Shot in the Dark: Can Private Sector "Hackbacks" Work?
Journal of National Security Law & Policy ; 13(1):211-230, 2022.
Article in English | ProQuest Central | ID: covidwho-2169348
ABSTRACT
The SolarWinds attack, for example, a Russian government-backed breach discovered in late 2020, infected networks in at least nine federal agencies (including the State Department, the Department of Homeland Security, and parts of the Pentagon[5]) and may have caused upwards of $100 billion in damage.[6] Private companies regularly face similar attacks, with only a fraction of the government's resources to defend themselves. According to IBM, the average business cost of a cyberattack is $3.86 million.[9] Former NSA Director Keith Alexander has estimated cumulative U.S. company losses to cyberattacks to be the greatest transfer of wealth in history.[10] And cybercrime is on the rise: since the start of the global COVID-19 pandemic, the FBI has reported a 300% increase in the number of cybersecurity complaints it receives daily, now up to around 4,000 per day.[11] Several prominent examples illustrate the havoc a malicious cyberattack can wreak on a company. "[23] It does not define "authorization" or "obtain information," so courts have generally applied the plain meaning of these terms.[24] It also notably does not include any type of self-defense provision that would exempt unauthorized access to a network by persons or companies under attack from that network. [...] while hackback responses could take on a variety of forms, most, if not all, would at least seriously risk violating the CFAA.
The best-known proposal was the Active Cyber Defense Certainty (ACDC) Act, introduced by Representative Tom Graves in 2017 and again in 2019.[30] ACDC would establish an affirmative defense to CFAA charges for responses that qualify as "active cyber defense measures" (ACDMs).[31] This would allow victims of cyberattacks to access the attacker's computer without authorization, in order to establish attribution, disrupt attacks, and monitor the attacker.[32] A company must first notify the FBI's National Cyber Investigative Joint Task Force and can request voluntary FBI review of a planned hackback, but no government approval or oversight is required.[33] The 2019 bill garnered bipartisan support from 18 cosponsors.[34] A companion bill was not introduced in the Senate, but Senator Sheldon Whitehouse floated the idea, stating that "[w]e ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression.
Collections: Databases of international organizations | Database: ProQuest Central | Language: English | Journal: Journal of National Security Law & Policy | Year of publication: 2022 | Document type: Article