Authored by John Westercamp
Experts estimate the economic costs of cybercrime are between $250 billion and $1 trillion a year. While the most public forms of cybersecurity breaches are data breaches similar to the Home Depot and Target incidents, much of the costs are driven by economic espionage. The most potent threats in the cyber espionage context are state actors from developing countries.
Many corporate Chief Information Officers (“CIOs”) invest millions of dollars a year to protect their company’s trade secrets and intellectual properties, but foreign governments in developing countries are highly motivated to steal trade secrets and can do so without fear of prosecution by the Department of Justice. Further, organized cybercriminal groups or other “hacktivist” groups can invest minimal resources to disrupt corporate operations and impose significant costs on American companies. To protect against such threats, CIOs have to be successful one-hundred percent of the time; cybercriminals or foreign governments only have to be successful once.
The nature of threats from cyberspace are similar to the nature of terrorism where significant sums of money can be spent to protect and prevent crises, but a well-motivated group of individuals can, with a minimal amount of resources, cause significant damage. Passive strategies are insufficient to address these threats.
Because of this dilemma, some CIOs are tempted to engage in tactics known as “active defense.” One of the techniques used in active defense is a process known as hacking back or counterhacking. CIOs who use counterhacking are attempting to undermine in real-time hackers who are trying to hack the corporation’s systems. Counterhacking could also ostensibly include anticipatory or pre-emptive hacking from likely threats in cyberspace.
Counterhacking is a tempting tactic because of its sense of parity. It also likely increases the costs of cybercriminals and potentially deters economic espionage; however, it constitutes a federal felony. Counterhacking violates the Computer Fraud and Abuse Act. Moreover, counterhacking could violate international law and undermine the diplomatic goals of the President.
Some scholars and legal commentators like Stewart Baker have argued for novel legal theories to justify counterhacking. The analogies abound. The proponents argue that counterhacking is similar to justice in the Wild West, Stand Your Ground laws, and letters of marque from the era of piracy. Yet none of these analogies have been recognized by courts.
The only exception to the Computer Fraud and Abuse Act is within the text of the statute and is limited to government law enforcement and intelligence agencies. The government may legally engage in counterhacking without violating federal law. While it is theoretically possible for a law enforcement agency to “deputize” a corporate actor, there is no evidence that the government has “deputized” anyone, nor would this be a prudent policy decision.
The threats from cyber espionage impose a substantial cost of the U.S. economy. The Computer Fraud and Abuse Act prevents companies from engaging in counterhacking, but there are many other tactics corporations can use to counter threats from cyberspace. Further, both private and public entities should collaborate to find solutions which protect American companies’ trade secrets and intellectual properties.
Authored by John Westercamp