entailed spying on users, deleting data and extended to devices abroad. France has also proposed compulsory spyware on PCs and optional blacklist applications.

The US Department of Justice (DOJ) recently pushed to loosen the requirements for search warrants that allow investigators to hack into suspects' computers. Critics argue that this could lead to forum shopping by the government, reduced judicial oversight of cyber-crime investigations and a violation of the Fourth Amendment to the US Constitution. Still, the UK is not without ideas: the Bank of England will oversee a series of "ethical hacking" exercises against the computer systems of more than 20 major banks and financial players to assess their ability to withstand cyber terrorism and crime.

The risks of hack-back are significant. You could face retaliation or unintended consequences, such as damaging hijacked computers belonging to innocent individuals. Further, if, for example, a foreign government were to catch a US firm hacking back in violation of international law, it could request an Interpol arrest warrant for the company's CEO.

Private companies and hacking back

For a private firm, hacking back is not currently legal in the US or the EU. However, private entities are becoming impatient and hacking back is attracting forceful dialogue in Washington DC. Although placing malicious software on attackers' machines would violate anti-hacking laws, probing attackers' networks constitutes more of a grey area. Breaking into computers to recover stolen intellectual property is illegal, but mapping networks or planting disinformation could be a legal, effective diversion. A justification could be where personal safety is in jeopardy.

Private companies can also learn more about their attackers, and knowledge is power. Ninety-two per cent of all breaches are related to nine types of attacks and specific industries often face just two or three specific types of attacks. Identifying which attacks affect your industry allows you to form a game plan.

Ethical hacking

Not all hackers are baddies. The internet is a battleground between the "black hats", who try to infiltrate systems, and the "white hats", who bolster security systems and develop anti-virus software. Ethical hacking is a growing career, with several universities in the UK now offering it as a degree.

Hacking back is tempting, but just as illegal as the original attack. Currently, the best (and legal) ways to fight back are to comply with data security requirements, enforce security procedures (especially encryption), limit access to personal information, increase training and prioritise which data gets the most protection. It may also be worth encouraging ISPs to take further responsibility for the prevention of, and the response to, cyber attacks. Some companies also share information about cyber threats with the aim of strengthening protection.

In essence, businesses need to gain awareness, gather knowledge and develop a strategy for prevention and recovery – and they need to do it quickly.

Sarah Pearce and Jane Elphick are lawyers at law firm Edwards Wildman Palmer LLP
