Sunday, April 14, 2013

CFAA: Protector or Obstructor of Privacy?


The Computer Fraud and Abuse Act prohibits “intentionally access[ing] a computer without authorization.” The law has been turned on its head to support overreaching prosecutions by the U.S. Department of Justice in cases involving violations of terms of use agreements and, quite recently, a case that led to the highly publicized suicide of Aaron Swartz.

But it’s done little for the New York Times, the Washington Post, Twitter, and Apple, all of whom have been the victims of high profile hacking attempts this year. The CFAA and relevant international law haven’t done much to protect against hackers in China, and according to technology lawyer Stewart Baker, “our government seems unwilling or unable to stop the attacks or identify the attackers.”

The government’s failure to protect has led to a debate about private victims taking a proactive approach to their cyber-security efforts: “hacking back” (also referred to as “backhacking”). Hacking back doesn’t necessarily mean destructive retaliatory measures; it could also include attempts at intelligence gathering, such as the recent success of two private cyber-security entities in Luxembourg that uncovered the inner workings of a Chinese hacker group’s network. 

Baker says “[t]he same security weaknesses that bedevil our networks can be found on the systems used by our attackers. . . . [In other words:] ‘Our security sucks. But so does theirs.’ ” Since the government isn’t taking advantage of exploiting hacker networks to vindicate and protect private security and privacy interests, some private entities want to take matters into their own hands. Unfortunately, the Justice Department thinks hacking back may be just as illegal under CFAA as the attacks that prompt it.  

Backhacking could be viewed as an active defensive tactic. Like using a private investigator, backhacking could be used to determine not only the identities of hackers, but to analyze their methods and learn more about how to stop them, as the Luxembourg groups’ hackback demonstrates. But others take a different view, such as Orin Kerr, who finds an analogy in traditional property law: you don’t have a right to break into your neighbor’s house to take back something she took from you. 

Should CFAA protect the privacy of hackers from the “active defensive tactics” of private entities? If not, what limits should be set? Among the various ways to immunize hackbacks by amending the CFAA, which would work best (e.g., a specific intent requirement, affirmative defense, etc.)? Would a push for a governmental approach to cyber-security law enforcement more responsive to private victims be more appropriate? 

Given that the threat identified in the hackback example above is suspected to be a Chinese military unit, maybe the vindication of cyber security and privacy should take a back seat to foreign policy. And maybe the U.S. Government is engaging the Chinese cyber threat in ways that implicate stakes much greater than those of the blueprints for the iPhone 8 Nano or your App Store purchase history.

Read more:
Detailed report on debate at BNA—Bloomberg
Luxembourg Hackback Story—Stewart Baker at Volokh.com
Luxembourg Groups' Report (for the tech savvy)—Malware.lu
Hackback Debates—Orin Kerr, Stewart Baker, and Eugene Volokh at Steptoe Cyber Blog
Mandiant's Report on the APT1 hacker group—Mandiant
