Hacking Back – Wanting to Even the Score

Cindy Morgan-Olson, Head of Global PR and Analyst Relations

As the recent victim of a particularly vicious hacker – a criminal who engaged in identity theft, wire fraud, and a whole range of cyber law-breaking (not to mention stalking) – I would like nothing better than to nail the perpetrator to the fullest extent of the law.

But after speaking to a well-known payments firm and other parties through which I’d been manipulated, I was told it is very difficult to punish these guys. Perhaps a bank would have done so, but others don’t seem to care as much? Perhaps this is going to change in the next five years? I do hope so, but I won’t hold my breath!

After following up with a background check, as curiosity got the best of me, I realized that this was clearly no one I wanted to anger – so I changed my online passwords and chalked it up to an intense learning experience. For safety reasons, hacking back and vengeance may be tempting – but I know these are not a rational recourse for a consumer threatened by the criminally intent.

On a larger scale however, corporations are viewing these issues differently and looking at “beaconing” and “hacking back” as a way of retrieving stolen information. But legally and practically, this scenario isn’t as simple as it sounds.

When the phrase “Don’t get mad, get even” was first coined, no one ever thought it would apply to corporations or even individuals in the world of cybercrime. But it does! As cybercrime escalates, the rallying cry to “hack back,” the term for accessing another computer network without permission, enters the lexicon of lawyers, Congress, and corporate IT folks.

Currently, an IP-focused commission led by Dennis C. Blair, President Obama’s first director of national intelligence, and Jon M. Huntsman, a former ambassador to China, has suggested that companies enduring cybertheft “should be able to retrieve their electronic files or prevent exploitation,” according to a recent article in the Wall Street Journal.

As government and corporations consider whether or not two wrongs make a right, legal experts point out that the situation is more complicated than it may appear on the surface, with a tangled web of often innocent third parties involved as the go-between in any hacking scenario and scheme.

According to proponents of “hacking back”, the best way to look at the scenario is as “investigating back” – but technically the law does not allow that at the moment. And perhaps for good reason – do you really want a whole army of criminals hunting you down, for instance? Or do you want to hack into an innocent hospital or school system, which might be caught between a hacker and a corporation?

Currently, we in the US all live under the Computer Fraud and Abuse Act adopted in 1984 (ironically). But I think pretty much everyone in cybersecurity agrees that law is painfully out of date – how could its proponents have seen the world turn to intense cyber espionage in the span of 28 years (though the science fiction authors of the day sure did)?

For now, the issue of cyber protection is on the agenda of every financial institution in the country – and every corporation of every stripe looking to protect company data and intellectual property. While certain technology vendors look to create protections, the legal community works hard to assess and create new laws and privacy protections and to determine how to apply the law. The Cyber Intelligence and Sharing Act, under much debate, contains language that does not permit “hacking back”.

So stay tuned – what Congress is addressing in the Cyber Intelligence Act, what major law firms are addressing with corporate clients, and what is on the minds of all of us who have been hacked, is part of the growing focus of cyber security.

As much as technology companies hope to safeguard our financial institutions and other business entities, at the end of the day, the law must move one way or the other to update our protections with new approaches to the problem.

Unfortunately, this isn’t happening fast enough!

On a closing note, corporations and I have something in common: we are all embarrassed at being hacked and would really like to figure out how to get even with the hacker that caused us misery!
