Legal Merits of 'Hack Back' Strategy
Attorneys Discuss Whether Best Cyberdefense is Strong Offense
As distributed-denial-of-service attacks and other threats continue to hit organizations in 2013, many security leaders are beginning to consider the "hack back" strategy to repel attackers and mitigate any potential harm to the company.
Attorney David Navetta, who co-chairs the American Bar Association's Information Security Committee, says the "hack back" strategy is a concept that's being discussed openly among legal professionals.
"Taking the DDoS-attack scenario, if you're an organization who has suffered an attack and you're able to pinpoint where it's coming [from], security professionals are exploring the idea of when it would be appropriate to hack the systems that are attacking you," Navetta says during a roundtable discussion with Information Security Media Group [transcript below].
"Do you need to take the harm, potentially even lost revenue, that arises during that attack when you can potentially disable the attack and perhaps do it without harming the computer?" Navetta asks.
Attorneys Ronald Raether and Lisa Sotto say the idea is certainly being discussed theoretically, but warn about the legal implications of such a counter-attack. "The system may not be owned by the actual criminal," Raether says. "It may be my grandma's system that was hijacked. And if that's being hacked into, you're now the equivalent of bombing Switzerland in a war."
In part one of a five-part series drawing from this roundtable discussion, the three attorneys also talk about:
- Top privacy, fraud and breach issues of 2012;
- Changes in how courts handle data breach cases;
- The most significant security-related legal stories of the year.
About the participants:
David Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He has been a keen observer of information security-related litigation, including financial fraud and state privacy laws.
Ronald Raether is partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patents; anti-trust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.
Lisa Sotto is managing partner for the New York-based law firm Hunton & Williams, where she focuses on privacy, data security and information management issues. She has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners.
Subsequent installments of this series focus on:
- Privacy legislation;
- Fraud litigation trends;
- Breach response best-practices;
- Top security/privacy issues of 2013.
Top Legal Issues in 2012
TOM FIELD: To start out, I'd like to talk about some of the issues that have occupied your time this year. Lisa, what have you found to be the top legal issue occupying the bulk of your time in 2012?
LISA SOTTO: Unfortunately, it's data breach still. We certainly never expected to be saying this in 2012 going into 2013. As you know, the world of data breach just exploded in 2005, and I thought by now we'd have this well in-hand, but certainly we do not. We have handled to date probably over 900 data breaches since 2005, and they appear to me to be continuing absolutely unabated. One of the differences though that we're seeing is an increase in malicious attacks. Companies continue to be caught by system vulnerabilities that existed several years ago. They continue to exist now. But at the same time, we're also seeing cybercriminals out there who are enormously motivated. They're very creative and they're very, very sophisticated. They operate through organized crime rings so they're carefully orchestrated in their activities. Frankly, we need to do a better job in combating cybercrime, and now we add to the mix advanced persistent threats, which are cyberthreats sponsored by nation-states, and we also are seeing cybercriminals targeting IP and trade secrets.
FIELD: Ron, what has occupied your time this year?
RONALD RAETHER: Generally, it's the same with data breaches, but, in particular, the reactions of various third parties to those breaches. I agree with Lisa that it kicked off in 2005, and what we're seeing is really the evolution of the legal issues surrounding data breach and the growth of interest in a variety of different sectors to those breaches. In 2005, there was certainly interest in some of the breaches and that interest was focused from the FTC, for example, and some of the AGs.
What we're seeing in 2012, and what I think the trend will continue to demonstrate, is that in particular the state attorney generals are gearing up and preparing themselves to be more actively involved in looking at breaches and evaluating whether the companies who were oftentimes the victim of those breaches nonetheless need to be reviewed, investigated, and then sometimes brought to an enforcement action or a settlement with respect to those breaches. I think state AG involvement is certainly growing in 2012.
Likewise, we're seeing changes in how the courts are dealing with complaints and claims relating to data breaches. It really started in October of 2011 with the Hannaford decision from the First Circuit. Although that was trending based on some decisions that were coming out of the 9th and the 6th, ultimately those cases culminating with Hannaford are now finding that plaintiffs have standing to bring claims based on data breaches. More recently, in the Curry matter in the 11th Circuit, we're seeing not only standing but also sufficient pleading with regard to damages. What does all that mean? Consequence and litigation is that these cases are now moving beyond the pleading stage where we're all fighting about whether a plaintiff said enough on a piece of paper to be able to engage in discovery to now actually engaging in discovery in these cases and allowing these plaintiffs and their counsel to start getting more and more information about how the breach has occurred, and, as a consequence, increasing the risk profile for companies.
Finally, I agree with Lisa that one of the new trends that we're seeing in 2012 that somewhat is recycling but I think is being bolstered by relative variations is malware. We're seeing terrorists, organized crime and even governments and companies beginning to see malware and hacking as an opportunity for them.
FIELD: David, I will toss this to you, and I suspect your answer begins with the word "breaches" as well.
DAVID NAVETTA: It does. In terms of data breach, I agree with both Lisa and Ron that it's taking up a lot of time. It always does, and it seems to be somewhat increasing. I'm going to talk actually about a little bit more particular type of breach and where it's hitting, and that's the payment card data breach and those types of breaches hitting medium and smaller types of organizations. I've had a lot of those this year, and the challenge there is not only dealing with the notification potentially, but also with working through card brands, assessment processes and penalties. What I'm seeing is a lot of point-of-sale attacks by cybercriminals, almost in an automated Henry Ford-like fashion, that are targeting point-of-sale devices looking for remote access points into those devices, sometimes seeing default passwords that are known for particular types of remote access ports, and getting access to companies' point-of-sale systems, putting memory scrapers or memory dumpers right on those systems and taking data in real-time and doing it in secret, usually from a distance in an Eastern European-type country.
I'm still surprised to see a lot of smaller and mid-size companies not PCI compliant and not taking straight-forward steps that would prevent some of these types of breaches. In the news, if we want to talk about one in particular, there was a breach involving Barnes and Noble that involved the PIN pads. The thing about these attacks is usually they're scalable. If you find one point-of-sale system related to a particular company that's set up in a particular certain way of weakness, then you can go to a different location and find that point-of-sale system and get on to that system and start taking card data. For half of the trends from an attack point-of-view, instead of going for the big whales that have the huge data repositories, they're using a very scalable automated attack to go for smaller repositories of data, and credit card data in particular, and attacking those in a systematic way. Whenever I encounter these breaches, it's pretty amazing the ingenuity that I see in terms of how these attacks organize and then how they play out.
The other area that's not breach-related, which we might touch on a little bit, is BYOD, bring-your-own-device, and this is more on the compliance side, privacy and security side, and the incident response side. The reality that a lot of my clients are dealing with right now is the fact that their employees are pushing the types of devices that they want to use onto the organization, going from a very centralized approach where Blackberries are bought, locked down and provided to employees, to a decentralized approach where employees, whenever the new devices come out, are demanding that they be able to use that device to either access the company network and/or potentially store sensitive information on those devices, and I've done a lot of work helping companies understand privacy, security and incident response issues there and developing policies and controls to help in at-risk and under-compliance obligations.
Biggest Legal Stories
FIELD: We've talked about a lot here. We've talked about security and privacy. We've talked about breaches, mobility and BYOD. David, from your perspective, what do you think has been the biggest security and legal story of the year?
NAVETTA: This year, we didn't have a huge Heartland-type breach or a Sony-type breach, or even a bunch of Anonymous attacks. Finding the big story was a little more difficult. From my point-of-view, from a legal point-of-view, I'm not sure if it's a big threat, but a story worth keeping your eye on is regulatory enforcement. This year, we saw California create a special office within the AG's office for purposes of privacy enforcement. The AG has been active, getting back to mobility, highlighting the need for mobile applications that have privacy policies, and engaging in proper information-handling practices.
We saw HHS much more active in terms of fines and penalties, even just run-of-the-mill breaches where they were much more proactive in following up after getting notification under HIPAA/HITECH and doing a little more investigation. If I had to pick a story that is a big story or an upcoming story that would be beyond litigation, [it's] the increased regulatory scrutiny, and I think in 2013 we may see even more of that.
SOTTO: I feel similarly to David. There are really so many stories and there hasn't been one gigantic story. But if I had to choose one, I would focus on the DDoS attacks on banks recently. What we've seen is really a seismic shift in the world of data breach and hacking from back in 2005, a focus for malicious actors on personally identifiable information and the use of that data to commit account fraud and identity theft. Now we're seeing cybercrime and cyberattacks at a whole different level where we have very organized, systemic attacks on a half a dozen of the biggest banks in the United States, clearly done for some sort of political aim in mind. These are very much indicative of where we're going to go in the future. The hackers that were involved in the bank hacks suggested that the actions that they undertook were in retaliation for the banks' enforcement of Western economic sanctions against Iran. There are many other reasons that certainly we could point to for these DDoS attacks, but they were extremely disruptive of the banks' websites and networks and I think we're seeing a trend.
RAETHER: I generally agree with what both Lisa and David have said in terms of really what is the focus. It's not a specific breach. It's not a specific company. But it's starting to see some of these general trends, and I think I mentioned the AG enforcement actions. That's certainly a big one, as well as the shift in the courts and how they perceive complaints and claims that are being brought by plaintiffs. And quite frankly, I think plaintiffs' counsel are becoming wiser in reacting to the decisions that have come out in the past, beginning to focus on the types of claims that they perceive will provide them with more success in the courts. Specifically, [it's the] claims that are based on violations of statutes, where those statutes include damage provisions within the structure so that you can prove liability of the burden of having to prove causation, and specific damages is removed because the statute has provided that in its language.
As a consequence, litigation arising from breaches and then the ultimate resolution of that litigation is and will continue to be a big story. Likewise, [it's] the extension of the security boundaries, so it's not just the BYOD, employee-owned device, issue that David referenced. We're certainly dealing with that and saying that's an extension of security and what a company needs to address, but also outsourcing in general. Specifically, with regard to that, I mentioned the firmware issue that has come up somewhat in the PIN pad hacking cases, not just recently but also a couple of years ago. It's this concept of even with firmware in other devices, and most recently they've been built outside of the country and the legitimate concern is that malware is being embedded within those devices either by country-states, organized crime or otherwise. Those are being embedded at the time that the firmware is being manufactured. It's being shipped back to the United States. It's sitting maybe in our water-treatment facilities, power plants, within the infrastructure of a company, maybe even an HVAC unit, but sitting somewhere where with a push of a button remotely from across the pond the bad stuff can be released into the system. Because a lot of these systems are not integrated, it allows it to infiltrate this malware throughout the entire company or the organization and it can be a worst-case scenario type of an event. I think we will start to see some of these worst-case scenarios come into fruition.
'Hack Back' Strategy
NAVETTA: I would like to add to one thing. Lisa raised the point of DDoS attacks on banks, and I wanted to raise a potentially even more cutting-edge concept that we've been talking about with the American Bar Association and with the information security committee, and that's the concept or the idea of what's being called "hacking back." Taking the DDoS-attack scenario, if you're an organization who has suffered a denial-of-service attack and you're able to pinpoint from where that attack is coming, where the e-mails are flooding from in order to block your system or what have you, some lawyers and some security professionals are exploring the idea of when it would be appropriate or potentially how you can make an argument in the form of legality of actually going into hacking the systems that are attacking you and disabling the attack.
There's a lot of talk and articles on this concept, the idea being why as an organization, if you can identify the source of an attack, do you need to take the harm, potentially even lost revenue, that arises during that attack when you can potentially disable the attack and perhaps do it without harming the computer that you're actually going after and hacking into, and hopefully then everyone arises out of the situation intact on some level. The problem here is many times the actual attacks are being launched from innocent computers, people whose computers have been taken over by botnets that are being used to launch a denial-of-service attack. It could be a company or an individual. What's the legality of gaining unauthorized access to that computer and shutting down the attack? What if something goes wrong and you take out the system or cause damage to data on the computer? What kind of liability issues exist there? This one is kind of a cutting-edge issue going into 2013. Some companies may want to take the hack into their own hands and attack back.
FIELD: I would love to get some feedback from Ron and Lisa as well. With this concept of hacking back, what are your thoughts on it?
RAETHER: It's an interesting concept and it's certainly something that theoretically we've been talking about, the legal consequences or the legal permissibility of being able to hack into somebody else's system, especially in the example that David presented where the system may not be owned by the actual criminal. It may be my grandma's system that was hijacked and if that's what's being hacked into, you're now the equivalent of bombing Switzerland in a war.
I think Stuxnet is a very important example for everyone to continue talking about, not only in the case of nation-sponsored cyberattacks, but also generally with regard to this hacking-back concept. In the case of Stuxnet, it probably took a considerable amount of resource and ingenuity to build that malware. The fact of the matter is once it's released, it's much easier to reverse-engineer and re-code that malware and turn it back and use it against the company, individual or country that originated that malware. In other words, you can take something that otherwise might not be developed but for having limitless resources you decide to use it, but as a consequence you have now put this piece of malware out there that can be very detrimental, harmful and hard to get rid of. You've given aid to your enemies by putting that out there and allowing them to easily reengineer that and reuse it for their own, oftentimes illegal and harmful, purposes. Those higher-picture lessons could be important for companies to consider when they're thinking about hacking back.
SOTTO: I think that's a very important point. Stuxnet was very sophisticated and highly destructive. The point that you've just made about the virus now being out there, essentially being able to be disseminated in other ways and catching like a virus would do, is a very difficult issue to manage. These very destructive weapons, like Stuxnet, are really only enhanced by the more ordinary attacks, like the denial-of-service attacks, which are much more run-of-the-mill but highly disruptive for those companies that are subject to the attacks. We just saw Palestinian supporters attack Israeli websites through denial-of-service attacks.
RAETHER: What we found is that even before 2005, or around that period, denial-of-service attacks really [were] meant to be a frontal assault to distract the resources of the company away from the true attack, which was a back-door attack into some other system. If I know that you have a limited amount of resources that you can dedicate to defending your wall, and I use a denial-of-service to use up those resources, then it leaves open other gaps in the system that I can then take advantage of and get to. What I really want is the data that's behind that wall. I was interested to see or hear whether any of the financial institutions saw those secondary attacks that came behind the denial-of-service that obviously made the publicity and came to light to the public because denial-of-service is so visible. I'm not able to log into my bank accounts, so as a consequence I'm tweeting and getting on Facebook and it gets a lot of media attention, but the secondary attacks likely wouldn't come to the light of day in terms of the media and public attention.