technopolity

hacking back


for a list of resources on this topic, see the technology policy bibliography 

 

By Marko Horvat

 

I. Social Significance and Background of Hacking Back

The internet has provided individuals and business entities nearly limitless opportunities to connect, inform, and interact in a way that has completely revolutionized the way people live their daily lives. While the vast majority of internet users are online for a benign purpose, a malicious few use the internet to harass or attack others. Some hackers actively try to steal information or disrupt an entity's activities for personal gain, while others are merely bored and do so for amusement. Naturally, in response to this sort of threat, legitimate internet users finding themselves under attack look for countermeasures to these attacks.

The primary mode of defense employed by entities with data they wish to protect is the so-called firewall method, which essentially consists of building increasingly complex passive defenses to try to prevent a hacker from ever entering a network.[1] Network administrators will typically employ one or more hardware or software solutions to filter legitimate queries from unauthorized attempts to access the network. Essentially, the network is defended by a wall, with a few select entry points (ports) that allow access. Unfortunately, hackers are continually inventing new methods of attack that circumvent existing firewalls. Much as the cannon rendered the castle obsolete, as hackers develop new techniques administrators must struggle to keep pace. Furthermore, administrators often discover a breach only as hackers exploit it, meaning that the typical defense model is most effective at preventing future attacks of a known type, not at preemptively stopping all attacks. Administrators are further hampered by one fundamental vulnerability they can never remove: uneducated users. A single user's account being compromised, typically by a Trojan, can allow a hacker to bypass the firewall entirely. A final problem with this defensive structure is the inadequacy of traditional law enforcement in dealing with information attacks. The US Criminal Code prescribes a "fine under this title or imprisonment for not more than ten years, or both,"[2] but because of the ease of obscuring one's identity on the internet, coupled with the internet's international nature, this rarely serves as a deterrent. Hackers can attack anonymously from countries without computer intrusion laws, putting the typical legal remedy out of reach. Furthermore, investigations take time, while a worm or virus can propagate extremely quickly.[3] Hence, for many reasons, the conventional firewall approach to information security is difficult to sustain and of limited effectiveness.

The shortcomings of the conventional approach have led network operators to consider a different form of response, dubbed hacking back or counter-hacking. Essentially, administrators, rather than simply trying to close the gaps in a firewall defensive structure, will either actively attempt to disable attacking systems or merely implement a traceback program aiming to ascertain the origin of an attack, depending on the nature of the attack.[4] For example, against a Distributed Denial of Service (DDoS) attack, where a large number of machines attempt to overload a server's capacity to handle requests,[5] a counter-hacker would attempt to disable the attacking machines by reflecting the requests back to the network from which they appear to originate. In the case of the unauthorized distribution of copyrighted material, the copyright owner would try to disable the distribution mechanism by distributing a piece of malicious software masquerading as a desirable file. The Recording Industry Association of America (RIAA) has repeatedly considered developing such a "hydra," a worm that spreads in a variety of ways, to shut down popular peer-to-peer networks,[6] and a bill has been introduced by Rep. Howard Berman to explicitly allow copyright holders to actively defend their intellectual property on peer-to-peer networks.[7] In cases where an offline enforcement system exists, such as within a university network, even a relatively simple traceback can be used to find out which users are violating the terms of use, after which a conventional method of conflict resolution (a warning or disciplinary action) can be applied.[8] Finally, in the case of a worm propagating itself by capitalizing on vulnerabilities that have already been patched, counter-hacking can even deliver 'vaccination' code to neutralize the worm.
In the case of the Fizzer@MM e-mail virus, after infecting a computer the virus was coded to connect to an Internet Relay Chat (IRC) channel to look for updates to its code. The channel was first shut down, and then code was written to remove the virus from an infected machine. The channel was then reactivated, so that once the Fizzer virus connected to it, the virus received updated code ordering it to delete itself.[9] In this way, users who were infected with the virus often never noticed the infection, as it was disabled so quickly. Unfortunately, because of the legal ambiguity concerning counter-hacking, the channel operators took the 'vaccination' channel offline, meaning that users would have to eliminate the virus on their own.

The legal ambiguity surrounding counter-hacking thus illustrates the need to develop a legal framework for the issue. The decision facing policymakers will have significant and far-reaching ramifications for the future of data security. A properly established set of guidelines, coupled with the existing law enforcement option for dealing with computer intrusion, would lead to a more secure data environment, allowing targets to strike back at previously untouchable hackers. Applied with reckless abandon, however, counter-hacking could end up disabling the machines of countless innocent bystanders, essentially doing malicious hackers' jobs for them. Numerous organizations, from private corporations to the US Department of Defense, have engaged in counter-hacking, with a 1999 Warroom Research study reporting that 32% of 320 surveyed Fortune 500 companies had implemented counter-offensive software.[10]

             

II. Conflicting Positions: Economic and Deontological

The economic debate on hacking back centers on the extent to which economic damages are averted or exacerbated by hacking back. The debate is thus primarily a factual one. Proponents of counter-hacking argue that the economic losses caused by hacker attacks are greatly mitigated by implementing a counter-hacking defensive strategy rather than a passive one, for a number of reasons. Firstly, an active response can nearly instantaneously neutralize an attacking threat. A worm like Nimda can consume a company's bandwidth, causing that company to incur significant costs even if the company's own network is secure, simply because infected machines outside the network continually bombard the company's servers with GET requests. Instead of being forced to endure continually increasing costs from virus-hijacked machines, a quick counterstrike can be used to neutralize the offending machine while leaving its file structure intact for forensic investigation and without radically disrupting its operation.[11] The judicious application of reasonable force can stop an attack where a firm has no legal ability to seek damages. Instead of being forced to accept an economically damaging degradation of services while waiting on a law enforcement apparatus that is inherently handicapped by the international nature of the internet, companies can quickly and efficiently neutralize the threat.[12] For many companies even the slightest perception of instability caused by a website being offline can prove disastrous, with costs spiraling into the millions.
64% of 538 security experts surveyed by the FBI reported significant economic losses due to data security breaches, with 186 of the respondents reporting a total combined loss of $378 million.[13] With losses so large and conventional enforcement so handicapped, active-response proponents argue, many companies have no choice but to implement active countermeasures to stem the monetary losses.

The economic counterargument centers on the fact that indiscriminate, excessive retaliation can cause more economic harm than good, for two reasons in particular: hackers can turn a preprogrammed hack-back response against its owner, and by engaging in hacking back an entity opens itself to tremendous legal liability. As previously discussed, tracing an attack back to its true originator is rarely an easy task. Over the internet, it is not particularly difficult to obscure the origin of an attack through a variety of technical methods such as IP address spoofing. In an attempt to disrupt an organization's operations, a hacker could exploit its hack-back protocols by making his intrusion appear to come from another organization, or indeed from a computer within the organization's own network, causing automated hack-back protocols to attack an innocent target.[14] Indeed, the apparent perpetrators of DDoS attacks are often machines with innocent if negligent users, hijacked by viruses. A hack-back doctrine that disables these machines certainly causes significant economic harm, which may well equal the harm caused by the initial attack. Existing law enforcement channels, by contrast, cause far less wanton economic harm even if they are slow to catch cyber-criminals. Of even greater economic concern, particularly to any company considering implementing a hack-back defensive doctrine, is the liability that the company assumes once it actively hacks another computer. Presently there is no legal safe harbor for active counter-hacking with the intent of disabling another machine, and thus any company whose information-security team disables another computer can find itself both civilly and criminally liable.
Indeed, if a counter-hack protocol disabled a number of 'innocent' machines, or even infected machines operated by innocent users, under US law the company could expose itself to a truly staggering class-action lawsuit.[15] Traceback responses, of course, eliminate this legal exposure, but they are difficult and do not immediately eliminate the threat, thus rendering much of the original economic case for hacking back moot. Economically, therefore, both for society and for individual firms, hacking back bears a very real cost.
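The spoofing problem described above is easy to see in code. The following Python is an added example, not part of the original essay nor code from any organization it mentions; the flow records, the "handshake" field (standing in for a sensor's observation that the defender's SYN-ACK was answered by an ACK from that source) and the 10.0.0.0/8 "own network" are all constructed assumptions. It contrasts a reflex policy that keys on the apparent source address with a triage that refuses to act on any source it cannot verify:

```python
from ipaddress import ip_address, ip_network

# Constructed flow summaries, standing in for what a flow sensor at the
# defender's edge would report during an attack. "handshake" records whether
# the sensor saw the defender's SYN-ACK answered by an ACK from this source:
# a spoofed SYN flood never completes the handshake, because the SYN-ACK is
# sent to the forged address, not to the real sender.
SAMPLE_FLOWS = [
    # SYN flood whose forged source is a partner organization's server
    {"src": "203.0.113.10", "proto": "tcp", "handshake": False, "packets": 50_000},
    # UDP flood: no handshake exists, so the source field proves nothing
    {"src": "198.51.100.7", "proto": "udp", "handshake": False, "packets": 30_000},
    # HTTP GET flood from two hijacked home PCs: handshakes complete
    {"src": "192.0.2.55", "proto": "tcp", "handshake": True, "packets": 12_000},
    {"src": "192.0.2.56", "proto": "tcp", "handshake": True, "packets": 9_500},
    # SYN flood forged to look like it comes from inside the defender's LAN
    {"src": "10.0.0.20", "proto": "tcp", "handshake": False, "packets": 40_000},
    # an ordinary client, below any flood threshold
    {"src": "192.0.2.200", "proto": "tcp", "handshake": True, "packets": 40},
]

# Assumed address space of the defending organization (hypothetical).
DEFAULT_OWN_NETWORKS = ("10.0.0.0/8",)


def naive_strike_list(flows, threshold=1_000):
    """The 'reflect it back at the source' policy: every address that sent
    more than `threshold` packets is treated as an attacker. Returns the
    apparent sources in descending packet order."""
    heavy = [f for f in flows if f["packets"] > threshold]
    return [f["src"] for f in sorted(heavy, key=lambda f: -f["packets"])]


def triage_sources(flows, threshold=1_000, own_networks=DEFAULT_OWN_NETWORKS):
    """Sort heavy senders into buckets an automated response must respect.

    internal:     apparent source inside our own ranges; a forged address
                  that would make a reflex response hit our own hosts.
    unverifiable: UDP, or TCP without a completed handshake; the source
                  address could be anyone's and must not be acted on.
    confirmed:    completed TCP handshakes, so the packets really came from
                  that host; still very likely a hijacked machine, so the
                  only safe automated output is a traceback report.
    """
    own = [ip_network(n) for n in own_networks]
    buckets = {"internal": [], "unverifiable": [], "confirmed": []}
    for f in sorted(flows, key=lambda f: -f["packets"]):
        if f["packets"] <= threshold:
            continue
        src = ip_address(f["src"])
        if any(src in net for net in own):
            buckets["internal"].append(f["src"])
        elif f["proto"] != "tcp" or not f["handshake"]:
            buckets["unverifiable"].append(f["src"])
        else:
            buckets["confirmed"].append(f["src"])
    return buckets


def traceback_report(flows, **kwargs):
    """What a conservative, traceback-only response produces: the confirmed
    sources for an abuse complaint to their upstream, plus a count of the
    apparent sources it refused to act on because they may be forged."""
    b = triage_sources(flows, **kwargs)
    return {
        "report_to_upstream": b["confirmed"],
        "withheld_spoofable": len(b["unverifiable"]) + len(b["internal"]),
    }


if __name__ == "__main__":
    print("naive strike list:", naive_strike_list(SAMPLE_FLOWS))
    print("triage:", triage_sources(SAMPLE_FLOWS))
    print("report:", traceback_report(SAMPLE_FLOWS))
```

Run against the constructed flows, the naive list leads with the two forged addresses (the partner's server and the defender's own 10.0.0.20), exactly the targets a hostile party would want an automated hack-back to strike. The triage withholds those and hands only the handshake-confirmed hosts to a traceback or abuse report, which still matters: those hosts are most likely hijacked bots rather than the attacker, so even a verified source is not a safe target for disabling.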

 

Morally and socially, the debate is similarly split. Counter-hack proponents believe that there is an inherent right to reasonable self-defense. The typical set of conditions is essentially the 'just war' doctrine, namely that "(1) there is grave damage (greater than the damage that might result from the action) that will be inflicted to the defender unless it counter-strikes, (2) there is a serious prospect of success, and (3) other means for stopping the evil are either impractical or ineffective."[16] If those conditions are met, from a consequentialist viewpoint counter-hacking is clearly the socially optimal solution to the problem. There is the further justification of deterrence: if hackers believe they will suffer real consequences for hacking into secured systems, they are far more likely to refrain from hacking at all. Thus no resources are expended on investigations and prosecutions, and the would-be hacker can do something productive with his time.

 

The moral and social argument against counter-hacking has two facets: it encompasses both a traditional repudiation of vigilantism and a question of equity. The argument against vigilantism as it applies in cyberspace is quite similar to the standard argument against it: the concept of due process is fundamental to Western society, and it is undermined by a vigilante dispensing justice on the basis of a simple whim. In the case of counter-hacking in particular, consider the owner of a machine hijacked by malicious code, who would suffer significant damages if counter-hackers were to attack his machine in an attempt to neutralize it. Does this innocent user deserve to suffer potentially serious harm because of the actions of his machine, hijacked by a malicious hacker against the user's will? The second fundamental moral argument against counter-hacking is that of equity. Also fundamental to Western society is the notion of equal protection for all citizens under the law, codified in the 14th Amendment to the Constitution of the United States.[17] If counter-hacking is legalized, and indeed becomes the primary method of cyberspace defense, information security becomes a question of the resources an entity is willing to divert to it. Naturally, large corporations will be better able to defend themselves, leaving hackers to prey on small businesses and individual users. Even if counter-hacking were allowed merely to supplement traditional law-enforcement methods, it is plausible that law enforcement would have less incentive to catch hackers, knowing that counter-hacking protocols are doing their job for them.

 

III. Implicated Legal Issues and Law on Point

There is no statute explicitly allowing or forbidding counter-hacking. The statute under which prosecution of counter-hackers is most likely to arise is the Computer Fraud and Abuse Act, which states that:

 

Whoever ... (A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and (B) by conduct described in clauses (i), (ii), or (iii) of subparagraph (A), caused (or in the case of an attempted offense, would, if completed, have caused) - (i) loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value; (ii) the modification or impairment, or potential modification or impairment, of the examination, diagnosis, treatment, or care of 1 or more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; or (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security ... shall be punished as provided in subsection (c) of this section.[18]

Under this statute, it appears that a counter-hacker who causes sufficient damage could be found criminally responsible. No statute or case law permits organizations to actively disable computers that are attacking them, but neither has there been an attempted prosecution of a corporation or individual for counter-hacking. Furthermore, though the specifics vary from state to state, US law typically recognizes situations in which it is legal to use force to defend property. For example, in Missouri, the law states that:


Use of physical force in defense of property.

563.041. 1. A person may, subject to the limitations of subsection 2, use physical force upon another person when and to the extent that he or she reasonably believes it necessary to prevent what he or she reasonably believes to be the commission or attempted commission by such person of stealing, property damage or tampering in any degree.

2. A person may use deadly force under circumstances described in subsection 1 only when such use of deadly force is authorized under other sections of this chapter.

3. The justification afforded by this section extends to the use of physical restraint as protective force provided that the actor takes all reasonable measures to terminate the restraint as soon as it is reasonable to do so.

4. The defendant shall have the burden of injecting the issue of justification under this section. [19]

This raises the question: if physical force in defense of property is legal to neutralize a threat to one's property, should it not be legal to use non-physical 'electronic' force to neutralize an 'electronic' attempt to steal or tamper with one's intellectual property? It appears that there is at least some legal justification in favor of counter-hacking.

The closest legal challenge to counter-hacking occurred in United States v. Heckenkamp, where a student at the University of Wisconsin was prosecuted for a number of computer intrusions, most notably against eBay. A university system administrator, Savoy, traced an unauthorized intrusion into the university mail server to Heckenkamp's computer and remotely accessed that computer without a warrant to confirm the source of the intrusion; this led to the seizure of the computer, which yielded evidence implicating him in a number of illegal computer intrusions. The 9th Circuit upheld the warrantless search under the special needs exception to the 4th Amendment, stating that:

 "Just as requiring a warrant to investigate potential student drug use would disrupt operation of a high school ... requiring a warrant to investigate potential misuse of the university's computer network would disrupt the operation of the university and the network that it relies upon in order to function. Moreover, Savoy and the other network administrators generally do not have the same type of "adversarial relationship" with the university's network users as law enforcement officers generally have with criminal suspects."[20]

The ruling, however, is of limited applicability to the broader question of counter-hacking, for several reasons. Firstly, the University of Wisconsin is a state school, and thus bound by the 4th Amendment. The ruling's implications about the privacy of the contents of a computer on a network are therefore of limited relevance to a network operated by a private entity. Furthermore, the search occurred for an ostensibly non-law-enforcement reason: Savoy searched Heckenkamp's computer to ensure the continued operation of the school's mail server, not to obtain information for use in a criminal prosecution. Indeed, the ruling hinged upon this fact, leaving the admissibility of information gained by traceback counter-hacking in legal, and particularly criminal, proceedings an open question.

            The law, therefore, offers little guidance on the question of counter-hacking. Certainly, corporations wishing to minimize exposure to liability should err on the side of caution and refrain from engaging in active responses, but there is reason to believe that there is a legally defensible basis for counter-hacking.

IV. Relationship to Other Policy Issues

The most significant policy question hacking back raises is the concept of a reasonable standard of care for the computer user or owner. A large portion of computer attacks are at least partially perpetrated by large numbers of machines hijacked by a virus unbeknownst to their users. Legally, one can be held negligent for failing to take measures to ensure a measure of safety. According to California law, "[e]very one is responsible . . . for an injury occasioned to another by his want of ordinary care or skill in the management of his property or person."[21] If the reasonable standard of care for computers is legally established to be minimal, as in the current climate, the average computer user whose machine is involved in a DDoS attack is certainly not liable. A higher standard of care, however, perhaps requiring the reasonable application of updates that fix well-known vulnerabilities in an operating system, opens the computer-illiterate PC owner to liability if his machine is found to have participated in a DDoS attack.[22] The legality of counter-hacking has significant implications for this fundamental question. If counter-hacking is legal and morally allowable, a higher standard of care is implied, because the counter-hacker is allowed to defend itself against the 'careless masses'; if counter-hacking is illegal, the implication is that security breaches are not the responsibility of the computer owner, and thus the threshold for finding negligence must be correspondingly higher. In Virgin Records America, Inc. v. Thomas, the plaintiff asserted that the defendant, Jammie Thomas, distributed copyrighted files over KaZaA. The defendant claimed that her IP address and information had been 'spoofed,' but the jury, composed of computer laypeople including an individual who had never used the internet, found her liable in "only 5 minutes," awarding damages of $222,000.[23] This verdict appears to imply some degree of reasonable care, though its true extent has yet to be established.

V. Future Implications

The increasing prevalence of counter-hacking illustrates the need to establish a framework for its legality and usage. Applied correctly, counter-hacking can serve as an effective supplement to under-equipped law enforcement apparatuses in fighting increasingly anonymous and international cybercrime. Applied incorrectly, however, counter-hacking can become a greater problem than the initial threat, causing rampant and indiscriminate attacks based on questionable evidence. Fundamental to drafting an effective set of guidelines for counter-hacking is setting a standard of reasonable care for the use of a computer: users must be expected to exercise reasonable care in maintaining their computer's security. Much as an individual whose car goes out of control because its brakes were negligently maintained is held responsible, an individual whose computer is hijacked through a long-since-fixed vulnerability and used to commit a cyberattack must be held responsible.

Kesan and Majuca provide an excellent set of criteria for valid counterattack rooted in game theory, stating that for a counterattack to be justified "(1) other alternatives, such as police enforcement and resort to courts, are either ineffective or ineffectual; (2) there is a genuine prospect of hitting the hacker instead of innocent third parties; and (3) the damage that can be mitigated to the defender's systems outweigh the potential damage to third parties. Additionally, when hackback is justified, the following rules govern conduct during hackback: (4) defenders must not use excessive force, that is, they must only use force necessary to defend their property and not needlessly destroy the hacker's digital assets; and (5) counter-strikers would be held liable for damage to other third parties."[24] Under that set of criteria, hackback occurs only when it is of the greatest possible benefit to society, making it a helpful addition to the traditional law enforcement methodology while preventing needless collateral damage.

 


 


 

[1] Defense Science Board, 2006 Summer Study on Information Management for Net-Centric Operations, available at http://www.acq.osd.mil/dsb/reports/2007-04-IM_Vol_I.pdf

[2] 18 U.S.C. § 1030(c) (2003)

[3] Bruce P. Smith, Hacking, Poaching, and Counterattacking, Journal of Law, Economics, and Policy 1

[4] Kenneth Einar Himma, Internet Security: Hacking, Counterhacking, and Society (2007)

[5] Denial of Service Attacks, available at http://www.cert.org/tech_tips/denial_of_service.html

[6] Andrew Orlowski, Is the RIAA "hacking you back", The Register (2003), http://www.theregister.co.uk/2003/01/14/is_the_riaa_hacking_you/

[7] Declan McCullagh, Hollywood hacking bill hits House, available at http://www.news.com/2100-1023-946316.html?tag=nl

US House of Representatives Bill H.R.5211, http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.5211:

[8] Jennifer Granick, Appeals Court Misfired in Hack-Counterhack Dispute, Wired Magazine (2007), http://www.wired.com/politics/onlinerights/commentary/circuitcourt/2007/04/circuitcourt_0411

[9] Tony Bradley, Counter-Hacking: Savior or Vigilante?, available at http://netsecurity.about.com/cs/generalsecurity/a/aa052103.htm

[10] Winn Schwartau, Cyber-Vigilantes hunt down hackers, CNN(1999), http://www.cnn.com/TECH/computing/9901/12/cybervigilantes.idg/index.html

[11] Timothy M. Mullen, The Right to Defend, SecurityFocus (2002), http://www.securityfocus.com/columnists/98

[12] Pia Landergren, Hacker Vigilantes Strike Back, CNN (2001), http://archives.cnn.com/2001/TECH/internet/06/20/hacker.vigilantes.idg/index.html

[13] Ibid.

[14] Kenneth Einar Himma, Targeting the Innocent: Active Defense and the Moral Immunity of Innocent Persons from Aggression, Journal of Information, Communication, and Ethics in Society 2, no. 1.

[15] Rob Rosenberger, First let's kill all the virus writers, available at http://www.vmyths.com/column/1/1999/1/15/

[16] Doctrine originally attributed to Aurelius Augustinus (Augustine, c. 400), XXII, ¶¶ 73-79.
Stated in this form by Jay P. Kesan and Ruperto P. Majuca, Hacking Back: Optimal Use of Self-Defense in Cyberspace, paper presented at the "Security in a Networked World: Balancing Cyber-Rights & Responsibilities" conference, September 9, 2005, available at http://www.oii.ox.ac.uk/research/cybersafety/extensions/pdfs/papers/jay_kesan.pdf

[17] U.S. Const. amend. XIV, § 1

[18] 18 U.S.C. § 1030(a)(5) (2003)

[19] Missouri Revised Statutes § 563.041

[20] United States v. Heckenkamp, 482 F.3d 1142 (9th Cir. 2007)

[21] Cal.Civ.Code § 1714(a).

[22] Lisa Vaas, Should We Be Legally Obligated To Fix Vulnerabilities?, eWeek(2007), http://www.eweek.com/article2/0,1895,2194578,00.asp

[23] David Kravets, RIAA Juror: 'We wanted to send a message,' Wired (2007), http://blog.wired.com/27bstroke6/2007/10/riaa-juror-we-w.html. For the case, see Virgin Records America, Inc. v. Thomas, 0:2006cv01497, Minnesota District Court (2006)

[24] Jay P. Kesan and Ruperto P. Majuca, Hacking Back: Optimal Use of Self-Defense in Cyberspace, paper presented at the "Security in a Networked World: Balancing Cyber-Rights & Responsibilities" conference, September 9, 2005, available at http://www.oii.ox.ac.uk/research/cybersafety/extensions/pdfs/papers/jay_kesan.pdf

 


Last Modified 5/21/08 12:22 AM