Amidst the balloons and excitement (and smoke machines and procedural kerfuffles) at the GOP Convention in Cleveland, one provision in the party platform has caught the eye of cyber experts. For the first time, an American political party has explicitly extended the concept of self-defense to cyberspace, stating that “users have a self-defense right to deal with hackers as they see fit.”
Experts have long been divided on the wisdom of encouraging reprisals by cyber-attack victims against attackers – so-called “hack backs.” One reason is that attribution is exceptionally difficult. A sophisticated hacker can cloak the origination point of an attack, making it hard to hit the actual attacker. Moreover, since legitimate technical systems are rarely designed for offensive purposes, hack-back measures can cause more problems than the original hack.
The state and justice departments have likewise counseled against hack backs for several reasons:
- Reluctance to grant individual victims authority to wreak retribution;
- The danger that hack backs would hit hijacked computers or other innocent parties instead of the actual attackers;
- The risk that hack backs could hamper investigations by destroying key data trails;
- Diplomatic issues;
- Their assessment that hack backs are likely illegal under existing federal law since they entail unauthorized access to computers.
Critics have decried this position as absurd – in effect shackling cyber-attack victims from pursuing their tormentors when the government cannot protect them (or, in many cases, itself), let alone trace, apprehend, try and convict countless hackers scattered across the globe. Former NSA General Counsel Stewart Baker characterizes the government position as “We don’t know how to protect you, but we do know how to keep you from protecting yourself.”
Against this debate, the GOP platform language is notable for three reasons. First, its presence in the platform indicates cyber-security has evolved from an esoteric concern to one that has permeated the public consciousness. Second, though vague, it frames hack backs as self-defense rather than vigilante justice. Third, it indicates that the debate over who can hack the hackers (and how) has just begun.
| © Poyner Spruill LLP. All rights reserved.