The hack-back vs. the rule of law: Who wins?
When considering retaliation against cyber criminals, make sure the rule of law trumps the immediate gratification of doing unto others.
Cyberspace has often been compared to the Wild West, where six-gun law and posse justice prevailed against rustlers and claim jumpers. But beware of calls for vigilante justice for cyber criminals.
The concept of protecting yourself assertively online is not new. The active defense company CrowdStrike advocates strategies with “flexibility of response actions,” including “deception, containment, tying up adversary resources and creating doubt and confusion while denying them the benefits of their operations.”
The subject has gained new visibility lately with the publication of a report from an independent Commission on the Theft of American Intellectual Property.
The commissioners, who include former high-level intelligence, defense and diplomatic officials, offer a balanced set of recommendations to address the problem of intellectual property theft, which they say could be costing our economy hundreds of billions of dollars annually.
The key is raising the cost for the thieves, they say. “IP theft needs to have consequences, with costs sufficiently high that state and corporate behavior and attitudes that support such theft are fundamentally changed.” Their recommendations include making IP theft a national security issue and strengthening law enforcement and other legal responses; strengthening government acquisition requirements and supply chain security; promoting the rule of law; strengthening diplomatic efforts; and improving cybersecurity.
But what gets attention in the 100-page report is the comment that, “without damaging the intruder’s own network, companies that experience cyber theft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information.” And, “both technology and law must be developed to implement a range of more aggressive measures that identify and penalize illegal intruders into proprietary networks, but do not cause damage to third parties.”
Hardly a call to vigilante justice. But the Center for Strategic and International Studies’ James A. Lewis offers a warning about taking private retaliation too far. “This is a remarkably bad idea that would harm the national interest,” he says in a recent commentary.
Lewis is a strong advocate for global norms of behavior in cyberspace and use of diplomacy to address international issues. Patience is a safer and more practical way to effect change than direct action, he says. For government to allow private retaliation through means that otherwise would be illegal would undercut U.S. efforts to foster international norms and respect for the rule of law. As a practical matter, it could expose U.S. citizens to prosecution under foreign and international law, and there could be other — possibly more embarrassing — consequences.
“In a contest over who can go further in violating the law, despite the bluster of some in the high-tech community, private citizens are no match for the Russian mafia, the Russian Federal Security Service or the People’s Liberation Army in China,” Lewis writes. “This is not a contest American companies can win.”
In the face of increasing cyber threats, there is an understandable pent-up desire for an active response, but this response should not cross legal thresholds. In the end, we either have the rule of law or we don’t. That others do not respect this rule does not excuse us from observing it. Admittedly, this puts public- and private-sector organizations and individuals at a short-term disadvantage while correcting the situation, but it’s a pill we will have to swallow.