Officially, the U.S. government warns companies not to hack, even when done as retaliation against attacks on their systems. Unofficially, the FBI may let it slide, according to cyber-security experts.
The FBI is probing whether any U.S. banks broke the law by hacking back at cyber-intruders to stop a wave of Iran-sponsored attacks on their networks last year, Bloomberg News reported today. The ongoing investigation, which had not been previously reported, suggests that hacking in self-defense is a gray area legally.
The federal law that mandates the Justice Department take a no-tolerance policy on hacking is 30 years old, and doesn’t account for the complexities of modern cyber-warfare and corporate espionage. The law, called the Computer Fraud and Abuse Act, can come into conflict with the government's efforts to forge closer ties with companies to help them investigate and stop cyber-attacks, says Bob Cattanach, a partner at Dorsey & Whitney in Silicon Valley who specializes in cyber-security law. “It’s an awkward position,” he says.
“The FBI and financial institutions have been trying to work a little more cooperatively on information-sharing,” says Cattanach, a former trial attorney with the Justice Department. “The FBI would be very careful about not overplaying its hand here.”
Even if the Federal Bureau of Investigation finds that a major corporation hacked back, it's likely that no charges will be brought, Cattanach says. The government's relationships with the private sector are so fragile that the Justice Department would probably exercise prosecutorial discretion and not bring a case to avoid damaging those ties, he says.
The concept of hacking back is one that cyber-security and legal experts have been debating for years, with no consensus on how far companies can go to protect their networks. Experts have been calling for an update to anti-hacking laws that would allow for some forms of self-defense.
In the meantime, the U.S. publicly discourages hacking of any kind. The Justice Department warns in a guidebook that hacking back “may be illegal, regardless of the motive.” FBI spokeswoman Jenny Shearer says, “The FBI cautions private sector entities from taking offensive measures in response to being hacked.” She declined to comment on the investigation.
While it's not surprising that companies want to be proactive when they're under attack, they risk committing what other countries might classify as acts of cyber-warfare, says Reece Hirsch, a partner with the law firm Morgan, Lewis & Bockius who co-leads its privacy and cyber-security practice. In May, the Justice Department charged five Chinese military officers with hacking into U.S. industrial companies and stealing trade secrets, and U.S. companies risk similar legal actions overseas—and the ire of the U.S. government—if they are found to be hacking back, even if it's in self-defense, Hirsch says.
“It's a fine line to cross because the government doesn't want private actors engaging in what could be construed as acts of warfare,” Hirsch says. However, government inaction can lead businesses to vigilantism. “One of the reasons companies contemplate active defense is the threats are so omnipresent and they are so severe, a company can't really count on the government to take the steps they feel are necessary for their protection,” he says.