What does one do about malware, about intrusion into one's IT systems, about cyber-attacks? My last column looked at the criminal law aspects of 'hacking back' – is 'active defence' legal? Here we turn to other considerations. What are the civil rights and wrongs? In these days of state-sponsored attacks, are there military aspects? For that matter, what are the practicalities of attacking the attackers?
Civil rights and wrongs
The legal questions about civil liability for intruding on someone else's computer system work in both directions, i.e. the cyber-attacker may in principle be exposed to the same civil liability as the active defender who hacks back. So if the victim of an attack could prove who did it, and prove that there was damage, and demonstrate that suitable rules of law should apply, and get the person into one's jurisdiction, and the person had assets there, then the civil law might provide a remedy.
That is a long string of contingencies, none of which is simple to establish. None could be established quickly. If one is under a current attack that is damaging one's computer or one's operations, there may be little comfort in waiting for the court system to help. If the attacker is out of the jurisdiction, it could be very costly to wait. What one usually wants is an injunction to make the attacks stop. One's local court can't give that for enforcement abroad, and not all foreign courts will issue one, especially quickly.
We therefore look at liability questions here from the point of view of the victim who defends actively.
Is it a civil wrong to enter someone else's computer without its owner's consent? As noted previously, 'enter' is a kind of metaphor for delivering electronic commands to a system capable of receiving and acting on them. Not surprisingly, the criminal laws mentioned in the last column do not indicate if their breach should have civil consequences. One would expect a plaintiff to allege that they do. One would then resist civil liability by denying criminal liability on the grounds discussed last time.
Purely civil wrongs may apply. The most obvious is trespass. Is giving an electronic command to a system that has not consented to receive it trespass on that system? Electrons are physical, they enter a physical space and make physically detectable changes by commanding a machine to act. A computer configuration that is open to public messages of certain kinds would not be held to consent to different kinds, and a court would probably not have much trouble deciding that in the normal course, an unauthorized use would be illicit.
The case is stronger if the person entering must get around security measures in order to do so. Such measures are pretty clear equivalents of 'no trespassing' or 'private property' signs. While there is some authority for the application of the law of trespass to chattels, its operation in the digital world still raises some eyebrows.
Other harms may be alleged. Some cases have seen arguments that making the owner's computer do things the owner did not want done deprived the owner of computing power for its own purposes. That argument might be defeated if the 'deprivation' were trivial.
If the owner was cut off from communicating with others, such as suppliers or customers, and lost business, that kind of harm would normally be compensable.
The active defender is less likely than the original attacker to copy or re-use intellectual property, where the mere copying gives rise to damages, both statutory and special. Aside from IP issues, our law is still not clear whether data can be 'stolen' at all, for civil as well as criminal purposes. Slaw has discussed this before.
Both to determine liability and to prove damages, one has to consider what the active defendant has actually done. 'Entering' the attacker's computer to discover who is responsible for the attack, without more, may cause no harm. The defender might want to do that to found a civil action, or to go to law-enforcement authorities. One might want to 'get one's data back', or prevent the forwarding of one's data to others, or to disable the malware command and control mechanism, or to take revenge on the attacker's system. As the counter-measures escalate, so does the likelihood of liability and of provable damages to the attacker.
Proving damages is not essential, however, to the person seeking only an injunction or restraining order of some kind. A mere breach of a civil right may support such a remedy.
If the attacker is itself a victim that is being used by a remote hacker, the situation becomes even more complicated. It has been said, however, that though the immediate attacker may be a victim, it is not innocent. Somehow its own security practices have been deficient, possibly negligent – both to allow its system to used to infect others' systems, and perhaps to allow the defender access in turn.
This comparative fault discussion suggests the use of a couple of tort defences so old as to be known by their Latin names: ex turpi causa and in pari delicto. Where the plaintiff is engaged in illicit activity, harm it suffers as a consequence may not be compensable. Where both parties are equally at fault, neither may recover harm it suffers at the hands of the other. The fault that is to be compared may be criminal, civil or both. Depending on the facts, both of these defences might well be effective.
The 2013 RSA Conference offered a mock trial of a civil action based on hacking back. Here is my paraphrase of the scenario. The reader may apply the above lessons to it and to decide what additional principles might be needed to decide the case.
Retail company X finds that its e-commerce services are not working, just before the big retailing season of US Thanksgiving through Christmas. Preliminary investigation shows interference originating from competing retailer Y. Executive, technology and legal communications between X and Y do not make Y admit there is a problem, much less offer to do anything. It is a busy season for everybody. A 'remedy' through the courts – perhaps an injunction to stop interfering with X's system – would not be available until well into the following year … if X survives the loss of the big retail season.
So X's IT people penetrate more deeply into Y's system, discover a third-party command-and-control function that is interfering with X's (and others') systems, and disable it. In doing so, X also disables Y's retail e-commerce system. Y's disaster-recovery program turns out to be defective, so recovery is long and expensive, and Y loses a lot of sales. Y sues X for its losses; X counterclaims for its earlier losses and for the expense of its defensive measures.
The challenges of describing cyber-attacks as acts of war were mentioned in the earlier article. Is there a risk that hacking back will be considered a kind of private act of war, or lead to state-directed counter-counter-attacks that will escalate out of control? Or must attribution be followed by retribution to make cyber-defence meaningful?
There is a legal difference between espionage and acts of war. In the United States, they are governed by different titles of the U.S. Code. Title 18 deals with espionage under the general principles of crime. Title 50 deals with the law of war. As also noted previously, one must beware of an escalation of vocabulary that could affect sound legal analysis.
The current hot topic is how cyber-threats will affect relations with China. The Mandiant report was mentioned in the earlier column. The 2013 RSA Conference heard how cyber-attacks fit into the traditional Chinese concepts of war. As I write, the presidents of the US and China are discussing the topic.
Nevertheless lots of states engage in espionage online, probably including our own.The whole topic is in early days of development – and is also beyond my current understanding.
I therefore raise this set of issues only as a flag for those who care to explore it. The national risks or the risks that private citizens incur in getting involved in activities that may turn out to be state-directed will need further exploration, by others.
The civil liability issues will arise if the active defender operates in a jurisdiction with a relatively effective justice system and faces an opponent with the resources to use it. So hacking back against 'script kiddies' will produce less risk of litigation than of further attacks, possibly from the original attacker's informal allies.
The biggest concern about hacking back is unintended consequences. It is very easy for things to go wrong: to hit the wrong target, to ignore the real source of attacks, to do collateral damage, to poke the hornets' nest. Anyone giving legal advice must have a thorough grasp of the facts and the technology. There is no simple answer.
So what can really be done about cyber-attacks? This is not the occasion for a full discussion of national and international cyber-security. A lot of knowledgeable writers have advocated universal strong authentication, rigorous privacy controls, global law-making, enhanced private-sector responsibility (including legal liability): all fascinating topics for another time.
Some people say that intermediaries like Internet Service Providers should take on more of a role, shutting down the sources of malware or denial-of-service attacks. Intermediaries or third-parties who attempt such actions may themselves be targeted for attack. In any event, they do not want to expose themselves to legal action for cutting someone off – involving having to prove in court that the ex-client was the source of malware. (A Canadian court in the last century upheld an ISP that cut off a customer for spamming, so the legal position of the helpful ISP has some merit.)
Intellectual property owners, and especially their collectives, push for laws that make the intermediaries responsible for detecting and stopping copyright infringement. They have been successful in several places, less so in others. It is probably a good idea not to mix IP infringement questions with cyber-security issues – the policies and the balance of interests are not the same, but the focus on the intermediaries is a common element. (There is another school of thought, especially in the US, where it is backed up by statute, that intermediaries should be excused from any responsibility for harm done through their systems, in order to encourage a robust offer of their services.)
Sometimes the big Internet companies do get involved, in cooperation with law enforcement. Recently it was announced that Microsoft had collaborated with the FBI to take down large parts of an international malware network. Private technology and official permission obviated the risk of civil (or probably criminal) liability. Private investigation and attribution helped launch this process.
Google helps too. It tests web sites that it catalogues to see if there is malware on them. I recently had my own site compromised. I received an email from Google telling me about it, and suggesting means to respond. The warning system is fully automated, of course, but effective. (I eventually moved the whole site to another host, since the host of the corrupted site did not seem interested in doing anything about it.) That was not active defence, just admission and avoidance – passive defence. But it got me back online.
Private security defence services offer methods of response – 'tracking back', intelligence gathering and blocking further intrusions from that source – whose legality they defend.
Finally, informal pressures may be of some use as well, if not against the criminals and state espionage units, at least against those whose insecure systems are used to transmit the attacks. If executives are not impressed with the economic benefits of security, perhaps the reputational benefits in days of active social media and global campaigns will have an effect. Putting security higher on an organization's agenda is a form of self-defence for others that deal with that organization.
In our legal system there are few, if any, common-law crimes. An act is not criminal unless legislation says so. Deciding whether hacking back is a criminal offence thus involves interpreting statutes that may have had something else in mind. There are common-law defences, however, like necessity and self-defence, that can be brought into play.
The civil liability regime is more flexible. Torts are usually developed at common law, even the holding that a statutory offence may give rise to civil liability. Doing harm through illicit means is likely to make one liable. However, civil defences are also flexible, and the civil law is able to make refined judgments on comparative fault on legal and equitable, almost moral, grounds.
These features make the estimation of civil liability less restricted than that in the criminal domain. However, this very flexibility makes liability depend closely on the facts of a particular situation, which we have seen may have subtle but important variations from case to case.
It has been suggested – by an advocate of hacking back – that the idea of active defence is becoming more accepted in mainstream thinking, because of the pervasiveness of cyber-threats and the lack of speedy effective alternatives. Some acceptance of limits on what is legitimate for self-help may be developing as well.
Nothing is so firm as to be free of legal risk, however. There remains much work for lawyers and their technical advisors as the law and practice around hacking back evolve.