The Law of Cyberspace
This new “Law of Cyberspace” blog is going to cover the law as it particularly applies in cyberspace. This is an area that is not well understood, even among lawyers and, certainly, among triers of fact (judges and juries). My background is technical: 50+ years in cyber security, a PhD in digital investigation, and over 10 years teaching digital forensics, information security, and cybercrime/cyber law. I am studying for a second PhD, in law this time, with a focus on cyber law. In this blog, I hope to bring some insights from that experience to you that you can apply to the daily grind of managing information security in both large and small organizations. This month I’ll take up a topic much in the news lately: hack-back.
Representative Tom Graves of Georgia has proposed a bill called the “Active Cyber Defense Certainty Act” (ACDC). He wants to use it to amend the “Computer Fraud and Abuse Act” (CFAA, 18 US Code, section 1030) to allow victims of ongoing cyber attacks to use active defense measures to identify attackers and defend against them. From a technical perspective, this is a bad idea. From a legal perspective, it has some precedent, if not merit.
First, the meat of §1030 is in USC 18 §1030(a). This section defines the offense and, to simplify, it says that you cannot (1) access without authorization a computer that contains information protected against disclosure by a bevy of laws, all of which relate to a government-protected computer. Nothing in that sub-section precludes unauthorized access to a private computer that is not protected under one of the listed sets of laws. Sub-section (2) reiterates (1) and adds financial data. Sub-section (3) addresses government, non-public computers, and (4) addresses fraud directly. Sub-section (5) addresses causing damage, again to a protected computer, (6) deals with trafficking in passwords, and (7) covers extortion. The CFAA goes on to define punishments, but this section is where the focus of hack-back resides.
Like many statutes, however, USC 18 §1030 has been interpreted by case law to extend to any computer, not just “protected” ones. This is murky territory and demonstrates the problem underlying Graves’ approach. For example, in Sewell v. Bernardin, No. 14-3143 (2nd Cir. 2015), the plaintiff alleges that the defendant accessed her AOL and Facebook accounts in violation of USC 18 §1030. Plaintiff further alleges that the AOL and Facebook computers comprise “protected computers” under the Act. If they are, indeed, protected computers as defined in USC 18 §1030(a)(1), then the Act applies.
Given the rest of the facts in the case, if the computers at AOL and Facebook are not protected, the Act does not apply. In sub-section (5)(A) there is reliance, perhaps, upon the notion of causing damage. But the damage claimed is to the plaintiff, not to the computer(s).
The other issue brought up as justification for hacking back is self-defense. If an individual being assaulted is entitled to respond with force equal to the force used against him/her, why can't a private organization under attack from a hacker respond equally? This is a case where traditional, physical-space law is being force-fit into cyberspace. We tend to do that when we have no directly applicable cyber law to cover the situation. Rep. Graves seeks to fix that by creating cyber law in the context of the CFAA.
There are consequences to all actions we take. For example, in the Florida “Stand Your Ground” law, there is the potential for a victim of a knife assault to take the only action she believes to be open to her since all she has is a gun in her purse and, certainly, would not be expected to be an accomplished knife fighter. But in shooting and killing her assailant she has exceeded the level of force allowed to her. (She may only respond with equal force; a knife is not equal to a gun.) Moreover, the common law view of use of force for self-defense requires that the victim attempt to run away except under certain circumstances such as being in her own dwelling house.
There also is the assumption that the victim knows who her assailant is—not to the extent of knowing him personally, but rather to the extent that she can see her assailant and is confident that she is being assaulted by him. In a cyber attack, there is no such certainty. The victim of a cyber attack cannot, with certainty, identify the source of the attack.
Therefore, use of force to counter a cyber attack is risky both from the perspective that the force may be directed against the wrong party—in which case does the aggrieved party get to hack-back the original victim?—and from the perspective that the response does not land on the actual attacker. In neither case is an assault response appropriate or effective, and it may cause more complications than the original attack. Moreover, we must address the issue of the response force possibly exceeding the attack force. Finally, we can always “run away” by taking our systems offline if necessary to protect ourselves.
In my opinion, the ACDC does not address the problem of responding to cyber attacks sufficiently, and the CFAA does not apply with sufficient universality to the problem of hack-back in the private sector, which comprises the vast majority of computers in use today. Graves’ proposed law is a bad idea.