Self-defence in Cyberspace: Hacking Back the Hacker
Exploring the merits of decriminalizing hacking back by non-state actors in the Netherlands

LL.M. Law and Technology
Tilburg Institute for Law, Technology, Markets and Society, Tilburg University
Philippe Martens
January 2021
SNR: 1253401
Supervisor: Lucas Jones LL.M.
Second Reader: dr. Colette Cuijpers

Foreword

This thesis is the final piece of the puzzle needed to complete my master’s degree in Law & Technology at Tilburg University. After many years of hard work my time as a student has come to an end. For now, at least. I look back with great joy on this period in my life, which provided me with many great experiences that I will cherish forever.

I would like to extend my gratitude towards my primary supervisor, Lucas Jones, for his useful feedback and the engaging discussions. His guidance helped me to challenge my own thinking and enhance the overall quality of this thesis.

Finally, I want to thank my parents, Paul and Sylvie, for their continuous support during my studies and for their encouragement to pursue this academic journey. Especially their support for my decisions to study and work abroad helped me to get a lot of fulfilment out of my time as a student.

Table of Contents

Foreword
Chapter I - Introduction
1.1 Background and Problem Statement
1.2 Research Objective and Research Questions
1.3 Methodology
1.4 Preliminary Remarks and Limitations
1.5 Overview of Chapters
Chapter II - Hacking back and Alternative Cyber Defence Measures
2.1 Introduction
2.2 Understanding Hacking Back
2.3 Legal Issues
2.4 Alternative Cyber Defence Measures
2.4.1 Passive Cyber Defensive Measures
2.4.2 Active Cyber Defensive Measures
2.5 Active Cyber Defence as an Enhancement of Cybersecurity
2.6 Limitations of Active Cyber Defence
2.7 Concluding Remarks
Chapter III – Hacking Back and the ACDC bill in the United States
3.1 Introduction
3.2 The CFAA Framework
3.2.1 Protected Computers
3.2.2 Damage
3.2.3 Unauthorized Access
3.3 The ACDC Bill
3.3.1 Conditions for Hacking Back under the ACDC Bill
3.3.2 Definitional and Linguistic Ambiguities
3.3.3 Limitation of Liability
3.4 Arguments in Favour of Decriminalizing Hacking Back in the US
3.4.1 Hacking Back as Self-defence
3.4.2 Hacking Back as Compensation for Ineffective Law Enforcement
3.4.3 The Deterrence Effect and Retributive Justice
3.4.4 Concerns on the Effectiveness of Traditional Forms of Cybersecurity
3.5 Arguments Against Decriminalizing Hacking Back in the US
3.5.1 Risk of Escalation
3.5.2 Difficulties in Establishing Attribution and Risk of Collateral Damage
3.5.3 Issues of Extra-territoriality
3.5.4 Risk of Degradation of State Authority
3.5.5 Risk of Interference with Ongoing Investigations
3.5.6 Lack of Financial and Human Resources and Potential for Misuse
3.6 Concluding Remarks
Chapter IV - Assessing the merits of decriminalizing hacking back in the Netherlands
4.1 Introduction
4.2 The Dutch Position: No Private Hack-back Allowed
4.2.1 The Dutch Criminal Code
4.2.2 The Cybercrime Convention
4.2.3 The Paris Call for Trust and Security in Cyberspace
4.3 Considering the Legal Conditions for Regulating Hacking Back
4.3.1 Proportionality
4.3.2 Necessity
4.3.3 Additional Conditions
4.4 Testing the Waters: is the Dutch Prohibition on Hacking Back Justified?
4.5 Concluding Remarks
Chapter V - Conclusion
Bibliography

Chapter I - Introduction

1.1 Background and Problem Statement

Back in January 2010, Google made a public announcement that a hacker group,[1] now known as the “Elderwood Gang”, had gained access to the company’s network in an attack nicknamed “Operation Aurora”.[2] The hackers had exploited a previously unknown vulnerability in Microsoft’s Internet Explorer which allowed them to access private Gmail accounts and steal Google’s source code, after routing the attacks through servers at two Chinese educational institutions in order to cover their tracks.[3] However, when Google discovered it had been hacked, it did not sit idle and decided to launch a secret counteroffensive. The company began its own hacking operation and managed to gain access to a computer in Taiwan which was the suspected source of the attacks.[4] On that computer, Google engineers found evidence of the attacks on Google and on at least thirty other companies.[5] Thus, the scale of the threat became clearer, as private sector security systems were being actively targeted and exposed with a sophistication that stunned Google’s security experts.[6] The long-term damages of these attacks remain hard to estimate, but some companies paid seven-figure sums in reparation costs.[7] The events were perhaps best summarized by George Kurtz, co-founder and CEO of cybersecurity company CrowdStrike, who fittingly commented: “like an army of mules withdrawing funds from an ATM, this malware had enabled the attackers to quietly suck the crown jewels out of many companies while people were off enjoying their December holidays”.[8]

As illustrated by the anecdote above, businesses are faced with
major cyber threats as malicious hackers engage in phishing, computer intrusion, online fraud, cyber espionage and theft of intellectual property and trade secrets.[9] It is estimated that by 2025 cybercrime will cost the world the unfathomable amount of $10.5 trillion per year.[10]

[1] David Drummond, ‘A new approach to China’ (Google Official Blog, 12 January 2010) <https://googleblog.blogspot.com/2010/01/new-approach-to-china.html> accessed 6 May 2020.
[2] Jan E Messerschmidt, ‘Hackback: Permitting Retaliatory Hacking By Non-State Actors as Proportionate Countermeasures to Transboundary Cyberharm’ (2013) Columbia Journal of Transnational Law (forthcoming) 1, 2. See also David E Sanger & John Markoff, ‘After Google’s Stand on China, U.S. Treads Lightly’ (N.Y. Times, 14 January 2010) <https://www.nytimes.com/2010/01/15/world/asia/15diplo.html?_r=1> accessed 23 April 2020.
[3] Tim Maurer, ‘Breaking Bad: How America's biggest corporations became cyber vigilantes’ (Foreign Policy, 10 September 2012) <https://foreignpolicy.com/2012/09/10/breaking-bad/> accessed 23 April 2020.
[4] Ibid.
[5] Ibid. Furthermore, Matt Buchanan of the technology blog Gizmodo even commented: “It’s pretty awesome: If you hack Google, they will hack your ass right back”. See Matt Buchanan, ‘Google hacked the Chinese hackers right back’ (Gizmodo, 15 January 2010) <https://gizmodo.com/google-hacked-the-chinese-hackers-right-back5449037> accessed 23 April 2020.
[6] Michael Joseph Gross, ‘Enter the Cyber-Dragon’ (Vanity Fair, 2 August 2011) <https://www.vanityfair.com/news/2011/09/chinese-hacking-201109> accessed 5 May 2020.
[7] William Jackson, ‘How Google attacks changed the security game’ (GCN, 1 September 2010) <https://gcn.com/articles/2010/09/06/interview-george-kurtz-mcafee-google-attacks.aspx> accessed 6 May 2020.
[8] Maurer (n 3).
[9] Messerschmidt (n 2) 10-12.
[10] Steve Morgan, ‘Cybercrime To Cost The World $10.5 Trillion Annually By 2025’ (Cybercrime Magazine, 13 November 2020) <https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/> accessed 3 January 2021.

The emergence of such criminal activity in cyberspace challenges traditional models of law enforcement in various ways, as cybercrime does not share the characteristics of crime taking place in the physical world.[11] Firstly, all that is needed to commit virtual crimes is a computer connected to the internet, which enables cybercriminals to launch online attacks on unsuspecting victims in different parts of the world.[12] Thus, cybercrime has a territory-free nature: it does not require the perpetrator and the victim to be within physical proximity of each other, as they may even be in different countries when the virtual crime is committed.[13] Law enforcement agencies are therefore hampered in their pursuit of these cybercriminals, as they are constrained by their own jurisdictional boundaries.
Secondly, cybercriminals can use technology to commit thousands of crimes in a short amount of time, affecting a large number of victims simultaneously, which renders the traditional assumption of one-to-one victimization obsolete.[14] The technology used by these criminals has also become more sophisticated and accessible, as illicit software kits are increasingly sold commercially on the internet by lone offenders or criminal organisations.[15] This has resulted in such a huge amount of illegal activity on the internet that law enforcement does not possess the resources to deal adequately with both real-world crime and virtual crime.[16] Thirdly, cyberspace affords criminals anonymity, which allows them to avoid the physical constraints of real-world crime.[17] This anonymity is enabled by various technologies of concealment such as VPN services and Tor, which make it possible for internet users to roam the internet without giving away their identity or location.[18] Fourthly, the nature of e-evidence poses unique authentication and integrity issues due to its volume (i.e., the size of the data), its volatility (i.e., data can swiftly be overwritten or removed), its velocity (i.e., data can be created and transmitted in a matter of seconds) and its vulnerability (i.e., e-evidence is prone to manipulation and damage).[19] These characteristics of cybercrime make it incredibly difficult for national law enforcement agencies to respond to virtual crime.[20]

Against this background, private actors are largely left to fend for themselves and are exploring new methods of responding to malicious hackers.[21] Thus, businesses may not only resort to passive forms of cybersecurity such as implementing firewalls and encryption techniques, but are also exploring more aggressive forms of active defence.[22] One specific technique that companies could use against hackers is so-called “hacking back”.
Unfortunately, there is no formal definition of hacking back, which complicates the debate, but in general terms it is understood as a digital counterattack against one’s cyber-attackers.[23] Thus, the expression “hacking back” indicates that the victim of an intrusion responds by obtaining unauthorised access (“hacking”) to the attacker’s computer or network.[24] Hacking back would allow victims of cyber-attacks to respond in kind in order to deter malicious attackers.[25] For instance, hackers may be deterred by the threat of active defenders exposing their identity and denying them success.[26] Hacking back can also be done for the purpose of retrieving or deleting stolen data, or even destroying the attacker’s computer system in order to render it permanently inoperable.[27] Hacking back allows defenders to respond immediately against the intruder and compensate for ineffective law enforcement agencies and slow courts.[28] Above all, the most important argument in support of hacking back can be found in the natural right to defend one’s own person and property, especially in the absence of adequate law enforcement.[29] When the state does not have the resources or the will to enforce its own rules, individuals arguably become responsible once more for their own defence.[30]

[11] Susan W Brenner & Leo L Clarke, ‘Distributed Security: A New Model of Law Enforcement’ (2005) John Marshall Journal of Computer & Information Law (forthcoming) 1, 2.
[12] Ibid, 7.
[13] Ibid.
[14] Ibid.
[15] Peter Grabosky, ‘The Evolution of Cybercrime, 2004-2014’ (2014) RegNet Research Paper No. 2014/58, 1, 3-4.
[16] Brenner & Clarke (n 11) 7.
[17] Ibid.
[18] Grabosky (n 15) 4.
[19] Xandra Kramer, ‘Challenges of Electronic Taking of Evidence: Old Problems in a New Guise and New Problems in Disguise’ (2018) II Conferencia Internacional & XXVI Jornadas Iberoamericanas de Derecho Procesal IIDP & IAPL, La Prueba en el Proceso / Evidence in the Process, Atelier 2018, 391, 404.
[20] Brenner & Clarke (n 11) 7.
[21] Messerschmidt (n 2) 12.
[22] Wyatt Hoffman & Ariel E Levite, ‘Private Sector Self Defense: Can active measures help stabilize cyberspace?’ (2017) Carnegie Endowment for International Peace 1, 5.
[23] Patrick Lin, ‘Ethics of Hacking Back: Six Arguments From Armed Conflict to Zombies’ (2016) Ethics + Emerging Sciences Group 1, 2.
[24] Renée Albersheim, ‘The Legal Implications of Corporate Reverse Hacking’ (1999) 18 Preventive L Rep 8; Karine Bannelier & Théodore Christakis, ‘Cyber-Attacks Prevention-Reactions: The Role of States and Private Actors’ (2017) Les Cahiers de la Revue Défense Nationale 3, 59.
[25] Hardik Gandhi, ‘Active Cyber Defense Certainty: A Digital Self-Defense in the Modern Age’ (2019) Oklahoma City University Law Review, Vol. 43, Issue 2, 279, 300.
[26] Ibid.
[27] Lin (n 23) 3.
[28] Bannelier & Christakis (n 24) 61.
[29] Lin (n 23) 10-11; Gandhi (n 25) 298.
[30] Ibid.

However, hacking back, often branded as a type of “digital vigilantism”,[31] is one of the most controversial methods of digital self-defence and raises questions about the legality of such practices.[32] The main legal issue is that non-state actors that engage in hacking back most likely violate domestic criminal laws on illegal access to computer systems, as well as the laws of foreign jurisdictions, since attackers may operate from foreign countries.[33] As such, persons that engage in hacking back would themselves risk criminal prosecution. Moreover, other problems related to hacking back include escalatory risks and retaliation by the attacker, as well as difficulties in accurately establishing attribution, which may result in innocent third parties being wrongfully targeted.[34] In order to stay within the boundaries of the law, non-state actors may therefore resort to alternative and less aggressive forms of cyber defence measures such as blocking suspect IP addresses, setting up firewalls, installing intrusion detection and prevention systems and using encryption techniques.[35] However, such measures may prove to be ineffective against more sophisticated and targeted cyber-attacks.[36] As such, it is something of an open secret in the information technology industry that private companies do hack back and break laws in the process.[37] However, due to their secret nature, these activities usually do not become public, which hinders the debate on whether the practice of hacking back should be allowed or not.[38]

[31] Nicholas Schmidle, ‘The Digital Vigilantes Who Hack Back’ (The New Yorker, 30 April 2018) <https://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back> accessed 3 January 2021.
[32] Bannelier & Christakis (n 24) 68.
[33] OECD, ‘Roles and Responsibilities of Actors for Digital Security’ (2019) OECD Digital Economy Papers, N° 286, 1, 24; Chris Cook, ‘Cross-Border Data Access and Active Cyber Defense: Assessing Legislative Options for a New International Cybersecurity Rulebook’ (2018) 29 Stan L & Pol'y Rev 205, 215; Bannelier & Christakis (n 24) 71.
[34] Albersheim (n 24) 8; Robert Dewar, ‘CSS Cyber Defence Trend Analysis 1’ (2017) Risk and Resilience Team, Center for Security Studies, 1, 8; Bruce P Smith, ‘Hacking, Poaching, and Counterattacking: Digital Counterstrikes and the Contours of Self-Help’ (2005) 1 JL Econ & Pol'y 171, 179-183; Bannelier & Christakis (n 24) 64-68; Paul Rosenzweig, ‘International Law and Private Actor Active Cyber Defensive Measures’ (2013) Stanford Journal of International Law, Vol. 47 (forthcoming) 1, 2-3.

In the United States (US), legislators are actively considering regulating hacking back by non-state actors through the federal legislative proposal for the Active Cyber Defense Certainty Act (ACDC bill), which would amend section 1030 of the Computer Fraud and Abuse Act (CFAA).[39] In a nutshell, the proposal would allow a defender that has become the victim of a persistent unauthorized intrusion to gain unauthorised access to the attacker’s computer in order to gather information to (1) establish attribution of the cyber-attack, to be shared with law enforcement, (2) disrupt continued unauthorized access to the defender’s network or (3) monitor the behaviour of the attacker in order to assist in developing future intrusion prevention or cyber defence techniques.[40] However, the ACDC proposal remains heavily debated by academia and cybersecurity experts, and has received much criticism, as legalizing hacking back by non-state actors could on the one hand lead to a chaotic internet environment, reminiscent of the “wild west”, in which companies use self-defence as a false pretext for out-of-control hacking operations.[41] On the other hand, allowing hacking back may have a deterrent effect, help identify malicious hackers, increase prosecution and reduce overall cybercrime.[42] Such legislative developments highlight that decriminalizing hacking back can be considered a serious policy option to deal
with ongoing cyber threats against private actors, and could serve as an example for other jurisdictions.

[35] Hoffman & Levite (n 22) 9-10; Rosenzweig (n 34) 2-3; Bannelier & Christakis (n 24) 57-60.
[36] Robert Lee, ‘The Sliding Scale of Cybersecurity’ (2015) SANS Institute: Information Security Reading Room, 2; Dennis Blair and others, ‘Into the Gray Zone: the Private Sector and Active Defence Against Cyber Threats’ (2016) The George Washington University: Centre for Cyber & Homeland Security, 9.
[37] To illustrate: Bruce Schneier, Chief Technology Officer of security firm IBM Resilient, said the following with regard to hacking back by private actors: "It is, right now, kind of like international bribery. It is illegal and you can't do it, but it is happening." See Robert Lemos, ‘Why the hack-back is still the worst idea in cybersecurity’ (TechBeacon) <https://techbeacon.com/security/why-hack-back-still-worst-idea-cybersecurity> accessed 23 April 2020.
[38] Bannelier & Christakis (n 24) 74; Joseph Cox, ‘Revenge Hacking Is Hitting the Big Time’ (The Daily Beast, 19 September 2017) <https://www.thedailybeast.com/inside-the-shadowy-world-of-revenge-hackers> accessed 7 April 2020.
[39] H.R.3270 - Active Cyber Defense Certainty Act.
[40] See section 4(3) H.R.3270 - Active Cyber Defense Certainty Act.
[41] One may refer to Gandhi (n 25) 301; Samantha A Schwartz, ‘Federal 'hack back' bill back on table, but critics wary of blind spots’ (CIO Dive, 12 August 2019) <https://www.ciodive.com/news/federal-hack-back-bill-back-ontable-but-critics-wary-of-blind-spots/557855/> accessed 7 April 2020.
[42] Gandhi (n 25) 281; Benjamin Baker, ‘Considering the Potential Deterrence Value of Legislation Allowing Hacking Back’ (2018) 1, 3.

In the Netherlands, non-state actors do not have a right to hack back, and there have been no developments so far that indicate that this is about to change, nor has there been any academic debate about the practice of hacking back.[43] Thus, under the current legal framework, non-state actors would risk criminal prosecution if they were to engage in hacking back, as article 138ab of the Dutch Criminal Code criminalizes hacking if one intentionally and unlawfully enters a computerised device or system or a part thereof.[44] The Netherlands is also a signatory to the Cybercrime Convention, an international treaty that aims to realize a common criminal policy addressing cybercrime by harmonizing national laws and fostering international co-operation. It is important to note that in this context, the Cybercrime Convention requires its parties to criminalize all forms of illegal access to computer systems carried out without right. Moreover, the Netherlands is a signatory to the Paris Call for Trust and Security in Cyberspace, a non-binding international agreement which states in one of its main principles that signatories should avoid allowing private sector hack-backs. From these binding and non-binding legal sources it can be inferred that the Netherlands is a jurisdiction that is against allowing non-state actors to hack back.

[43] However, the academic debate within the Netherlands has covered the merits of police hacking. One may refer to Ronald L D Pool & Bart H M Custers, ‘The Police Hack Back: Legitimacy, Necessity and Privacy Implications of The Next Step in Fighting Cybercrime’ (2017) European Journal of Crime, Criminal Law and Criminal Justice (25) 123; Bart H M Custers, ‘Nieuwe online opsporingsbevoegdheden en het recht op privacy: Een analyse van de Wet computercriminaliteit III’ (2018) JV afl. 5, 100.
[44] Article 138ab Wetboek van Strafrecht. The unofficial English translation of the Dutch Criminal Code was retrieved from <https://www.legislationline.org/documents/section/criminalcodes/country/12/Netherlands/show> accessed 14 January 2021.

However, there is no literature in the Netherlands that has examined the merits of this anti-hacking-back approach, and the US is an example of a country that is even considering regulating hacking back.[45] It would therefore be relevant to assess to what extent the US approach and the arguments in favour of decriminalizing hacking back would actually hold water in the Netherlands, given the total lack of academic debate on the matter within Dutch society and the merits hacking back may have as a potential aid for non-state actors in combatting cybercrime. In order to make this assessment, it is not only necessary to consider the arguments in favour of and against decriminalization, but also how hacking back could be regulated if it were to be decriminalized. The ACDC bill in the US provides one such example, but more proposals can be found within academic literature. For instance, Kesan & Majuca (2009) and Huang (2014) provide similar proposals that would allow a hack-back privilege in cyberspace if it adheres to the legal principles of proportionality and necessity.[46] These proposals should be taken into account when considering the legal conditions that can be construed to circumscribe hacking back if it were to be decriminalized.

[45] There has been some debate in the Netherlands, however, on legal issues associated with hacking by nation states, but this lies outside the scope of this thesis. For instance, see Larissa van den Herik, ‘De digitale oorlog: waan of werkelijkheid?’ (2013) NJB 2013/291 afl. 6, 290.
[46] Ruperto P Majuca & Jay P Kesan, ‘Hacking Back: Optimal Use of Self-Defense in Cyberspace’ (2009) Illinois Public Law and Legal Theory Papers Series Research Papers Series No. 08-20, 1, 39; Shane Huang, ‘Proposing a Self-Help Privilege for Victims of Cyber Attacks’ (2014) The George Washington Law Review Vol. 82 No. 4, 1229, 1259.

1.2 Research Objective and Research Questions

So far, the academic debate on whether hacking back by non-state actors should be decriminalized has primarily taken place from a US perspective.[47] This thesis intends to expand on this discussion by placing this highly sensitive issue in a Dutch perspective. The current Dutch approach towards private sector hack-backs seemingly is that it should be prevented in pursuit of a more secure cyberspace.[48] However, this position is not analysed in the literature, and the US is an example of a jurisdiction that is presenting arguments in favour of decriminalizing hacking back in both academic literature and the ACDC bill. This lack of academic discussion within Dutch society serves as the primary justification to explore to what extent it would be efficacious to decriminalize hacking back in the Netherlands. This will first require an exploratory analysis of how hacking back can be understood and what alternative cyber defence measures exist. Moreover, this research intends to examine the arguments that exist in favour of and against decriminalizing hacking back by inferring them from both the ACDC bill and academic literature. This thesis will subsequently consider what legal conditions can be construed to circumscribe hacking back if it were to be decriminalized, which is necessary for providing an assessment of the degree to which the Dutch stance on hacking back can be justified.

[47] One may refer to Gandhi (n 25); Smith (n 34); Albersheim (n 24); Rosenzweig (n 34).
These matters will be explored and analysed in order to fill a gap in the literature. Hence, the main research question answered in this thesis is: in light of the arguments that can be inferred from academic literature and the ACDC bill, to what extent would it be efficacious to decriminalize hacking back by non-state actors in the Netherlands? Consequently, this means answering the following sub-questions:

1. How can hacking back be understood and what alternative cyber defence measures exist for non-state actors to defend themselves against malicious cyber-attacks?
2. What are the main reasons for decriminalizing hacking back by non-state actors in the legislative proposal for the ACDC bill in the US, and which arguments go against such decriminalization?
3. What legal conditions can be construed to circumscribe hacking back if it were to be decriminalized in the Netherlands?
4. To what extent can the Dutch stance against allowing non-state actors to hack back be justified in light of the arguments that exist in favour of and against its decriminalization?

1.3 Methodology

This thesis is primarily based on doctrinal legal research and legal desk research, analysing relevant provisions of the CFAA, the ACDC bill, the Cybercrime Convention, the Dutch Criminal Code, the Paris Call for Trust and Security in Cyberspace and academic literature on hacking back. The research questions demand an extensive literature review, which allows for an analysis of how hacking back can be understood, its advantages and disadvantages, what alternative cyber defence strategies exist and suggestions on how it could be regulated. In order to carry out this literature review the author makes use of scholarly articles and online news articles on hacking back found through Google Scholar, HeinOnline and SSRN.
The author also uses a snowball method which will help identifying relevant literature by means of searching for relevant sources in the reference lists of relevant scholarly articles. The arguments 48 This position is derived from analysis of the Dutch Criminal Code, Cybercrime Convention and Paris Call for Trust and Security in Cyberspace. This position will be further elaborated in the fourth chapter. 9 for and against decriminalizing hacking back and suggestions on its possible regulation as well as the use of alternative cyber defence strategies that can be distilled from the literature review will be used in carefully assessing to what extent it would be efficacious to decriminalize hacking back by non-state actors in the Netherlands. In that regard, it should also be noted that arguments for and against decriminalization are not necessarily purely legal, but can also include elements of a normative, technological and economic nature. The research also requires a “black-letter analysis”,49 interpreting and explaining the existing prohibition of hacking under the CFAA legal framework in the US and how the legislative proposal for the ACDC bill would amend the CFAA which will be crucial in identifying legal conditions that would be needed to regulate hacking back by non-state actors. The Dutch Criminal Code, Cybercrime Convention and Paris Call are also analysed in order to assess the current Dutch stance on hacking back and to assess the extent in which there is leeway for regulating hacking back in the Netherlands. 1.4 Preliminary Remarks and Limitations This thesis will only focus on non-state actors that engage in hacking back without that act being attributable to a nation-state. As such, nation-states, intelligence and security agencies, and law enforcement agencies that engage in hacking or hacking back and the (international) law issues involved with that, will be outside the scope of this thesis. 
In addition, it must be stressed that there are no public data or examples available that indicate whether Dutch non-state actors have (secretly) engaged in hacking back, which makes this thesis more theoretical than practical.

1.5 Overview of Chapters

The second chapter will describe how hacking back can be understood and what alternative cyber defence strategies non-state actors could use to defend themselves against malicious cyber-attacks. The third chapter will introduce the current CFAA framework in the US and how the ACDC bill would amend the CFAA. Subsequently, an extensive literature review will be provided with regard to the arguments for and against decriminalizing hacking back. In the fourth chapter, an assessment will be made of the degree to which it would be efficacious to decriminalize hacking back in the Netherlands, by examining legal conditions that can be construed to regulate hacking back and assessing to what extent the Dutch prohibition on hacking back can be justified in light of the arguments discussed in the third chapter. The fifth chapter will provide a conclusion by formulating an answer to the main research question based on the results of the previous chapters.

49 Jan M Smits, ‘What is Legal Doctrine? On the Aims and Methods of Legal-Dogmatic Research’ (2015) Maastricht European Private Law Institute Working Paper No. 2015/06 1, 5.

Chapter II - Hacking back and Alternative Cyber Defence Measures

2.1 Introduction

This chapter will provide a descriptive framework on how hacking back can be understood, the associated legal issues and its position within the spectrum of cybersecurity measures. In order to do so, it is necessary to examine the relationship between hacking back and active cyber defence, as these terms are often used interchangeably while they should be seen as two separate concepts.
Moreover, a non-exhaustive typology will be provided of alternative passive and active cyber defence measures that exist for non-state actors to defend themselves against malicious cyber-attackers. The reason for this is that one must consider the value of alternative cybersecurity measures before one can objectively consider the value of hacking back within the context of cybersecurity. Finally, the value and limitations of implementing active cyber defence measures (including hacking back) as a cybersecurity strategy will be considered.

2.2 Understanding Hacking Back

In academic literature hacking back does not have a formal definition.50 However, hacking back can best be described as a technique rather than a tool.51 It also involves an element of intrusion analysis in order to identify the malicious hacker that is responsible for the attack before hacking them back.52 After establishing attribution, the defender retaliates and hacks back its cyber-attacker by intruding into the network of the cyber-attacker without being authorized to do so. Crucially, therefore, the hack-back operation takes place in the computer system and network of the cyber-attacker.53 Notable sources have defined hacking back as “the retaliation of the victim of a cyber-attack against the attacker”54 and have stated that “this kind of hacking is not an unprovoked first strike but a counter response to an attack”.55 Following these descriptions, this thesis will define hacking back as the retribution of the victim of an unauthorized intrusion against the cyber-attacker by obtaining unauthorized access to the cyber-attacker’s computer or network. Still, the purpose of a hack-back operation can vary greatly. For instance, the hack-back operation could have the goal of gathering information about the cyber-attacker, which is subsequently shared with law enforcement. Thus, hacking back can enable identification of intruders and aid in their prosecution, which may deter attackers.
However, the purpose could also be to disrupt the attack, take down malicious networks, neutralize malware and retrieve, alter or erase the data that was stolen.56 Furthermore, hacking back can be useful to deal with attacks while they are occurring.57 For instance, if a cyber-attack is discovered and ongoing, the defender can deploy a hack-back operation in order to scan the network of the malicious hacker, collect intelligence on the manner in which the attacker interacts with the defender’s system and understand the objective of the cyber-attack.58 Such information is used not only for the complex process of establishing attribution, but also for identifying potential targets in the future and for evaluating which of the defender’s assets require the most defensive focus and resources.59 Finally, in its most aggressive form, hacking back could even have the purpose of (irreparably) damaging the computer system of the cyber-attacker.60

50 Robert Chesney, ‘Cybersecurity Law, Policy and Institutions (version 3.0)’ (2020) 96; Bannelier & Christakis (n 20) 59.
51 Dewar (n 34) 8.
52 Ibid.
53 Ibid.
54 Bannelier & Christakis (n 24) 59.
55 Lin (n 23) 3.
56 Hoffman & Levite (n 22) 8.

2.3 Legal Issues

While it is clear that hacking back may have multiple advantages for mitigating and preventing malicious intrusions, it is also associated with legal issues. In general, hacking back will most likely violate domestic law in almost all countries, as hacking is internationally regarded as a criminal offence.61 In that regard it must be noted that the Cybercrime Convention, which has been ratified by 65 states so far (including all G7 countries), criminalizes hacking under article 2 by stipulating that illegal access “when committed intentionally” is “the access to the whole or any part of a computer system without right”.
In this context, the expression “without right” means actions undertaken without the required authorization or conduct that does not fall under established legal defences or justifications under domestic law.62 Thus, an active defender that responds against a hacker by accessing suspected computer systems without authorization could violate the domestic laws of the jurisdiction where the active defender is located and the law of the jurisdiction(s) where the hack-back operation is carried out, if those jurisdictions have criminalized hacking.63 Furthermore, the trans-boundary nature of the internet dramatically increases the likelihood of cross-border violations. Cross-border hack-back operations can therefore have transnational consequences, as they could violate the domestic criminal laws of multiple jurisdictions.64 Moreover, states might even start proceedings for mutual legal assistance and criminal cooperation against persons that have hacked back, which might result in the issuance of warrants for arrest and extradition.65 These legal issues highlight the considerable risks to which victims of cyber-attacks might expose themselves by hacking back. As such, it is no surprise that the number of publicly known cases of hacking back is very limited. Google’s response to Operation Aurora is one of the few publicly known examples.66 Moreover, as of today, there are no known cases of non-state actors that have actually been prosecuted for hacking back.67

57 Dewar (n 34) 8.
58 Ibid.
59 Ibid.
60 Albersheim (n 24) 8.
61 OECD (n 33) 24.
62 Council of Europe, ‘Explanatory Report to the Convention on Cybercrime’ (2001) CETS No. 185, para 38.
63 Bannelier & Christakis (n 24) 73-74.
64 Ibid.
65 Ibid.
66 Messerschmidt (n 2) 3.
67 Bannelier & Christakis (n 24) 74.

This may be explained by the assumption that both the perpetrators of hack-back operations and the persons who have been hacked back probably do not want to make
these practices publicly known, precisely because of the risk of criminal prosecution.68 Conversely, hack-back operations may not be prosecuted because they were state-sanctioned.69

2.4 Alternative Cyber Defence Measures

In order to get a proper overview of the plethora of available cybersecurity measures besides hacking back, one must take into account alternative forms of cyber defensive measures. In this context, “alternative cyber defence measures” should be understood as cybersecurity measures including both passive and active cyber defensive measures. However, one must take into account that there is no consensus on where the threshold lies between active and passive cyber defence measures.70 The aim here is not to provide an exhaustive list of such cybersecurity measures, but merely to provide an overview that demonstrates the broadness of the spectrum of cybersecurity measures, which is relevant for considering the value and position of hacking back within that spectrum.

2.4.1 Passive Cyber Defensive Measures

Passive cyber defence does not have a fixed definition.71 However, one view is that passive defensive cyber measures can be characterized as those measures that are implemented in the IT security architecture “to provide reliable defence or insight against threats without consistent human interaction.”72 Such defensive measures only produce effects within the defender’s own network, and they are of a passive nature, meaning that, even though they require maintenance and fine-tuning from time to time, they do not require constant human attention.73 A typical passive defensive cyber measure is the implementation of intrusion-prevention systems, which detect hostile activities on the defender’s network and ensure that firewalls block such activities.74 More examples of passive defensive measures include patch management procedures, network access controls, anti-malware systems, anti-virus software and similar traditional security systems.75 One should
acknowledge that such passive defensive measures are a necessity to ensure a basic and solid cybersecurity regime, but by themselves they will not be sufficient to provide adequate protection against the most sophisticated and targeted cyber-attacks.76

68 Ibid.
69 Ibid.
70 Hoffman & Levite (n 22) 9; Rosenzweig (n 34) 3.
71 Pete Cooper, ‘Cognitive Active Cyber Defence: Finding Value Through Hacking Human Nature’ (2017) Journal of Law & Cyberwarfare, Vol. 5, No. 2, 79.
72 Lee (n 36) 2.
73 Dennis Blair and others (n 36) 9; Lee (n 36) 8.
74 Hoffman & Levite (n 22) 8.
75 Blair and others (n 36) 9; Lee (n 36) 8.
76 Ibid.

2.4.2 Active Cyber Defensive Measures

Active cyber defence, like passive cyber defence, does not have a clear and formal definition.77 However, it should be noted that the term “active cyber defence” is often used interchangeably with “hacking back” even though they are two separate concepts.78 Active cyber defence can be seen as an umbrella term that captures various forms of pro-active cybersecurity measures, ranging from less aggressive to more aggressive measures.79 Thus, hacking back should be seen as a specific type of active cyber defence, and it is also widely regarded as the most aggressive form of active cyber defence.80 Measures ascribed to active cyber defence can be deployed pre-emptively, during ongoing cyber-attacks or after an attack has taken place.81 In that regard, one must consider that active cyber defensive measures can produce effects that take place (1) within the defender’s own network, (2) outside the defender’s network or (3) both.82 Nevertheless, it should be taken into account that the threshold between what constitutes in-network and out-of-network is not clear-cut and is subject to dispute.83 Therefore, there is no consensus on the range of measures that fall under the scope of active cyber defence, and what is considered to be a form of active cyber defence by one author may be considered to be a form of passive or
“internal” self-defence by another author.84 However, the widely accepted view seems to be that active cyber defence (1) requires direct or indirect technical interactions with the attacker in the defender’s network, the attacker’s network or both, or (2) is aimed at actively gathering intelligence on threat actors.85 Such active defence measures can be taken in order to pursue varying objectives that can be defensive or offensive in nature. Defensive measures are those activities that have the aim of ensuring the security of one’s own system and maintaining operational control.86 The more aggressive forms of active cyber defence, on the other hand, can help with establishing attribution of the cyber-attack and may result in the compromise of the integrity, confidentiality or accessibility of data held by third parties.87 Hereafter follows a non-exhaustive typology of measures and techniques that are typically ascribed to the scope of active cyber defence. This typology will be useful in order to illuminate the position and efficacy of hacking back within the wider spectrum of active cyber defence, which will be particularly helpful in assessing to what extent hacking back is a justifiable response to cyber-attacks.

77 Dewar (n 34) 7.
78 Cook (n 33) 209; Blair and others (n 36) 9.
79 Blair and others (n 36) 9.
80 Ibid, 10.
81 Hoffman & Levite (n 22) 8.
82 Dewar (n 34) 9.
83 Rosenzweig (n 34) 3.
84 Hoffman & Levite (n 22) 7; Rosenzweig (n 34) 3-4.
85 Hoffman & Levite (n 22) 8; Blair and others (n 36) 9.
86 Blair and others (n 36) 9.
87 Ibid.

a.
Honeypots, Tarpits and Sandboxes

Honeypots are isolated servers in the defender’s own system that are designed to attract and decoy intruders and allow for observation of the intruder while restricting access to other areas of the computer system.88 A well-designed honeypot contains nothing of worth but gives the impression that it holds valuable assets, which has the benefit that the hacker will waste time and resources.89 Furthermore, honeypots allow the defender to collect evidence and intelligence on hackers’ behaviour, which can be used for the development of countermeasures without putting the crown jewels of a company at risk.90 Tarpits are designed to act as barriers that slow down or stop and examine suspicious incoming network traffic.91 Everyday network traffic is usually slightly delayed, and tarpits purposely increase this delay significantly in order to make analysis, deterrence or denial of malicious network traffic possible.92 Sandboxes are parallel networks in the defender’s system that look exactly like the company’s real network but are in fact completely separated from it.93 The parallel network contains nothing valuable that can be stolen or compromised by the hacker.94 The difference with honeypots is that honeypots are designed to attract and divert attackers, while sandboxes are used when a private actor suspects that its software already contains malware.95 Sandboxes are then used to completely isolate the process that is suspected of infection for evaluation and to make sure that the rest of the IT infrastructure remains unaffected.96 Similarly to honeypots, sandboxes can be used to waste the time and resources of attackers, manage their activity and gather intelligence about their behaviour.97

b.
Threat Hunting

Threat hunting is the process of manually and proactively searching through networks in order to find and remove malicious actors that have already managed to breach passive security measures.98 The key is to identify the hacker as early as possible in order to mitigate the cost of compromised data.99 Threat hunting requires that actionable procedures and responses are ready to be used to expose and eliminate both dormant and active threats in networks.100

88 Hoffman & Levite (n 22) 8; Blair and others (n 36) 11.
89 James Kaplan and others, Beyond Cybersecurity: Protecting Your Digital Business (John Wiley & Sons 2015), 136.
90 Hoffman & Levite (n 22) 8; Blair and others (n 36) 11.
91 Hoffman & Levite (n 22) 8.
92 Kaplan and others (n 89) 136.
93 Ibid.
94 Ibid.
95 Panda Mediacenter, ‘What is the difference between sandboxing and honeypots?’ (Panda Mediacenter, 12 September 2018) <https://www.pandasecurity.com/mediacenter/security/differencesandboxinghoneypots/#:~:text=So%2C%20whi le%20the%20goal%20of,the%20rest%20of%20the%20company> accessed 14 July 2020.
96 Ibid.
97 Kaplan and others (n 89) 136.
98 Ibid.
99 Robert Lee and Rob Lee, ‘The Who, What, Where, When, Why and How of Effective Threat Hunting’ (2016) SANS Institute: Information Security Reading Room Whitepaper, 12.
100 Blair and others (n 36) 10.

c.
Beacons and Dye Packs

Digital beacons or watermarks are strings of code that can be embedded into files that contain confidential data.101 Beacons act as an integrated burglar alarm when an unauthorized actor attempts to access or delete a beaconed file on a network.102 This technique can be particularly helpful for establishing attribution of a hack.103 At the same time, this technique carries more risk of collateral damage and privacy violations if it is not carried out with sufficient precision, because the beacon can potentially operate outside of the defender’s network.104 Dye packs are often confused with beacons in the cybersecurity context, since they are similar in the sense that they enable information collection about the hacker’s computer.105 However, the use of dye packs is regarded as a riskier strategy from a legal perspective, since they place malware on the attacker’s computer after exfiltration of the sought information.106

d. Dark Net Intelligence Gathering

Dark net intelligence gathering is a form of active cyber defence that does not require direct or indirect technical interaction with the attacker, but still requires a pro-active search operation that can be useful to collect information and evidence on malicious hackers.107 The dark net can serve as a source for security experts to gather intelligence about criminal activities.108 Cybersecurity specialists are increasingly realizing that information stored on the dark net can be used for the development of defensive strategies or for finding information about past successful security breaches that may not have been discovered yet.109 This way, security experts may be able to discover breaches of their network and focus their searches on vulnerabilities that are as yet unknown.110

e.
Sinkholing and Botnet Takedowns

Sinkholing is the redirection of malicious network traffic to a system that is controlled by the defender.111 Security analysts are then able to analyse the captured malicious data.112 Sinkholes are a popular method for neutralizing denial-of-service (DoS) attacks by botnets.113 Once a botnet is discovered, its traffic is analysed by IT security experts in order to determine which server is controlling the bots.114 After identifying the command and control server, the malicious botnet traffic originating from that server is redirected into the sinkhole.115

101 Ibid.
102 Hoffman & Levite (n 22) 8.
103 Blair and others (n 36) 10.
104 Ibid.
105 Ibid, 53.
106 Ibid, 60.
107 Hoffman & Levite (n 22) 8.
108 Ibid.
109 Ibid.
110 Blair and others (n 36) 10.
111 Hoffman & Levite (n 22) 8.
112 Ibid.
113 Andrew Kozloski, ‘Sinkholing: a critical defensive tool’ (Hitachi, 5 December 2015) <https://www.hitachisystems-security.com/blog/sinkholing-a-critical-defensive-tool/> accessed 15 July 2020.
114 Ibid.
115 Ibid.

2.5 Active Cyber Defence as an Enhancement of Cybersecurity

The aforementioned active cyber defence measures are naturally simplified, and in practice they may be carried out in a less or more aggressive fashion or in combination with other cybersecurity measures.
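The sinkholing technique described under item e of the typology above is most often implemented at the DNS layer: the defender's own resolver answers queries for known command-and-control domains with the address of a machine the defender controls, so infected hosts connect to the sinkhole instead of the attacker's server and can be identified from the resolver's log. The following is an added illustration of that mechanism, not code from the thesis or its sources; the blocklist, the sinkhole address 10.0.0.250 and the client addresses are constructed for the example, and the DNS packets are built and parsed by hand so the block runs offline.

```python
"""DNS sinkhole: answer queries for known command-and-control domains with a
defender-controlled address and log which internal host asked.

Added illustration of the sinkholing technique; the blocklist, addresses and
packets below are constructed for the example, not taken from the thesis.
"""
import socket
import struct
from collections import Counter

SINKHOLE_IP = "10.0.0.250"        # assumed defender-controlled sinkhole host
# Constructed blocklist of C2 domains (in practice fed from threat intelligence).
BLOCKLIST = {"evil-c2.example", "bot-update.example"}


def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet, offset):
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels).lower(), offset + 1
        if length & 0xC0:             # compression pointers never appear in a question
            raise ValueError("compressed name in question section")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, txid=0x1234):
    """Build a standard A query, as an infected client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def is_sinkholed(name):
    """Match the name itself or any parent domain against the blocklist."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def handle_query(packet, client_ip, log):
    """Return a sinkhole response for blocklisted A queries, else None
    (meaning the resolver should forward the query upstream as usual)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        return None
    qname, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    if qtype != 1 or qclass != 1 or not is_sinkholed(qname):
        return None
    log.append({"client": client_ip, "qname": qname})   # the evidence analysts review
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # response, RD+RA, 1 answer
    question = packet[12:offset + 4]
    # Answer RR: pointer to the question name (offset 12), type A, class IN, TTL 60, 4-byte RDATA
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def answer_ip(response):
    """Extract the A record address from a response built by handle_query."""
    _, offset = decode_name(response, 12)
    offset += 4                       # skip QTYPE and QCLASS of the echoed question
    rdlength = struct.unpack("!H", response[offset + 10:offset + 12])[0]
    return socket.inet_ntoa(response[offset + 12:offset + 12 + rdlength])


def infected_hosts(log):
    """Summarise sinkhole hits per internal client: the analysis step."""
    return Counter(entry["client"] for entry in log)


if __name__ == "__main__":
    hits = []
    for client, name in [("192.0.2.10", "evil-c2.example"),
                         ("192.0.2.10", "update.bot-update.example"),
                         ("192.0.2.11", "www.example.org")]:
        resp = handle_query(build_query(name), client, hits)
        print(client, name, "->", answer_ip(resp) if resp else "forward upstream")
    print(dict(infected_hosts(hits)))
```

Two design points matter for a defender. The match is on the whole domain tree below each blocklisted name, because bots typically use rotating subdomains of one C2 domain; and every hit is logged with the querying client, since the point of the sinkhole is not only to cut the connection but to turn resolver traffic into a list of hosts to clean. The sinkhole host itself should only be reachable from the internal network, so that redirected traffic never leaves the defender's own systems.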
Moreover, the described active defence measures may not always be relevant or suitable for every cyber incident.116 For example, a hack-back operation is probably not the best-suited response to a large-scale DDoS attack such as the one that took place in Estonia in 2007, because it would not be feasible to hack back the millions of zombie computers used in the attack.117 As such, active cyber defence should be seen as complementary to passive cybersecurity measures rather than as an alternative.118 If undertaken responsibly, active cyber defence offers viable measures and unique advantages to enhance the overall cybersecurity of non-state actors compared to implementing mere passive defensive measures.119 For starters, active defence provides defenders with a greater range of options and flexibility to engage the attackers.120 Active cyber defence can also aid in gathering threat intelligence and establishing attribution through the use of techniques and strategies such as beacons and dark net intelligence gathering, which can be very helpful in protecting critical assets. Similarly, active cyber defence can be a useful tool to disrupt and mitigate incoming or ongoing cyber-attacks through the use of honeypots, tarpits, sandboxes, threat hunting and sinkholes. These specific measures could thus be regarded as more favourable than hacking back, since they do not require defenders to go outside of their own networks and are therefore less risky. It also shows that viable measures other than hacking back exist that would allow defenders to disrupt and mitigate cyber-attacks after the defender’s network has been penetrated. As such, it should be acknowledged that, to some degree, such active cyber defence measures can increase the costs imposed on malicious hackers by making it more complicated for them to steal confidential information and increasing the likelihood that they will be identified and exposed.
In particular, the use of beacons and dye packs can be an effective strategy to identify malicious actors and establish attribution.121 Finally, at the far end of this spectrum, a hack back can be deployed to retaliate against the attacker for a variety of purposes, such as deterring attackers, establishing attribution, behavioural monitoring or disrupting attacks. These functions taken together shape a broad and advanced pro-active strategy that non-state actors can take towards their cybersecurity operations, with hacking back being regarded as the most aggressive and risky measure from a technical and legal point of view.

116 Dewar (n 34) 9.
117 Emily Tamkin, ‘10 Years After the Landmark Attack on Estonia, Is the World Better Prepared for Cyber Threats?’ (Foreign Policy, 27 April 2017) <https://foreignpolicy.com/2017/04/27/10-years-after-the-landmarkattack-on-estonia-is-the-world-better-prepared-for-cyber-threats/> accessed 16 July 2020.
118 Hoffman & Levite (n 22) 9.
119 Ibid.
120 Ibid, 10.
121 Ibid, 10-11.

2.6 Limitations of Active Cyber Defence

At the same time, one must acknowledge that active cyber defence has inherent limitations and risks, and therefore should not be taken as gospel. First and foremost, the legal issues with hack-back operations have already been covered in this thesis: such operations expose defenders to the risk of criminal prosecution.
However, there are also legal risks involved with other aggressive active cyber defence measures such as beacons and dye packs, since they may involve operations that take place outside of the defender’s network.122 Secondly, there are doubts about the effectiveness of active cyber defence measures as a deterrent, since the implemented measures must be secret in order for them to be effective.123 If malicious hackers know that honeypots, sandboxes, tarpits or beacons are used by the defender, that could enable them to reverse engineer the defensive software or circumvent it.124 In such cases, less aggressive active defence measures can thus be deemed ineffective, which arguably makes a case for a stronger response in the form of hacking back. However, the efficacy of a hack-back operation can also be called into question if its purpose is to delete or retrieve stolen data, since there is no way of confirming that no additional copies exist, and stolen data should therefore be considered compromised for good.125 Similarly, hacking back does not fix security systems or restore the trust in the integrity of the information systems that has been lost.126 Thirdly, active cyber defensive measures are extremely resource-intensive for defenders.127 For instance, honeypots must be consistently monitored and maintained in order to ensure that there are no leaks out of the segmented network and that no suspicion is raised among malicious hackers.128 Similarly, hack-back operations require the employment of security specialists with hacking skills that are at least equal to those of malicious actors, and hiring such security experts with a high degree of knowledge will be a difficult and costly exercise.129 As such, smaller firms may have the resources to implement passive cybersecurity measures and less aggressive active cyber defence measures, but a riskier and more aggressive measure such as hacking back may only be a feasible option for big technological and
cybersecurity firms with the technical capacity to hack back.130 One could therefore posit that there is an inequality of access to active cyber defence measures once they become more aggressive, resource-intensive and technically complex. The implementation of active cyber defence measures should therefore always be considered carefully, and the potential costs and risks should be balanced against the potential gains.131 In this context, hacking back is often regarded as the riskiest of all active cyber defence measures, and non-state actors should perhaps be reluctant to deploy a hack-back operation, especially if the attack can be efficaciously mitigated through alternative and less risky active cyber defensive or passive defensive measures.

122 Dewar (n 34) 9.
123 Ibid.
124 Ibid.
125 Lin (n 23) 21.
126 Ibid.
127 Dewar (n 34) 9.
128 Ibid.
129 Ibid.
130 Bannelier & Christakis (n 24) 67.
131 Ibid.

2.7 Concluding Remarks

This chapter has focused on understanding what hacking back entails and illuminating its position within the wider spectrum of passive and active cyber defensive measures that non-state actors may deploy to bolster their cybersecurity regime. Hacking back is regarded as the most aggressive form of active cyber defence, as it aims at obtaining remote and unauthorized access to the attacker’s computer or network. However, the legal risks involved with hacking back, as well as its technical feasibility and costs, must be carefully considered before its deployment. As such, defenders should consider first using other forms of passive and active cyber defensive measures if these can be perceived as efficacious in mitigating ongoing digital threats without requiring defenders to engage attackers outside the defender’s network. Non-state actors should therefore ensure the implementation of various forms of passive cybersecurity measures such as basic intrusion-detection systems, firewalls, anti-virus software and other similar traditional security systems.
On top of that, the deployment of various active cyber defence measures can increase resilience against the more targeted and sophisticated forms of cyber-attacks, with hacking back possibly serving as a final measure if other forms of cybersecurity measures are deemed inefficacious in mitigating the attack. After all, despite the legal risks and technical difficulties, hacking back may be advantageous for establishing attribution, gathering behavioural intelligence and disrupting attacks. Taking these considerations into account, non-state actors would do well to take a goal-orientated approach in deciding which cybersecurity measures to use when responding to malicious cyber-attackers, as well as analysing the potential costs and benefits involved with the implementation of each given measure.

Chapter III – Hacking Back and the ACDC bill in the United States

3.1 Introduction

So far, the US is the only known country where legislators are actively contemplating decriminalizing hacking back by non-state actors, through its much debated ACDC bill, which aims to amend the Computer Fraud and Abuse Act (CFAA). However, this decriminalization does not give private entities carte blanche to engage in hacking back whenever and however they wish. Rather, the ACDC bill provides a set of specified conditions under which a non-state actor may engage in hacking back without being subjected to criminal prosecution. However, at the time of writing, it is still uncertain whether the ACDC bill will be enacted into law, as the US Congress has not yet voted on the bill. Nevertheless, the creation of the ACDC bill illustrates that the debate concerning the practice of hacking back has become highly prominent in the US and showcases a possible novel legal approach to this practice. This chapter will first provide a descriptive analysis of the current CFAA framework that criminalizes hacking under US law.
Subsequently, a descriptive analysis will be provided of how the ACDC bill would amend the CFAA framework and decriminalize hacking back under certain conditions. Finally, the chapter will explore what arguments for and against decriminalizing hacking back can be inferred both from the ACDC bill and from academic literature.

3.2 The CFAA Framework

The CFAA is incorporated in title 18 of the United States Code under section 1030, which criminalizes various forms of hacking in the US. More specifically, the CFAA stipulates under section 1030(a)(2) that it is illegal for anyone to “intentionally access a computer without authorization or exceeding authorized access, and thereby obtain information from any protected computer”. Furthermore, section 1030(a)(5) CFAA criminalizes an intruder who “(a) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer, (b) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (c) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss”. The CFAA was enacted with the purpose of protecting sensitive information by enabling the prosecution of those that access this information without authorization or exceed their authorized access.132 Online intruders that violate any of these computer trespassing norms are subject to both civil and criminal prosecution under the CFAA for illegally accessing a protected computer.133 However, the term “protected computer” must first be examined in order to understand which computers enjoy legal protection under the CFAA. Furthermore, the concepts of damage and unauthorized access under the CFAA will be discussed briefly hereafter.

132 Gandhi (n 25) 291.
133 Smith (n 34) 182.
3.2.1 Protected Computers

The CFAA defines a computer as “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device”. Under section 1030(e)(2)(B) CFAA the term “protected computer” is defined as a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States”. The US government has stated that a protected computer under the definition of the CFAA means any computer that has an internet connection, which has been upheld in several court cases.134 For instance, in United States v. Nosal the court stated that a protected computer is a computer that is “affected by or involved in interstate commerce”, which effectively amounts to all computers that are connected to the internet.135 This is in line with the notion that computers with an internet connection are part of “a system that is inexorably intertwined with interstate commerce” or communication and thus enjoy legal protection under the CFAA.136

3.2.2 Damage

The CFAA defines damage under section 1030(e)(8) as “any impairment to the integrity or availability of data, a program, a system, or information.” However, the CFAA does not provide any definitions for impairment, integrity or availability.
Courts in the US have established damage in cases where the defendant’s actions decrease a plaintiff’s capacity to utilize computer systems or data.137 Such examples include sending thousands of emails to one inbox in order to impair the user’s capacity to access his “good” emails, or a program that deletes files and thereby impairs the integrity and availability of programs and data on computers.138 Furthermore, the minimum amount of damage required to have a claim under the CFAA is $5,000, as stipulated under section 1030(c)(4)(A)(i)(I), which includes costs of responding to an incident (e.g. damage assessments and restoration of data and systems) and lost income or other consequential damages.139

134 United States v. Yücel 97 F. Supp. 3d 413 (S.D.N.Y. 2015). See also United States v. Fowler, Case No. 8:10-cr-65-T-24 AEP (M.D. Fla. Oct. 25, 2010); Multiven, Inc. v. Cisco Systems, Inc., 725 F.Supp.2d 887, 891–92 (N.D.Cal.2010).
135 United States v. Nosal, 676 F.3d 854, 859 (9th Cir.2012).
136 United States v. Trotter 478 F.3d 918 (8th Cir. 2007).
137 Brenda Sharton, Gabrielle Gould & Justin Pierce, ‘Key Issues in Computer Fraud and Abuse Act (CFAA) Civil Litigation’ (2018) Thomson Reuters, 4.
138 United States v. Carlson, 209 Fed. App’x 181, 185 (3d Cir. 2006); International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (2006) at 419–20.
139 Sharton (n 137) 5.

3.2.3 Unauthorized Access

The CFAA does not provide a definition for access “without authorization”, but in general courts interpret this narrowly as obtaining access to, or causing damage to, a computer without permission from either an authorized user or the system owner.140 For instance, a student who uses a hacking program to remotely enter a university’s internal computer system for the purpose of stealing social security numbers would be interpreted as accessing a computer “without authorization”.141

3.3 The ACDC Bill

The ACDC bill (H.R. 4036) was first introduced to Congress in the US on 12 October 2017 by representatives Tom Graves and Kyrsten Sinema. The bill did not receive a vote by Congress at the time, which resulted in its reintroduction on 13 June 2019 (H.R. 3270). However, the vote by the current Congress is still pending. The bill has two distinct functions. Under section 3 the bill would specifically regulate the use of attributional technologies, such as beacons, in order to obtain locational or attributional information on cyber-attackers. Moreover, under section 4 the bill would essentially allow victims of persistent unauthorized intrusions to hack back their cyber-attackers. At first sight this may seem rather straightforward, but the act of hacking back is tied to multiple (problematic) conditions and several linguistic ambiguities exist within the ACDC bill, which will be discussed hereafter.

3.3.1 Conditions for Hacking Back under the ACDC Bill

The ACDC bill does not mention the term “hacking back”, but rather speaks of active cyber defence measures. However, in the context of this bill active cyber defence measures and hacking back amount to the same conduct, namely any measure by the defender that consists of the “accessing without authorization of the computer of the attacker”.
In this context, a defender is qualified as “a person or an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer”, while an attacker is defined as “a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer”.142 The bill stipulates under section 4(l)(3)(B)(i)(II) that the hack back operation can only be used for the purpose of (1) establishing attribution “to share with law enforcement and other United States Government agencies responsible for cybersecurity”, (2) disrupting a “continued unauthorized activity against the defender’s own network” and (3) monitoring “the behaviour of an attacker to assist in developing future intrusion prevention or cyber defence techniques”. However, under section 4(l)(3)(B)(ii) the defender is not allowed to engage in hacking back in order to (1) intentionally destroy information that is stored on third party computers, (2) “recklessly cause physical injury or financial loss”, (3) create “a threat to public health or safety”, (4) intentionally exceed “the level of activity required to perform reconnaissance on an intermediary computer to allow for attribution of the origin of the persistent cyber intrusion”, (5) intentionally and remotely access an intermediary’s computer, or (6) intentionally cause a “persistent disruption to a person or entities internet connectivity resulting in damages”.143 The term “intermediary computer” is defined as a “person or entity’s computer that is not under the ownership or primary control of the attacker but has been used to launch or obscure the origin of the persistent cyber-attack”.

140 United States v. Thomas, 877 F.3d 591, 598 (5th Cir. 2017); United States v. Nosal, 844 F.3d at 1028.
141 United States v. Phillips, 477 F.3d at 220-21.
142 Section 4 ACDC bill (H.R. 3270).
This is particularly important as hackers will often use hordes of “zombie computers” that belong to innocent persons to attack defenders in order to obscure the true source of the attack.144 On top of that, section 5 of the bill provides a notification requirement for hacking back. More precisely, this notification requirement obligates the defender to notify the FBI National Cyber Investigative Joint Task Force of an intended hack back operation and to receive a reply from the FBI acknowledging receipt of the notification prior to engaging in hacking back. This notification should contain information regarding (1) the type of breach that the defender was a victim of, (2) the goal of the intended hack back operation, (3) actions the defender intends to take in order to preserve evidence of the attacker’s intrusion, (4) actions the defender intends to take in order to prevent damage to intermediary computers and (5) any other information the FBI may request.145

3.3.2 Definitional and Linguistic Ambiguities

Since the bill is the first attempt at legalizing hacking back, it is unsurprising that several definitional and linguistic ambiguities exist that still need more clarification. However, it would be beyond the scope of this thesis to analyse the potential shortcomings of every single phrase in this bill. Rather, the aim is to illustrate that drafting a piece of legislation that legalizes hacking back is an incredibly complex exercise and will require detailed elaboration and guidance on the scope of the retaliatory actions that non-state actors may or may not take when engaging in a hack back operation. Under the bill a defender must be a victim of a “persistent unauthorized intrusion”. However, it is unclear what “persistent” in this context entails. For instance, how many times or for what duration should a defender be a victim of an intrusion in order to meet this criterion?
One may even wonder why an unauthorized intrusion must be persistent and why singular intrusions are seemingly excluded.146 For instance, there may be a case of a brief one-off intrusion that has a high impact, while there might be more prolonged intrusions that have little to no impact.147 In any case, the use of the word “persistent” is problematic because it leaves so much room for interpretation that it becomes a big question mark for defenders whether they would be able to rely on this legislation to legally hack back.148

Another problematic aspect is the access without authorization by the defender of the “computer of the attacker”. In this context it is important to note that a chain of computers may have been used by the attacker in order to conceal the true source of the intrusion.149 The bill recognizes that defenders may have to “perform reconnaissance” on intermediary computers in order to establish attribution, which presumably requires the collection of information about the target networks or systems without obtaining remote access, but in the end it may still prove difficult, if not impossible, for defenders to establish whether such intermediary computers are under the control of the attacker or have been used in the attack.150 After all, cyberspace provides malicious actors with anonymity through obfuscation techniques such as VPN services, and digital evidence is prone to manipulation, which exacerbates the complexity of the issues at hand.

143 Ibid.
144 Lin (n 23) 13.
145 Section 5 ACDC bill (H.R. 3270).
146 Chesney (n 50) 101.
147 Robert Chesney, Legislative Hackback: Notes on the Active Cyber Defense Certainty Act discussion draft (Lawfare Blog, 7 March 2017) <https://www.lawfareblog.com/legislative-hackback-notes-active-cyber-defensecertainty-act-discussion-draft> accessed 6 September 2020.
148 Cook (n 33) 217.
Furthermore, the fact that the bill stipulates that defenders are not allowed to “intentionally” obtain remote access to an intermediary’s computer only muddies the water further, since this suggests that unintentional remote access might actually be permissible.151 As such, it might be a defence against liability for defenders to claim that they did not intend the result of their actions, and this may therefore incentivize more risky retaliatory behaviour.152 More concerns regarding definitional and linguistic ambiguity in the bill can obviously be raised. For instance, defenders are not allowed to destroy information, but the bill does not speak of forbidding modification of data or rendering it unavailable by encrypting it.153 Moreover, the exceptions to liability protection for “threats to public health or safety” or actions that intentionally result “in the persistent disruption to a person or entities internet connectivity” are well-meant attempts to limit the risk of collateral damage, but they need more substantiation.154 Questions arise such as what constitutes a “threat”, and once again it is unclear how the term “persistent disruption” should be understood.

3.3.3 Limitation of Liability

A major concern for defenders is that the ACDC bill under section 4(l)(1) only provides protection against criminal liability. However, defenders that engage in hacking back would still put themselves at risk of facing civil liability, which includes compensatory damages and injunctive relief pursuant to section 4(l)(2). As such, the ACDC bill would only provide an escape from criminal liability, but persons or entities that would be targeted by the hack back operation can still start a civil claim against the active defender for suffered damages.155 Thus, the ACDC bill does aim to limit the risk appetite of defenders to some degree by not providing them with a free pass to hack back without the risk of having to pay compensation for damages caused by hacking back.

149 Chesney (n 147).
150 Cook (n 33) 217.
151 Ibid, 218.
152 Ibid.
153 Chesney (n 147).
154 Cook (n 33) 218.
155 Section 4(l)(2) ACDC bill (H.R. 3270).

3.4 Arguments in Favour of Decriminalizing Hacking Back in the US

Now that the legal frameworks regarding the CFAA and ACDC bill have been described and analysed, this chapter will move on to explore the main arguments in favour of decriminalizing hacking back in the US. These arguments will be inferred from both the ACDC bill and academic literature.

3.4.1 Hacking Back as Self-defence

One of the main arguments in favour of decriminalizing hacking back is based on the ethics revolving around the right to self-defence of one’s own person and property in cases of immediate assault.156 At a conceptual level, it may be argued that the state has a monopoly on the lawful use of violence.157 Thus, the idea is that a “social contract” exists between the state and its citizens whereby citizens abandon their liberty to use violence against each other and transmit this power to the state in exchange for collective security.158 Therefore, one may argue that, if the state fails to deliver this security, the state’s monopoly on violence is transferred back to its citizens.159 As such, the argument could be made that non-state actors may have a right to self-defence in the form of hacking back in cases where the state cannot defend non-state actors from malicious hackers.160 While it is unclear and untested whether a court would accept a self-defence claim for hacking back, it remains an interesting theory used to argue that hacking back could be permissible under certain circumstances. In this sense, one can make an analogy between self-defence in the physical world and in cyberspace.
In general, self-defence is permitted both ethically and legally when there is an ongoing assault against one’s person or property and the state is unable to intervene in time.161 In physical cases, such as fighting off a rapist or a killer, self-defence is a generally accepted exception to the prohibition on harming someone.162 Of course, there are limits to this right, as the victim generally, from an ethical and legal perspective, should adhere to the principles of necessity and proportionality, and this would be no different in the case of hacking back. In this context, necessity would mean that hacking back is a necessary measure in order to prevent greater harm, while proportionality would mean that the hack back operation must be a proportionate response to the severity of the initial attack.163 So even if hacking back is a proportionate response to the severity of the original attack, it would still have to be necessary in the sense that the harm cannot be avoided with less impactful measures (e.g. taking less impactful active defence measures). Thus, it can be argued that in the absence of adequate law enforcement and a lack of effective active cybersecurity measures it could be permissible to hack back in cases of ongoing and immediate intrusions into one’s network.164 This may also explain why the ACDC bill speaks of a “persistent unauthorized intrusion”, because if the intrusion is not persistent and ongoing it would be difficult to argue that hacking back would be necessary and proportional.

156 Lin (n 23) 10.
157 Ibid, 8.
158 Ibid.
159 Ibid.
160 Ibid.
161 Ibid, 12.
162 Ibid.
163 Ibid.
164 Ibid, 11.
Thus, the question remains whether self-defence could be claimed if the defender retaliates after the cyber-attacker has ceased the attack.165 Moreover, complications exist when applying a right to self-defence in cyberspace, as the identity and location of the attacker may be unclear, as well as what the level of threat is and whether the attacker is still present inside the defender’s network.166 These factors would undoubtedly influence the extent to which hacking back would be permissible under a self-defence claim, if permitted at all.167

3.4.2 Hacking Back as Compensation for Ineffective Law Enforcement

The next argument builds further upon the previous ethical argument, but focuses more concretely on the pragmatic advantages that hacking back would provide. It is well known that time-consuming and unsuccessful prosecutions, slow courts and a general lack of resources and expertise of law enforcement to combat cybercrime have allowed hackers to wreak havoc across the internet.168 Moreover, it has been asserted that law enforcement is largely ineffective in combatting cybercrime.169 This is also exemplified in the ACDC bill, which mentions that in 2017 the Department of Justice only managed to prosecute 165 cases of computer fraud.170 In light of these concerns, hacking back would have the advantage of being a faster and more efficient response.171 Rather than waiting for law enforcement to intervene and take action, hacking back would enable an immediate response in order to identify the source of the attack, disrupt the attack and possibly monitor the behaviour of the attackers in order to gain insights which may be helpful to develop future defensive techniques.172 The advantages of hacking back were also most notably illustrated by Google’s response in Operation Aurora.
After the hackers stole and altered Google’s source code, Google hacked back in order to disrupt the attack and identify its source.173 This allowed Google to establish that more than thirty other companies were hacked and to share this valuable information with law enforcement and the affected companies.174 The Google case therefore also serves as an example of the possible collective benefits that can be reached by a private actor hacking back.

3.4.3 The Deterrence Effect and Retributive Justice

Proponents of hacking back state that hacking back will have a deterrent effect on malicious hackers.175 The idea is that a swift and far-reaching response by the defender will impose increased risks and costs on the attacker, which may deter them from engaging in future cyber-attacks.176 This is again reinforced by the notion that law enforcement currently is largely ineffective in combatting cybercrime,177 and deterring malicious actors by hacking back may therefore be a mitigating defensive measure for private actors in this context.

165 Ibid, 12.
166 Ibid, 11.
167 Ibid, 12.
168 Bannelier & Christakis (n 24) 61.
169 Messerschmidt (n 2) 14.
170 Section 2(2) ACDC Bill (H.R. 3270).
171 Ibid.
172 Ibid; See also section 4(l)(3)(B)(i)(II) ACDC bill (H.R. 3270).
173 Drummond (n 1); Sanger & Markoff (n 3); Mauer (n 3).
174 Ibid.
175 Bannelier & Christakis (n 24) 62.
However, the effectiveness of deterrence depends on the severity and certainty of negative consequences; one can imagine that a successful hack-back operation could increase the risk for attackers of being located and identified, which could prove to be a powerful deterrent.178 This is also one of the arguments used by the US Congress in the ACDC bill, as it states that hacking back can assist in improving defences and deterring cybercriminals.179 On top of that, hacking back would allow for the establishment of a basic sense of retributive justice by striking back and increasing the risk of exposure for cybercriminals.180 On the other hand, hacking back might not be much of a deterrent for hackers that are solely motivated by ideological interests, such as terrorists or political hackers who are working for nation states.181

3.4.4 Concerns on the Effectiveness of Traditional Forms of Cybersecurity

It is generally acknowledged that basic cybersecurity measures such as firewalls, anti-virus software, strong passwords and patching of computers are necessary to ensure a decent level of cybersecurity.182 However, against the most targeted and sophisticated attacks they will generally not offer an adequate level of protection.183 As stated in chapter 2, passive cybersecurity measures and even some active cybersecurity measures such as honeypots may be circumvented by cyber-attackers, which might warrant a stronger response by the defender in order to deter attackers. In such cases, hacking back might be the only option left to prevent further damage. Hacking back may therefore prove to be a complementary technique that provides defenders, under government oversight, with more options to defend themselves and deter attackers.184

3.5 Arguments Against Decriminalizing Hacking Back in the US

Now that the main arguments in favour of decriminalizing hacking back have been discussed, this chapter will move on to the arguments against decriminalizing hacking back.
3.5.1 Risk of Escalation

A major practical concern is the risk of escalation and unintended consequences of cyber conflicts that may be triggered by a hack back operation.185 For defenders it can be very hard to estimate how an attacker might respond to being hacked back.186 The use of offensive techniques against non-state actors that are located in foreign states, or even against states themselves, might trigger an international escalation of vicious countermeasures and diplomatic tensions.187 Furthermore, one can also imagine that innocent bystanders that suffer damage from the hack-back operation might retaliate, or even that nation states would retaliate on behalf of their legal or natural persons.188 One can even imagine that malicious hackers may pretend that they were only responding to an initial attack by hacking back.189 As such, it is clear that decriminalizing hacking back would blur and complicate the lines between victims and perpetrators.190 Thus, allowing non-state actors to pursue justice themselves might do more harm than good for the security of the internet.

176 Ibid.
177 Brenner & Clarke (n 11) 7.
178 Huang (n 46) 1247.
179 Section 2(6) ACDC Bill (H.R. 3270).
180 Lin (n 23) 21.
181 Bannelier & Christakis (n 24) 67-68.
182 Section 2(5) ACDC Bill (H.R. 3270).
183 Blair and others (n 36) 9.
184 Lin (n 23) 5.
185 Bannelier & Christakis (n 24) 64.

3.5.2 Difficulties in Establishing Attribution and Risk of Collateral Damage

The establishment of attribution of a cyber-attack is another complex issue that opponents of hacking back raise as an objection.
Before launching a hack back operation, knowledge is needed of the identity of the attacker in order to prevent retaliation against the wrong party.191 It is notoriously difficult to establish attribution in cyberspace with a high degree of certainty, and the faster the response, the likelier it becomes that the defender retaliates without taking enough time to ensure that the suspected computer is indeed the true source of the attack.192 The ACDC bill acknowledges this concern, as only “qualified defenders with a high degree of confidence in attribution” should be allowed to hack back, while they must also be extremely cautious not to impact any intermediary computers.193 Nevertheless, attribution is rarely fully certain, as cybercriminals can route attacks through intermediary “zombie” computers belonging to innocent persons or use fake IP addresses in order to conceal the true source of an attack.194 Thus, cybercriminals may try to manipulate defenders by leaving altered evidence of the attack that will lead them in false directions. As such, hacking back is problematic since the ability to respond promptly to a cyber-attack is deeply compromised by the technical complexities and lack of certainty associated with establishing attribution in cyberspace. The resulting errors in attribution can lead to significant damage and compromises of the integrity of computer systems of innocent parties.195 While the ACDC bill does allow parties to claim civil damages against parties that wrongfully attributed cyber-attacks, it is arguably undesirable to incentivize victims of cyber-attacks to risk damaging innocent third parties by making hacking back a legalized practice.

186 Lin (n 23) 14.
187 Bannelier & Christakis (n 24) 64; Adam Elkus, ‘When companies hack back’ (NewAmerica, 18 June 2015) <https://www.newamerica.org/weekly/when-companies-hack-back/> accessed 13 September 2020.
188 Ibid.
189 Bannelier & Christakis (n 24) 66.
190 Ibid.
191 Lin (n 23) 12.
192 Ibid, 13.
193 Section 2(10) ACDC Bill (H.R. 3270).
194 Ibid.
195 Bannelier & Christakis (n 24) 66.

3.5.3 Issues of Extra-territoriality

Hacking back would also be highly problematic in the case of cross-border operations. As mentioned in section 2.3, most countries have criminalized hacking, and therefore any person who hacks back a foreign entity is likely to violate the domestic law of the country where that foreign entity is located, which is also acknowledged in the ACDC bill.196 As such, a cross-border hack back operation could have far-reaching consequences. For instance, affected states could issue arrest warrants and make requests for extradition against the person who started the hack back operation.197 This is also enabled by instruments in the Cybercrime Convention which regulate mutual assistance and extradition between signatories.198 Moreover, even if the US were to decriminalize hacking back, this would still not solve the aforementioned extra-territorial legal problems that would arise in cases of cross-border operations. Thus, non-state actors that engage in cross-border hack back operations may expose themselves to possible criminal sanctions by foreign jurisdictions.

3.5.4 Risk of Degradation of State Authority

Decriminalizing hacking back would mean that the state’s exclusive monopoly on the legitimate use of force is eroded to some extent, which could give rise to vigilantism and anti-social behaviour in cyberspace.199 The authority of the state is based on the idea that we have substituted institutional justice for private justice, which is also known as the “social contract”.200 Decriminalizing hack back would therefore break this social contract and allow non-state actors to seek justice themselves, which, in a sense, would erode the rule of law. As previously mentioned, this may lead to escalatory cycles of counterattacks and dramatically increase the risk of collateral damage for innocent parties.
If decriminalized, the state’s involvement in the disruption of cyber-attacks or the collection and analysis of evidence would be minimized, which ultimately would be a confession of its incapacity to police cybercrime and thereby undermine its authority.201

3.5.5 Risk of Interference with Ongoing Investigations

Similarly, hacking back poses risks to ongoing investigations of the state against cybercriminals.202 For instance, a non-state actor that takes action against a malicious hacker could jeopardize ongoing investigations by law enforcement against the same cybercriminal.203 This risk may be even greater if, for example, the objective of the hack back operation were to delete stolen data, which ultimately may destroy evidence required by law enforcement for prosecution of the cybercriminal.204

196 Bannelier & Christakis (n 24) 73; Section 2(9) ACDC Bill (H.R. 3270).
197 Ibid, 74.
198 See article 24 and 25 of the Cybercrime Convention.
199 Bannelier & Christakis (n 24) 65.
200 Ibid; Lin (n 23) 8.
201 Ibid.
202 Bannelier & Christakis (n 24) 66.
203 Ibid.

3.5.6 Lack of Financial and Human Resources and Potential for Misuse

Finally, one must highlight the inequality that exists between a few big technology companies with extreme financial power and the millions of small and medium-sized enterprises (SMEs).205 As mentioned in chapter 2, for SMEs hacking back might not be a feasible cybersecurity technique due to a lack of financial and skilled human resources, while big tech and cybersecurity companies may have the technical capacity and resources to effectively and safely hack back.206 Moreover, the concern exists that decriminalizing hack back could become a legitimized tool for those big tech companies to engage in cyber-espionage or to damage competitors.207 As such, implementing a legal framework that regulates hacking back may be prone to misuse by cynical parties that will use it as a cover for ulterior motives.

204 Ibid.
205 Ibid, 67.
206 Ibid.
207 Ibid.

3.6 Concluding Remarks

The focal point of this chapter revolved around understanding how the ACDC bill would amend the CFAA for the purpose of decriminalizing hacking back in the US and what arguments in favour of and against such decriminalization can be extrapolated from both the ACDC bill and academic literature. In short, the ACDC bill would enable victims of persistent unauthorized intrusions to hack back for the purposes of (1) establishing attribution, (2) disrupting the ongoing unauthorized intrusion and (3) monitoring the behaviour of the attacker. The underlying debate on the intended decriminalization in the US is complex and requires careful consideration of the advantages and disadvantages of decriminalizing hack back. The most compelling argument in favour of decriminalization is perhaps that law enforcement is indeed ineffective in policing cybercrime and therefore non-state actors require new tools to actively defend themselves from online threats and deter attackers. As such, hacking back would be nothing more than exercising the online right to self-defence in the absence of effective law enforcement, and may result in accomplishing a sense of retributive justice by striking back against the attacker. However, notable risks and disadvantages exist when it comes to hacking back. A major concern is the risk of triggering an escalatory cycle of countermeasures or causing diplomatic tensions with other nation states. The practice may, as a result, also erode the authority of nation states as private parties would seek their own “vigilante” justice, which could lead to unintended consequences. For example, hacking back requires that knowledge is first obtained to accurately identify the source of the attack, but establishing such attribution is notoriously complex in cyberspace, as attackers can be elusive and utilize intermediary computers to carry out attacks. Therefore, a considerable risk exists that defenders retaliate against innocent parties and cause collateral damage which, ultimately, makes cyberspace less secure. Furthermore, private actors might even use hacking back as an excuse to engage in cyber-espionage or cause damage to the information systems of competitors. Hacking back also brings up issues of extraterritoriality, as defenders will likely violate the domestic law of a foreign state in the case of cross-border intrusions. Other concerns include the risk of interference with ongoing investigations and a general lack of financial and skilled human resources to hack back. Thus, the proposal to decriminalize hacking back in the US is based on legitimate shortcomings and concerns in the fight against cybercrime, but strong arguments exist against its decriminalization.

Chapter IV - Assessing the merits of decriminalizing hacking back in the Netherlands

4.1 Introduction

Now that the arguments in favour of and against decriminalizing hacking back have been addressed, it is time to evaluate to what extent they hold up in the Dutch context. In order to do so, the legal and policy position on hacking back in the Netherlands will be analysed, which, in short, can be summarized as an anti-hack back approach for private actors. However, in order to fully evaluate the efficacy of decriminalizing hacking back, it will be necessary to consider how such decriminalization could be given effect in practice by means of regulation. This chapter will therefore also explore what legal conditions can be construed to circumscribe hacking back if it were to be regulated. Finally, it will be evaluated to what extent the current position of the Netherlands against allowing private sector hacking back is justified in light of the arguments against and in favour of its regulation.
4.2 The Dutch Position: No Private Hack-back Allowed

Cybercrime is on the rise in the Netherlands: in 2019 the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) received 902 reports of data breaches attributed to a hack, malware or phishing, which constitutes a 25% increase compared to 2018.208 Especially big organisations that process large amounts of personal data seem to be targeted by malicious hackers.209 Moreover, the most recent data shows that Dutch law enforcement was only able to solve 8.3% of all reported hacking crimes in 2018.210 However, the current legal position of the Netherlands is that hacking back should be avoided and there is no legal leeway for companies to hack back. This position can be derived from three main sources, namely the Dutch Criminal Code, the Cybercrime Convention and the Paris Call for Trust and Security in Cyberspace, which will be briefly discussed hereafter.

208 Autoriteit Persoonsgegevens, ‘Meldplicht datalekken: facts & figures Overzicht feiten en cijfers 2019’ 6.
209 Ibid.
210 Centraal Bureau voor de Statistiek, ‘Cybersecuritymonitor 2019’ 30.

4.2.1 The Dutch Criminal Code

The Netherlands has a general prohibition on hacking, which is contained in article 138ab of the Dutch Criminal Code. This article stipulates that “any person who intentionally and unlawfully gains entry to a computerised device or system or a part thereof shall be guilty of computer trespass and shall be liable to a term of imprisonment not exceeding two years or a fine of the fourth category. Unlawful entry shall be deemed to have been committed if access to the computerised device or system is gained: (a) by breaching a security measure, (b) by a technical intervention, (c) by means of false signals or a false key, or (d) by assuming a false identity.”211 Thus, hacking back would constitute a clear violation of this article, because defenders would both intentionally and unlawfully access the computer of the cyber-attacker.
One might point out that the unlawfulness of such conduct could perhaps still be excused by claiming self-defence under article 41(1) of the Dutch Criminal Code. However, this is a very narrow exception that is traditionally used in cases of physical assault; its application in the context of hacking back is not discussed in the literature and remains untested in court, which is why such a classical self-defence claim under Dutch law will not be considered a viable or valid legal justification for hacking back in this thesis.

4.2.2 The Cybercrime Convention

As mentioned in chapter 2.3, the Cybercrime Convention, under article 2, criminalizes the intentional access to the whole or any part of a computer system “without right”. The Netherlands is one of 65 signatories to the Cybercrime Convention, and the Dutch prohibition of hacking is in line with this provision of the Cybercrime Convention which, in principle, would render hacking back illegal. However, the expression “without right” does give jurisdictions leeway to establish certain legal defences or justifications that would render certain forms of hacking legal. Thus, international law only criminalises hacking in cases where it is done “without right”, which still leaves national jurisdictions the choice to decide who does or does not have this right. This will be relevant to consider when examining possible legal conditions that can be proposed to decriminalize specific forms of hacking back.

4.2.3 The Paris Call for Trust and Security in Cyberspace

On 12 November 2018, the Paris Call for Trust and Security in Cyberspace was established by French president Emmanuel Macron, with 78 states having signed this non-binding declaration at the time of writing. The Netherlands and over thirty other European countries are signatories to the Paris Call, but the US has not signed this agreement.212 The Paris Call lays out common principles that are aimed at securing cyberspace.
Among its goals are the protection of individuals, infrastructure, the internet, electoral processes and intellectual property, and the establishment of international norms for responsible behaviour in cyberspace.213 Most relevantly, the 8th principle of the Paris Call stipulates the following: “no private hack back: take steps to prevent non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors”.214 However, the Paris Call also acknowledges that private sector hack-backs are “an area fraught with ambiguity”, and it is believed that “further elaboration is needed to set clear boundaries around intent, authority, and intrusiveness before government and private actors can implement it”.215 This shows that the issue of disallowing private sector hack-back is not clear-cut and further elaboration is required on what specific forms of hacking back should not be allowed. The Paris Call itself mentions that penetration testing of defensive systems should definitely not be captured by this prohibition, but no further guidance is given on any other forms of hacking back that might be excluded from this prohibition.

211 Article 138ab Wetboek van Strafrecht. The English unofficial translation of the Dutch Criminal Code was retrieved here: <https://www.legislationline.org/documents/section/criminalcodes/country/12/Netherlands/show> accessed 14 January 2021.
212 A complete overview of the signatories can be found here: <https://pariscall.international/en/supporters>.
213 A complete overview of the nine principles stipulated in the Paris Call can be accessed here: <https://pariscall.international/en/principles>.
214 See Principle 8 of the Paris Call.
The fact that the Netherlands, but not the US, has signed this agreement might showcase a divergence in approaches towards internet security, although the exact reasons why the US did not sign are unknown.216 Nevertheless, by signing this agreement the Netherlands agrees in principle that preventing hacking back is one of several measures needed to maintain trust and security in cyberspace. However, it is important to keep in mind that the Paris Call is not a legally binding document and mostly stands as a symbol of diplomacy and international cooperation in cyberspace.

4.3 Considering the Legal Conditions for Regulating Hacking Back

From the previous section it is clear that the Dutch approach to hacking back by non-state actors is that it should be avoided. However, given the arguments that exist in favour of its decriminalization, one can question this approach and consider the merits of regulating hacking back. This section will therefore discuss what legal conditions can be construed to regulate hacking back in the Netherlands by considering and building on propositions that have been made in academic literature and the ACDC bill. In the literature it has been emphasized that a hack back operation should be proportional and necessary,217 but the current literature is also vague and unclear about what this would actually mean in practice. Proportionality and necessity are often used to determine whether someone has a right to interfere with someone else’s right. This may therefore be the most suitable and legally relevant framework for construing a legal defence for regulating hacking back. Theoretically, it would be possible to implement a legal defence for hacking back under national law, since the Cybercrime Convention gives its signatories (including the Netherlands) leeway to establish legal defences for conduct that is done “without right”.
The upcoming section therefore aims to further conceptualize what proportionality and necessity would actually mean in the context of a regulated hack back, especially since this is a point that is vastly under-addressed in the literature. Moreover, given the unique problems that come into play with hacking back, additional conditions will be proposed for its regulation. As such, an alternative approach towards hacking back will be explored in order to make an objective assessment of the efficacy of decriminalizing this practice in the Netherlands.

215 Ibid.
216 Olivia Beavers, ‘US tech companies back Paris cyber agreement opposed by Trump administration’ (TheHill, 13 November 2018) <https://thehill.com/policy/cybersecurity/416465-us-tech-companies-back-paris-cyberagreement-that-us-wont> accessed 19 November 2020.
217 Huang (n 46) 1259; Kesan & Majuca (n 46) 40.

4.3.1 Proportionality

In classical self-defence cases, proportionality means that the self-defensive measure must be in proportion to the severity of the crime.218 In physical real-world cases, this would mean, for instance, that you are not allowed to kill another person who is trying to rob you, since that response would be disproportionate to the initial crime. Conversely, it would be a proportionate self-defence measure to hit someone with a fist in order to fend off an attack.219 However, the question remains what proportionality would mean in the context of hacking back as a self-defensive method against malicious hackers. The natural answer might be that whatever damage the hacker inflicts upon the defender may be inflicted back upon the hacker. However, it should be remembered that hacking back poses unique risks such as escalation of cyber-conflicts, wrongful attribution and subsequent third-party damage.
Thus, a more proportional approach could be proposed by allowing hacking back for only one specific goal: the disruption of an ongoing intentional and unauthorized intrusion of the defender’s computer or network. In such cases, hacking back could be deemed a proportionate response to clear the defender’s system of any unwanted intruders. This could be done, for instance, by shutting down the attacker’s computer or command and control network,220 but proportionality also dictates that defenders should opt for less impactful actions during the hack back operation (e.g. by only shutting down or disrupting the specific software used for the attack) if those will still result in the overall disruption of the attack. Moreover, hacking back for mere retaliatory purposes should be avoided and the practice should thereby be limited solely to instances where the goal is to disrupt an attack. This vastly limits the scope of hacking back, as defenders would only be allowed to engage in hack back operations against ongoing attacks for one specific purpose, in order to prevent private actors from going after suspected attackers long after the initial attack has ended. The ACDC bill also mentioned the establishment of attribution and the monitoring of the behaviour of the attacker, which would assist in the development of improved cyber defensive measures, as legitimate purposes for hacking back. However, it seems disproportionate to allow non-state actors to hack back for the sole purpose of establishing attribution or observing suspected attackers. If hacking back were allowed in order to establish attribution, that would give private actors an incentive to hack third parties without any high degree of certainty. Instead, attribution should be established with a high degree of certainty before hacking back, by performing reconnaissance on suspected (intermediary) computers without remotely accessing them.
Such reconnaissance could be carried out through trace-back technologies such as beacons and other digital forensic technologies, as long as such technologies do not result in the remote access of third-party computers. If attribution cannot be established with a high degree of certainty, then the non-state actor should refrain from hacking back. As such, the standard of proof for legally hacking back should be high in order to prevent companies from engaging in excessive and out-of-control hack back operations. Similarly, hacking back in order to simply observe an attacker’s behaviour seems to be a goal that is not proportionate to the intrusiveness of the measure and could lead to excessive forms of cyber-espionage and misuse. However, in any case, it should be emphasized that the privacy of innocent third parties would still be at risk of being compromised by regulated hack back operations. This risk of violating innocent third parties’ privacy rights should therefore be balanced against the benefit of disrupting ongoing attacks and protecting proprietary information and the integrity of computer systems. Thus, the potential for privacy violations of innocent parties that could be caused by hack back operations should not be underestimated. This calls for hacking back to be used only as a last resort and only in cases where it is truly necessary for the disruption of ongoing attacks, which will be discussed more in depth in the next two sections.

218 Jaap de Hullu, Materieel strafrecht (Deventer: Kluwer 2012) 314.
219 Adrianus J M Machielse, Noodweer in het strafrecht (Amsterdam: Stichting Onderzoek Recht en Beleid 1986) 651.
220 Nicholas Winstead, ‘Hack-Back: Toward A Legal Framework For Cyber Self-Defense’ (American University, 26 June 2020) <https://www.american.edu/sis/centers/security-technology/hack-back-toward-a-legal-frameworkfor-cyber-self-defense.cfm> accessed 25 October 2020.
4.3.2 Necessity

Self-defensive conduct in classical criminal self-defence claims should not only be proportionate, but must also be necessary. This means that if a less intrusive measure can be taken that would still allow an attack to be rendered harmless, then that less intrusive measure is the one that should be chosen.221 In the context of hacking back, this would mean that non-state actors should adopt less intrusive measures than hacking back if those measures would also still allow for the disruption of an attack by a malicious hacker. In practice, this could mean that hacking back would be unnecessary if the attack can be disrupted by removing the attacker from the defender’s network or by fixing the vulnerability, which would put an end to the hacker’s access to the defender’s system. Similarly, defenders could use alternative cybersecurity measures such as honeypots or sandboxes, which would prevent the hacker from having access to the actual company assets and would thereby render the attack harmless. If any alternative forms of cybersecurity, such as the ones mentioned in chapter 2, can be considered efficacious in mitigating attacks, they should take priority over deploying a hack-back operation. Nevertheless, in cases of malicious hacks the time element is a crucial resource that must be considered in the equation.222 This means that in practice defenders will want to disrupt a malicious attack as fast as possible in order to mitigate damages. Technical experts would therefore need to determine which means would be most appropriate to clear the system of intruders in a timely manner. Thus, the bottom line is that hacking back, due to its intrusive character, should be a last resort if all other forms of cybersecurity measures are not effective in disrupting an ongoing attack in a timely manner. This naturally raises the question how likely it is that attacks cannot be disrupted in a timely manner by any means other than hacking back.
This will ultimately depend on the case-specific circumstances and the assessments of technical experts. However, if it proves impossible for technical experts to disrupt an ongoing attack within a reasonable timeframe by using less intrusive cybersecurity measures, hacking back might be considered a proportionate and necessary response to deal with malicious attacks.

221 De Hullu (n 218) 313.
222 Mathew Schwarz, ‘Breach Attribution and 'Hack Back': Don't Waste Time’ (BankInfoSecurity, 14 December 2016) <https://www.bankinfosecurity.com/interviews/yakety-yak-dont-hack-back-i-3414> accessed 25 October 2020.

4.3.3 Additional Conditions

As discussed before, hacking back is associated with risks of misattribution, subsequent privacy violations and third-party damage, escalatory cyber-warfare and potential cross-border ramifications. As such, one could argue that additional conditions should be imposed on non-state actors before they may legally hack back, in order to mitigate these risks. Therefore, one proposition that could be made is that the damage that can potentially be mitigated by hacking back must outweigh the potential damages and privacy violations to third parties.223 This should prevent defenders from engaging in hack back operations where the hacking back has little to no effect in preventing damages or where damages are negligible. As such, hack back operations should be limited to situations where the damages are (potentially) severe if the attack is not disrupted in time. Moreover, defenders should still be subject to civil liability for any damage caused to third parties by hacking back,224 which should also serve as an incentive for defenders to carefully collect sufficient evidence to establish attribution with a high degree of certainty before hacking back.
The term “high degree of certainty” is a subjective norm that would require technical experts to be prudent in establishing attribution in order to minimize the risk of accessing any innocent third party’s computers. Furthermore, non-state actors should refrain from remotely accessing any computer that is not located in the Netherlands, since this would most likely result in the violation of foreign domestic criminal laws on illegal access to computer systems. It could also be recommended to make it mandatory for non-state actors to notify a designated law enforcement or intelligence agency and receive its authorization before hacking back. Such a notification, similarly to the ACDC bill, should specify (1) the type of breach, (2) preserved evidence of that breach used for the establishment of attribution and the intended target of the hack-back operation, (3) actions that will be taken to prevent damage to innocent intermediary computers and minimize damage to the target’s computer and (4) an ex ante justification as to why the hack back operation is a proportional and necessary response.

4.4 Testing the Waters: is the Dutch Prohibition on Hacking Back Justified?

The current Dutch approach towards hacking back by non-state actors is that it should not be allowed, which also seems to be the predominant international consensus. This can be characterized as logical and straightforward due to the many strong arguments that exist against endorsing private sector hack backs. The risk of escalation and repercussions, difficulties in establishing attribution, the risk of collateral damage, the risk of violating domestic and foreign laws, the risk of degradation of state authority, the risk of interference with ongoing investigations and an overall lack of financial and skilled human resources to hack back form the main arguments against allowing non-state actors to hack back.
Since disallowing private sector hack backs seems to be the approach taken by most countries, it would arguably not be appealing for the Netherlands to decriminalize hacking back. After all, the efficacy of hacking back would be greatly limited if non-state actors are not allowed to hack back malicious actors located in other states. In that regard, it is important to note that the ACDC bill has sparked a lot of discussion in the US, but so far it has not actually been passed into law and it remains questionable whether it ever will be. Moreover, it is important to remember the conceptual framework that underpins cyberspace. The borderless, anonymous and de-materialized nature of the internet, and the ability of cybercriminals to route their attacks through computers around the globe with a high degree of sophistication while covering their tracks, will make it very hard for companies to establish attribution. Furthermore, even if attribution can be established, it would still be illegal to hack back in cases where the perpetrator is located on foreign soil, since that would most likely violate foreign domestic laws on computer integrity and illegal access to computer systems. The efficacy of decriminalizing hacking back in one country, such as the Netherlands, would thus be very questionable if there is not some sort of international agreement allowing its use in certain limited cases. In addition, one can question whether companies that have been breached should actually care at all about establishing attribution and hacking back. Ultimately, these private actors are not going to be able to go out and arrest the perpetrators or retrieve their data without it having been permanently compromised. So, from a risk management perspective, companies should ask themselves the classical cost-benefit questions: why should we try to hack back? What are the risks? What can we potentially gain?

223 Majuca & Kesan (n 46) 10.
224 Ibid; Huang (n 46) 1259.
And is this a wise use of corporate funds?225 These are questions that should be considered rationally before even thinking about engaging in a high-risk strategy such as hacking back. When a company is breached, the most valuable resource is time, and companies must therefore consider where to put their focus.226 Is this focus going to be on trying to find out who did it and hacking them back, or on figuring out what happened within the system, documenting it and assessing whether there is a vulnerability that needs fixing to prevent it from happening again? In light of the foregoing, the question remains to what extent Dutch companies would even realistically consider deploying a hack back operation, even if it were legal for them to do so, given its questionable efficacy. However, it is clear that malicious hacks form a real threat to Dutch companies and recent data suggests that Dutch law enforcement is highly unlikely to solve most of these crimes.227 On top of that, it can be argued that hacking back may have a deterrent effect on attackers and provide defenders with an overall sense of basic retributive justice. However, these arguments by themselves, while reasonable, do not truly justify hacking back as a proportional and necessary response to a breach. More pressing circumstances would be needed, which fits the notion that hacking back should only be allowed as a last resort. For instance, one can consider a situation where the system of a hospital is hacked, which renders medical devices inoperable, or a situation where critical infrastructure such as the electrical grid is targeted, which leads to power outages.228 These are situations where malicious hacks can have high-stakes consequences that could result in grave damage and even cost people’s lives, and which therefore require an immediate response. In such cases, one can easily imagine that the potential damages that can be mitigated by hacking back outweigh the potential damages to innocent third parties.
This is the point where hacking back becomes most justifiable and appealing, namely as a response to an ongoing intrusion which must be disrupted as quickly as possible in order to prevent greater harm. Even more so, the argument that private actors must be authorized to disrupt an attack by hacking back becomes more appealing if there are no efficacious alternatives. In this context, it must also be considered that vulnerabilities in our society are both so distributed and so interconnected that the government cannot respond to every attack,229 which would further justify action taken by non-state actors. All in all, the Dutch prohibition on private sector hack backs is understandable and justifiable from the viewpoint of keeping cyberspace a safe and secure space. After all, hacking back carries the risk of creating a chaotic internet environment where unintended consequences actually lead to greater harm instead of preventing it. However, it could be argued that in limited cases a private sector hack back could be justified for the purpose of disrupting an ongoing attack in time, whereby the damage that can potentially be mitigated by hacking back outweighs the potential damage that may be inflicted on third parties. On the other hand, regulating hacking back would create more questions and uncertainty. For instance, how are you going to calculate the potential damages that can be mitigated by hacking back or the damages potentially suffered by third parties? Or how are you going to define what constitutes a “high degree of certainty”? Similar questions have come up with the introduction of the ACDC bill in the US and would undoubtedly also be posed if other jurisdictions were to aim to regulate hacking back.

225 Schwarz (n 222).
226 Ibid.
227 Autoriteit Persoonsgegevens (n 206); Centraal Bureau voor de Statistiek (n 208).
228 Winstead (n 220).
These are incredibly complex and problematic questions that arise when attempting to design rules to regulate hacking back, and given the many other problems that would come into play with hacking back, it is only understandable that nation-states have agreed to ban it altogether.

4.5 Concluding Remarks

The Dutch prohibition on private sector hack backs is understandable given the dominant international consensus against its use and the underlying plethora of arguments that exist against its decriminalization. However, there are exceptional cases imaginable where it could be worth considering regulating hacking back, namely cases where the attack (potentially) causes severe damage which outweighs the potential damage to third parties that may be caused by hacking back. Hacking back could be considered an appropriate response in such cases of ongoing attacks where no efficacious alternatives are available to disrupt the attack in time and where damage to the attacker’s system is kept to a minimum. However, it would be recommended that private-sector actors first establish attribution with a high degree of certainty, through the use of trace-back technologies and digital forensics, before hacking back. Moreover, international hack back operations should be avoided because of the risk of violating the domestic laws of foreign nations. However, this is the point where hacking back perhaps also starts to make a lot less sense, since the borderless nature of the internet allows malicious hackers to launch attacks from any given place in the world. The ability to hack back would be hindered by foreign laws, and since the international consensus derived from the Paris Call and the Cybercrime Convention seems to be that private hack back should not be allowed at all, it seems unlikely that an international agreement would arise to allow private sector hack backs under exceptional circumstances.

229 NCTV, ‘Cybersecuritybeeld Nederland 2020’ 7.
All things considered, at face value, hacking back might be appealing in some cases as a last resort against ongoing attacks that (potentially) cause severe damage, but a lack of international consensus to regulate this practice and the technical difficulties of accurately establishing attribution currently stand in the way of its being an efficacious solution.

Chapter V - Conclusion

In this thesis, hacking back is defined as the retribution of the victim of an unauthorized intrusion against the cyber-attacker by obtaining unauthorised access to the cyber-attacker’s computer or network. Within the world of cybersecurity, hacking back is perceived as a very aggressive active cyber defence measure that victims of cyber-attacks can deploy. The introduction of the ACDC bill in the US has sparked discussion on whether non-state actors should be legally allowed to hack back in order to retaliate against malicious cyber-actors. However, the international consensus that can be derived from the Paris Call and the Cybercrime Convention seems to be that non-state actors should not be allowed to hack back, in pursuit of a more secure cyberspace. Interestingly, the Netherlands is a signatory to both the Cybercrime Convention and the Paris Call. The Netherlands could therefore be considered a jurisdiction that is against allowing private sector hack-backs. This position of the Netherlands, however, remains unexplored in academic literature and Dutch society, which serves as the primary rationale for exploring to what extent it would actually be efficacious to decriminalize hacking back by non-state actors in the Netherlands. This thesis has therefore explored what arguments exist in favour of and against decriminalizing hacking back by analysing both the ACDC bill and academic literature, and has placed this highly sensitive issue in a Dutch perspective.
In this context, this thesis has explored and considered legal conditions which can be construed to circumscribe hacking back if it were to be decriminalized. This was necessary for providing an assessment of the degree to which the Dutch stance on hacking back can be justified and for assessing to what extent an alternative solution of regulating hacking back could be deemed efficacious. Hence, the main research question answered in this thesis was the following: in light of the arguments that can be inferred from academic literature and the ACDC bill, to what extent would it be efficacious to decriminalize hacking back by non-state actors in the Netherlands? The main arguments derived from the literature and the ACDC bill in favour of decriminalizing hacking back are its use as an ethical and pragmatic self-defence method that compensates for inadequate law enforcement, its value as a deterrent, its value as a form of retributive justice against malicious hackers and its value as a complementary cybersecurity measure that can be deployed if traditional (active) cyber defensive measures prove to be ineffective. Conversely, the main arguments against allowing hacking back are the risk of escalation and repercussions, difficulties in accurately establishing attribution, the risk of collateral damage to innocent third parties, the risk of violating domestic and foreign laws, the risk of degradation of state authority, the risk of interference with ongoing investigations and an overall lack of financial and skilled human resources for non-state actors to hack back. Even though many strong arguments exist against decriminalizing hacking back, it is clear that some compelling arguments also exist in favour of its decriminalization. Moreover, there is data showing that data breaches attributed to malicious hacks are on the rise in the Netherlands and that Dutch law enforcement has not been effective in dealing with such crimes.
Therefore, an exploration was made of the legal conditions that can be construed to circumscribe hacking back if it were to be decriminalized in the Netherlands, which admittedly is not without its flaws. In chapter 4 it was proposed that a private hack back operation could be made legal and justifiable for one purpose: the disruption of an ongoing intrusion. In that regard, hacking back should only be allowed if it can be deemed a proportional and necessary response. Proportionality and necessity mean in this context that excessive hack back operations for mere retaliatory purposes should be avoided, damage to adversaries’ systems should be kept to a minimum and defenders should deploy less intrusive cybersecurity measures instead of hacking back if those can be deemed efficacious in mitigating an attack in time. Thus, hack back operations should be seen as a last resort against attacks that (potentially) cause severe damage and where an immediate response is needed in order to prevent greater damage. In this context, hack back operations should also only be allowed if the damage that can potentially be mitigated by hacking back outweighs the potential damages and privacy violations to third parties. Furthermore, even if decriminalized, defenders should still be held civilly liable for any damage caused to third parties by hacking back, which should also serve as an incentive for defenders to carefully collect sufficient evidence to establish attribution with a high degree of certainty before hacking back. It should also be obligatory for non-state actors to notify a designated law enforcement or intelligence agency and receive its authorization prior to hacking back.
This notification should specify (1) the type of breach, (2) preserved evidence of that breach used for the establishment of attribution and the intended target of the hack-back operation, (3) actions that will be taken to prevent damage to innocent intermediary computers and minimize damage to the target’s computer and (4) an ex ante justification as to why the hack back operation is a proportional and necessary response. Finally, non-state actors should refrain from remotely accessing any computer that is not located in the Netherlands, since this would most likely result in the violation of foreign domestic criminal laws on illegal access to computer systems. Nevertheless, it must be conceded that any attempt to regulate hacking back is highly problematic given the many practical and legal issues involved. The borderless, anonymous and de-materialized essence of the internet enables cybercriminals to route their attacks through computers at any given location, which makes it a highly complex exercise for companies to accurately establish attribution. Furthermore, even if attribution can be established, it would be illegal to hack back in cases where the perpetrator is located on foreign soil, since that would most likely violate foreign domestic laws on computer integrity and illegal access to computer systems. The efficacy of decriminalizing hacking back in the Netherlands would thus be very questionable if there is not some sort of international agreement allowing its use in certain limited cases. However, the international consensus derived from the Cybercrime Convention and the Paris Call suggests that hacking back by private actors should not be allowed, which makes it unlikely and implausible that an international agreement would arise stating the opposite and decriminalizing hacking back.
Thus, hacking back might be alluring in some cases as a last resort against ongoing attacks that (potentially) cause severe damage, but the international consensus against allowing this practice and the technical difficulty of accurately establishing attribution mean that decriminalization in the Netherlands cannot be regarded as an efficacious approach. For now, it seems reasonable to posit that non-state actors in the Netherlands remain, and should remain, limited to deploying cybersecurity measures that are considered legal and that solely produce effects within their own networks. However, it will be interesting to see whether the perception of hacking back will change in the future if technologies become better at accurately establishing attribution and thereby more effective at catching malicious cyber actors. If so, then perhaps, one day, hacking back may become a regular and accepted cybersecurity measure that is part of the defensive arsenal of IT and security managers.

Bibliography

Primary Sources

Legislation

Dutch Statutory Law
Wetboek van Strafrecht (Wet van 3 maart 1881). The unofficial English translation of the Dutch Criminal Code was retrieved from <https://www.legislationline.org/documents/section/criminalcodes/country/12/Netherlands/show>

US Statutory Law
Computer Fraud and Abuse Act (CFAA)
H.R.3270 - Active Cyber Defense Certainty Act (ACDC bill)

International Treaties
Council of Europe, ‘Convention on Cybercrime’ (2001) CETS No. 185
Council of Europe, ‘Explanatory Report to the Convention on Cybercrime’ (2001) CETS No. 185

Other International Declarations
Paris Call for Trust and Security in Cyberspace

Case Law

US
International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (2006)
Multiven, Inc. v. Cisco Systems, Inc., 725 F.Supp.2d 887, 891–92 (N.D. Cal. 2010)
United States v. Carlson, 209 Fed. App’x 181, 185 (3d Cir. 2006)
United States v. Fowler, Case No. 8:10-cr-65-T-24 AEP (M.D. Fla. Oct. 25, 2010)
United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012)
United States v. Phillips, 477 F.3d
United States v. Thomas, 877 F.3d 591, 598 (5th Cir. 2017)
United States v. Trotter, 478 F.3d 918 (8th Cir. 2007)
United States v. Yücel, 97 F. Supp. 3d 413 (S.D.N.Y. 2015)

Secondary Sources

Books
De Hullu J, Materieel strafrecht (Deventer: Kluwer 2012)
Kaplan J and others, Beyond Cybersecurity: Protecting Your Digital Business (John Wiley & Sons 2015)
Machielse A, Noodweer in het strafrecht (Amsterdam: Stichting Onderzoek Recht en Beleid 1986)

Articles
Albersheim R, ‘The Legal Implications of Corporate Reverse Hacking’ (1999) 18 Preventive L Rep 8-9
Baker B, ‘Considering the Potential Deterrence Value of Legislation Allowing Hacking Back’ (2018) 1-23
Bannelier K and Christakis T, ‘Cyber-Attacks Prevention-Reactions: The Role of States and Private Actors’ (2017) Les Cahiers de la Revue Défense Nationale 1-86
Brenner S and Clarke L, ‘Distributed Security: A New Model of Law Enforcement’ (2005) John Marshall Journal of Computer & Information Law (forthcoming) 1-47
Chesney R, ‘Cybersecurity Law, Policy and Institutions (version 3.0)’ (2020) 1-137
Cook C, ‘Cross-Border Data Access and Active Cyber Defense: Assessing Legislative Options for a New International Cybersecurity Rulebook’ (2018) 29 Stan L & Pol’y Rev 205-236
Cooper P, ‘Cognitive Active Cyber Defence: Finding Value Through Hacking Human Nature’ (2017) 5(2) Journal of Law & Cyberwarfare 57-172
Custers B, ‘Nieuwe online opsporingsbevoegdheden en het recht op privacy: Een analyse van de Wet computercriminaliteit III’ (2018) JV afl. 5 100-117
Dewar R, ‘CSS Cyber Defence Trend Analysis 1’ (2017) Risk and Resilience Team, Center for Security Studies 1-21
Gandhi H, ‘Active Cyber Defense Certainty: A Digital Self-Defense in the Modern Age’ (2019) 43(2) Oklahoma City University Law Review 101-131
Grabosky P, ‘The Evolution of Cybercrime, 2004-2014’ (2014) RegNet Research Paper No. 2014/58 116
Hoffman W and Levite E, ‘Private Sector Self Defense: Can active measures help stabilize cyberspace?’ (2017) Carnegie Endowment for International Peace 1-51
Huang S, ‘Proposing a Self-Help Privilege for Victims of Cyber Attacks’ (2014) 82(4) The George Washington Law Review 1229-1266
Kramer X, ‘Challenges of Electronic Taking of Evidence: Old Problems in a New Guise and New Problems in Disguise’ (2018) II Conferencia Internacional & XXVI Jornadas Iberoamericanas de Derecho Procesal IIDP & IAPL, La Prueba en el Proceso / Evidence in the Process (Atelier 2018) 391-410
Lee R, ‘The Sliding Scale of Cybersecurity’ (2015) SANS Institute: Information Security Reading Room 1-18
Lee R and Lee R, ‘The Who, What, Where, When, Why and How of Effective Threat Hunting’ (2016) SANS Institute: Information Security Reading Room Whitepaper 1-13
Lin P, ‘Ethics of Hacking Back: Six Arguments From Armed Conflict to Zombies’ (2016) Ethics + Emerging Sciences Group 1-34
Majuca R and Kesan J, ‘Hacking Back: Optimal Use of Self-Defense in Cyberspace’ (2009) Illinois Public Law and Legal Theory Research Papers Series No. 08-20 1-68
Messerschmidt J, ‘Hackback: Permitting Retaliatory Hacking By Non-State Actors as Proportionate Countermeasures to Transboundary Cyberharm’ (2013) Columbia Journal of Transnational Law (forthcoming) 1-37
Pool R and Custers B, ‘The Police Hack Back: Legitimacy, Necessity and Privacy Implications of The Next Step in Fighting Cybercrime’ (2017) 25 European Journal of Crime, Criminal Law and Criminal Justice 123-144
Rosenzweig P, ‘International Law and Private Actor Active Cyber Defensive Measures’ (2013) 47 Stanford Journal of International Law (forthcoming) 1-13
Sharton B, Gould G and Pierce J, ‘Key Issues in Computer Fraud and Abuse Act (CFAA) Civil Litigation’ (2018) Thomson Reuters 1-8
Smith B, ‘Hacking, Poaching, and Counterattacking: Digital Counterstrikes and the Contours of Self-Help’ (2005) 1 JL Econ & Pol’y 171-195
Smits J, ‘What is Legal Doctrine? On the Aims and Methods of Legal-Dogmatic Research’ (2015) Maastricht European Private Law Institute Working Paper No. 2015/06 207-228
Van den Herik L, ‘De digitale oorlog: waan of werkelijkheid?’ (2013) NJB 2013/291 afl. 6 290-334

OECD Digital Economy Papers
OECD, ‘Roles and Responsibilities of Actors for Digital Security’ (2019) OECD Digital Economy Papers No. 286

NCTV Policy Documents
NCTV, ‘Cybersecuritybeeld Nederland 2020’

Dutch Data Protection Authority Publications
Autoriteit Persoonsgegevens, ‘Meldplicht datalekken: facts & figures. Overzicht feiten en cijfers 2019’

Dutch Central Bureau for Statistics Publications
Centraal Bureau voor de Statistiek, ‘Cybersecuritymonitor 2019’

Online Sources
Beavers O, ‘US tech companies back Paris cyber agreement opposed by Trump administration’ (TheHill, 13 November 2018) <https://thehill.com/policy/cybersecurity/416465-us-tech-companiesback-paris-cyber-agreement-that-us-wont> accessed 19 November 2020
Buchanan M, ‘Google hacked the Chinese hackers right back’ (Gizmodo, 15 January 2010) <https://gizmodo.com/google-hacked-the-chinese-hackers-right-back-5449037> accessed 23 April 2020
Cox J, ‘Revenge Hacking Is Hitting the Big Time’ (The Daily Beast, 19 September 2017) <https://www.thedailybeast.com/inside-the-shadowy-world-of-revenge-hackers> accessed 7 April 2020
Drummond D, ‘A new approach to China’ (Google Official Blog, 12 January 2010) <https://googleblog.blogspot.com/2010/01/new-approach-to-china.html> accessed 6 May 2020
Elkus A, ‘When companies hack back’ (NewAmerica, 18 June 2015) <https://www.newamerica.org/weekly/when-companies-hack-back/> accessed 13 September 2020
Gross M, ‘Enter the Cyber-Dragon’ (Vanity Fair, 2 August 2011) <https://www.vanityfair.com/news/2011/09/chinese-hacking-201109> accessed 5 May 2020
Jackson W, ‘How Google attacks changed the security game’ (GCN, 1 September 2010) <https://gcn.com/articles/2010/09/06/interview-george-kurtz-mcafee-google-attacks.aspx> accessed 6 May 2020
Kozloski A, ‘Sinkholing: a critical defensive tool’ (Hitachi, 5 December 2015) <https://www.hitachisystems-security.com/blog/sinkholing-a-critical-defensive-tool/> accessed 15 July 2020
Lemos R, ‘Why the hack-back is still the worst idea in cybersecurity’ (TechBeacon) <https://techbeacon.com/security/why-hack-back-still-worst-idea-cybersecurity> accessed 23 April 2020
Maurer T, ‘Breaking Bad: How America's biggest corporations became cyber vigilantes’ (Foreign Policy, 10 September 2012) <https://foreignpolicy.com/2012/09/10/breaking-bad/> accessed 23 April 2020
Mazerik R, ‘Understanding DNS sinkholes – A weapon against malware’ (Infosec, 26 January 2018) <https://resources.infosecinstitute.com/dns-sinkhole/#gref> accessed 15 July 2020
Morgan S, ‘Cybercrime To Cost The World $10.5 Trillion Annually By 2025’ (Cybercrime Magazine, 13 November 2020) <https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/> accessed 3 January 2021
Panda Mediacenter, ‘What is the difference between sandboxing and honeypots?’ (Panda Mediacenter, 12 September 2018) <https://www.pandasecurity.com/mediacenter/security/differencesandboxinghoneypots/#:~:text=So%2C%20while%20the%20goal%20of,the%20rest%20of%20the%20company> accessed 14 July 2020
Sanger D and Markoff J, ‘After Google’s Stand on China, U.S. Treads Lightly’ (N.Y. Times, 14 January 2010) <https://www.nytimes.com/2010/01/15/world/asia/15diplo.html?_r=1> accessed 23 April 2020
Schmidle N, ‘The Digital Vigilantes Who Hack Back’ (NewYorker, 30 April 2018) <https://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back> accessed 3 January 2021
Schwartz S, ‘Federal 'hack back' bill back on table, but critics wary of blind spots’ (Ciodive, 12 August 2019) <https://www.ciodive.com/news/federal-hack-back-bill-back-on-table-but-critics-wary-of-blindspots/557855/> accessed 7 April 2020
Schwarz M, ‘Breach Attribution and 'Hack Back': Don't Waste Time’ (BankInfoSecurity, 14 December 2016) <https://www.bankinfosecurity.com/interviews/yakety-yak-dont-hack-back-i-3414> accessed 25 October 2020
Tamkin T, ‘10 Years After the Landmark Attack on Estonia, Is the World Better Prepared for Cyber Threats?’ (Foreign Policy, 27 April 2017) <https://foreignpolicy.com/2017/04/27/10-years-after-thelandmark-attack-on-estonia-is-the-world-better-prepared-for-cyber-threats/> accessed 16 July 2020
Winstead N, ‘Hack-Back: Toward A Legal Framework For Cyber Self-Defense’ (AmericanUniversity, 26 June 2020) <https://www.american.edu/sis/centers/security-technology/hack-back-toward-a-legalframework-for-cyber-self-defense.cfm> accessed 25 October 2020