Julian Hayes and Harvey Briggs examine the legal position regarding “active defence” in response to ransomware attacks, and consider the pros and cons of possible legislative changes.
For many British citizens, the WannaCry outbreak, one of the most disruptive ransomware attacks of last year, might have had only passing interest. Yet for the thousands of NHS patients whose hospital appointments were cancelled without notice, with ambulances diverted and diagnostic scans put on hold as a result of the attack, the consequences were serious. Businesses and infrastructure providers both at home and abroad also felt the impact, with Nissan car production halted in the North East, Deutsche Bahn computers disrupted and Spain’s Telefónica hit; one estimate put the global financial cost of WannaCry at $4 billion. Faced with such widespread disruption, mirrored by other attacks including BadRabbit in Eastern Europe and NotPetya globally, the desire to counter-attack was inevitable.
Essentially a form of computer malware, ransomware is often spread by Trojan downloads, in which the data on a victim’s computer is locked, typically by encryption, and payment in digital currency is demanded in return for the decryption and return of the data. Faced with overwhelming disruption and reputational damage, ill-prepared victims of such digital extortion might be tempted to pay the ransom demand. However, a recent survey found that less than half of those who paid successfully recovered their data. Law enforcement agencies encourage victims to report the attacks, but extortionists located outside the jurisdiction (often in Eastern Europe, South Asia and West Africa) far outpace the speed at which the authorities can act, leaving victims frustrated. A third, more controversial and often illegal, approach is for ransomware victims to take “active defensive measures” against their attacker, commonly known as “hacking back”. This involves gaining unauthorised access to an online extortionist’s computer to recapture or delete stolen data, or to disable the computer itself.
Legal Status of “Active Defence”
Until recently, the consensus amongst legislators was that “active defence” by private companies and individuals risked vigilantism and should be illegal. In England and Wales, sections 1 – 3 of the Computer Misuse Act (CMA) 1990 outlaw unauthorised computer access without exception for hacking back. While the 1997 Police Act permits the National Crime Agency (NCA) to authorise the taking of specified proportionate action within the jurisdiction in respect of “wireless telegraphy” for the purpose of preventing and detecting serious crime, effectively absolving liability under the CMA, the NCA has proved reluctant to give such authority. Similarly in the US, the Computer Fraud and Abuse Act 1996 makes no provision for active defence by victims of cyberattacks.
Europe continues to adhere to this traditional approach, with the recently published French Government’s Strategic Review of Cyber Defence strongly opposed to giving private companies the right to retaliate following a cyberattack. However, in stark contrast to this approach, US legislators have introduced the Active Cyber Defense Certainty (ACDC) Act before Congress, which would break with the consensus. The Act would permit authorised individuals and companies to hack back for the purposes of establishing the attribution of an attack, disrupting cyberattacks without damaging third parties’ computers, retrieving and destroying stolen files, monitoring the behaviour of an attacker and utilising “beaconing technology” to trace stolen data. This draft legislation accepts that victims of cybercrime should first report the incident to the authorities. Nevertheless, acknowledging the frustration felt by victims of ransomware attacks, it also recognises that many cybercrimes are not dealt with in a timely manner, creating uncertainty for those affected.
The Dangers of Hacking Back
It is easy to see arguments in favour of “active defence” legislation; empowering corporates with the right to develop and deploy new defence tools may help deter criminal hacking. Allowing hack backs might shift the odds on a cyber battlefield which at present appears heavily weighted in the attacker’s favour. Ultimately, legislation allowing “active defence” may initiate a state of affairs whereby identification and prosecution of cyber criminals becomes the norm and not the exception. More prosaically, preventing a company from hacking back to recover data stolen from it is arguably akin to prohibiting a burglary victim from taking back his possessions which he can see in the back of the burglar’s car.
Unfortunately, there is no real parallel between the simple example given above and the sophisticated nature of many ransomware attacks. Putting aside the moral question as to whether states should outsource law enforcement to third parties, attributing a cyberattack to a particular server requires particular technical abilities not necessarily available to all potential victims; misattributing an attack and hacking the wrong server back risks causing collateral damage, exposure to civil claims and potential criminal liability. Assuming the attacker has been correctly identified, there is no guarantee that the stolen data has not been moved or copied elsewhere, defeating the purpose of the hack back and potentially making it more difficult for the authorities to investigate the original ransomware attack. Echoing an argument against allowing state access to encrypted messages, sanctioning active defence might encourage authoritarian regimes to adopt similar measures for “political crimes”. Further, the apparently sensible precaution of requiring state-approval of a hack back affecting another country’s interests might be perceived as an act of national aggression even if permission to hack back was confined by jurisdiction. Finally, once discovered, hack backs risk potentially overwhelming retaliatory measures such as distributed denial-of-service (DDoS) attacks by the original attacker.
The Future of Active Defence
Despite an increasing awareness of the precautionary measures available, the pace of ransomware attacks shows few signs of slowing. The risk of disruption as a result of such attacks is heightened further as everyday electronic devices become more interconnected. Furthermore, as a result of the forthcoming General Data Protection Regulation regime, there exist potentially severe regulatory consequences where personal data is involved. Against this background, calls by victims of ransomware attacks for retaliatory measures against the perpetrators of such attacks are unlikely to abate. Whether the proposed ACDC Act would bring about a sea change in attitudes, despite the countervailing arguments, remains unclear. Other countries (and online threat actors) are likely to watch the legislation’s progress through Congress, and the debate which it generates, with considerable interest.
Julian Hayes is a partner specialising in all aspects of corporate crime and regulatory work. As well as dealing with high profile fraud and corruption matters, including investigations with an international dimension, he has considerable experience of advising corporates on data protection and cybercrime issues.
Harvey Briggs is a legal assistant specialising in corporate crime and regulation, with a particular interest in data and other information law issues.