How far should organizations be able to go to defend against cyberattacks?

Faced with this scale of loss, some companies want to step up their defenses. Firms with sophisticated technology systems know what’s needed to protect their customers, networks and valuable trade secrets. They also likely have employees with the skills to track down hackers and penetrate the attackers’ own systems. But the ethics and implications of justifying a cyberattack as defensive get very complicated very quickly.

It’s often unclear, for example, exactly who is behind an attack – uncertainty that can last for days, months or even years. So who should the hack-back target? What if a privately owned U.S. company believed that it was under attack from a firm owned by the Chinese government? If it hacked back, would that be an act of war between the countries? What should happen to repair corporate and international relations if the company was wrong and its attacker was somewhere else? Companies shouldn’t be empowered to start global cyber conflicts that could have dire consequences, both online and offline.

Of course, it’s also important to think about what might happen if other countries allow their companies to hack back against U.S. government or corporate efforts. More U.S. firms could fall victim to cyberattacks as a result, and might find little legal recourse.

Engaging with the law
At the moment, hacking back is illegal, in the U.S. and in many nations around the world. In the U.S., the Computer Fraud and Abuse Act makes it a crime to access another computer without authorization. Every member of the G-7, including the U.S., as well as Thailand and Australia, has banned hacking back. In 2018, more than 50 countries – but not the U.S. – signed an agreement that private firms based in their nations are not allowed to hack back.

However, supporters of active defensive tactics are pushing their message hard. The Republican Party’s 2016 presidential platform promised to ensure “users have a self-defense right to deal with hackers as they see fit.” In March 2018, the Georgia state legislature passed a bill to permit “active defense measures that are designed to prevent or detect unauthorized computer access.” Two months later, then-Gov. Nathan Deal vetoed it, at the urging of technology firms concerned about its “national security implications and other potential ramifications.”

Had it become law, Georgia’s bill would still likely have run afoul of federal law. However, lawmakers in Washington have also proposed letting companies engage in certain types of active defense. In 2017, U.S. Rep. Tom Graves, a Georgia Republican, proposed the Active Cyber Defense Certainty Act, which would let companies engage in certain active defense measures, including conducting surveillance on prospective attackers, provided that the firm informed the FBI first and that the action did not threaten “public health or safety.” The bill died and has not yet been reintroduced; it’s not likely to get far in the new Democratic House.

Active defense remains illegal in the U.S. and much of the world. But the bans are not being enforced at home or abroad.

Going global
Not every country has banned hacking back. Singapore, for example, has been permitting local firms to engage in active defense measures in an effort to prevent, detect, or counter specific threats to its critical infrastructure, including the financial industry. Other nations, such as France, do not wish to see the private sector out front, but are still keen to keep active defense as an option for governments.

The more countries allow active defense, the more likely everyone – in the U.S. and around the world – is to become a cyberattack victim. Instead of deterring attacks, aggressive active defense increases the possibility of the lights going out, or American voting machines returning inaccurate results.

Organizations can and should be encouraged to take passive defense measures, like gathering intelligence on potential attackers and reporting intrusions. But in my view they should be discouraged – if not prevented – from acting aggressively, because of the risk of destabilizing corporate and international relations. If the quest for cyber peace degenerates into a tit-for-tat battle of digital vigilantism, global insecurity will be greater, not less.

Scott Shackelford is Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University. This article is published courtesy of The Conversation.