Your organization has been cyber-attacked. Sensitive business and customer information has been leaked. Your organization’s reputation and competitive edge suffers irreparable damage. You hire a cyber security firm to investigate. The firm traces the hackers’ tracks and is about to hack into their computer systems in order to mitigate the damage, uncover more information about the hackers’ methods, disable their infrastructure and better assess the scope and nature of the information they managed to leak. Is hacking into the hackers’ computer systems legally permissible?
Command and Control
If you think this scenario is far-fetched, think again:
- Check Point, a leading IT security provider, recently disclosed that, as part of its investigation into cyber attacks by a group dubbed “Rocket Kitten", Check Point had gained unfettered access to the group’s systems by exploiting their security vulnerabilities (e.g., password-less root access and easily guessed super admin passwords).
- In early 2013, itrust consulting, a Luxembourg-based company specializing in IT security, disclosed that it hacked into command and control servers used by a hacking group reportedly sponsored by the Chinese government, by exploiting vulnerabilities in those servers.
Are we diving into a theoretical analysis of unrealistic legal issues? Obviously, the odds of an attacker pressing charges against cyber security companies are slim. But hackers often surreptitiously use the computers of unsuspecting third parties as command and control servers for their hacking campaigns, as storage space for leaked data, or as launch pads for attacks. Counter-offensives could therefore end up causing collateral damage to third parties, while only marginally impacting the hackers. Such innocent third parties can press charges, putting an abrupt end to the notion that ‘attacking the attacker’ is insulated from liability.
In Israel, unauthorized access to computers is primarily governed by the Computers Law and, to some extent, also by the Protection of Privacy Law. The Israeli Computers Law criminalizes “unlawful penetration of computer material located on a computer."
The Israeli Supreme Court recently held that the term “unlawful penetration" is to be interpreted very broadly to mean any use of computer without the owner’s consent. The Court explicitly rejected the notion that the term should be interpreted to cover only instances of penetration of computers where technical access barriers are circumvented. The court favored the broad interpretation due to “…the incredible potential for damage emanating from computer crime." The Court noted that concerns for overreaching criminalization of negligible acts would be resolved by having prosecutors and courts use the de minimis exception to criminal liability, a principle that means “the law does not take notice of very small or trifling matters." But this in no way suggests that courts are likely to determine that “hacking a hacker" falls under the de minimis exception.
Resorting to offensive action as a countermeasure to right a wrong is akin to “self-help" in law. The law perceives “self-help" as people taking the law into their own hands – a notion that can undermine due process, a quintessential element of modern organized society. This is why the law generally tends to disapprove of “self-help". Instances of permissible self-help are few and far between, and are subject to severe restrictions and preconditions, but they do exist.
Applied to criminal law, “self-help" takes the form of exculpations – rules of law that justify or excuse conduct that would otherwise be criminally punishable. An interesting question is therefore whether “hacking a hacker" can be criminally excused or justified under exculpations such as “self-defense" or “necessity". Although we have not come across any case law precisely on point, we believe that these exculpations would be inapplicable.
For instance, under Israeli law, the self-defense exculpation is conditioned on the existence of an immediate need to fend off an attack that poses imminent threat to one’s freedom, life, body or property, and it is subject to the use of proportional measures.
Proportionality in Israeli law is examined using a three-part test. First, the counter offensive must be a suitable measure to fend-off the hacker’s cyber attack. Second, the counter offensive must be the least harmful measure needed to fend off the cyberattack. Finally, the benefit arising from fending off the attack should be commensurate with the harm caused by utilizing the counter-offensive measures. Under these criteria, it is difficult to see how hacking a hacker would be deemed a proportional measure to fend off an attack.
Similarly, the “necessity" exculpation to “hack the hacker" under Israeli law would be conditioned on the premise that the attacked organization had no other option but to take counter-offensive measures. Arguing that might prove to be an uphill battle.
Admittedly, another key factor in the picture is the extent and degree to which prosecutors would pursue criminal charges for counter-offensives against hackers. But that largely hinges on a prosecutorial policy that is yet to be formulated and made public.
This is the case not only with Israeli law:
- Not too long ago, the Federal Bureau of Investigation reportedly examined whether U.S. financial institutions were behind cyber attacks against servers previously used by Iran to launch cyber attacks against banks.
- In the wake of the Sony data breach in late 2014, President Barack Obama hinted that the United States would proportionally retaliate against North Korea “in a place and time and manner that we choose." A few days later, North Korea was cut off from the Internet in an outage that lasted several hours. North Korea accused the U.S. government of cyber attacking the communist country’s Internet connectivity. The White House declined to concede that that U.S. had taken a role in the outage.
Interestingly, the U.S. federal Computer Fraud and Abuse Act (CFAA), the primary federal anti-hacking law in the U.S., provides that the law “does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States… or of an intelligence agency of the United States." The White House has reportedly confirmed that a presidential directive indeed exists governing the launch of cyber attacks against servers outside the U.S.
One of the primary provisions of the CFAA criminally proscribes accessing a “protected computer" without authorization. U.S. case law suggests that the term “protected computer" encompasses any computer connected to the Internet, even a computer used by hackers for cyber attacks.
It is also worth noting that anyone who “aids, abets, counsels, commands, induces or procures" the commission of an offense under the CFAA “is punishable as a principal" perpetrator. Liability could therefore attach not only to the person who actually engages in counter-offensives against hackers but also to the person or entity who hired them.
EU Criminal Offense
In 2013, the European Union adopted a directive aimed at establishing across all EU member
states “minimum rules concerning the definition of criminal offenses and sanctions in the area of attacks against information systems." The directive provides that intentionally accessing a computer without authorization by circumventing a security measure is a punishable offense. It also criminalizes unlawful interference with the functionality of a computer and with digital data. The directive requires EU member states to ensure that companies that engage in these activities can be held criminally liable and can be sanctioned by punishments such as disqualification from the practice of commercial activities and judicial winding-up.
It appears that some private sector actors engage in counter-offensives against hackers. These practices entail legal risks that should not be overlooked. Even if the likelihood of criminal charges is not high, it cannot be ruled out outright, especially if the counter-offensives cause collateral damage to third party bystanders.
This commentary is intended for purposes of general knowledge only, does not constitute legal advice and should not be relied on for such purposes.