Commentary by Matt Pearl and Alexander Klimburg
Published April 24, 2025
Our goal in launching the Economic Security and Technology Department’s Back & Forth series is to promote debate about ideas that do not get adequate attention in Washington policy circles. As a bipartisan community of scholars, our expectation is that Back & Forth will model the art of thoughtful disagreement about unexplored solutions to our biggest challenges on economic security and technology. That, in our opinion, is the crying need of democratic governance in polarized times.
— Navin Girishankar, President, Economic Security and Technology Department, CSIS
Since the emergence of the commercial internet in the United States in the 1990s, we have experienced many transformations, including the explosion in e-commerce, the rise of social media, and the development of cloud computing. During that time, we have also experienced remarkably consistent trends when it comes to cybersecurity: The volume, diversity, and sophistication of attacks have increased, as have resultant costs borne by individuals, businesses, and governments.
In response, for many of those years, governments largely focused on cyber defense and coordination, including strengthening defensive capabilities, cyber diplomacy and international cooperation, cybercrime laws and enforcement, public-private sector partnerships, and cybersecurity awareness and education. These efforts are necessary and laudable, but they have also proved to be insufficient. In that context, the United States announced in recent years that it would engage in offensive cyber operations, and more recently, it is—along with several of our allies and partners—considering vastly expanding such efforts.
As the U.S. government decides how to go on offense, this Back & Forth issue will address whether Congress and the administration should authorize some form of “hack back,” or, in other words, allow nongovernment entities to engage in offensive hacking in response to being hacked.
Why the United States Government Should Authorize Hack Backs
Matt Pearl, Director, Strategic Technologies Program
The view that the government should authorize hack backs has been broadly denounced for the past 25 years, with commentators arguing (among other things) that it would result in escalation of cyber conflict; raise legal and ethical issues, including risking harm to third parties; and result in inconsistent application and abuse. In the context of these concerns, why might it be necessary to move beyond the traditional model for addressing wrongs, in which we rely exclusively on law enforcement and the court system to address wrongs when it comes to addressing cyberattacks?
I argue that we confront a crisis in cybersecurity due to structural features that have consistently rendered—and will continue to render—traditional law enforcement responses insufficient, and that as a result, we require a more decentralized and distributed model of responding to cyberattacks. Specifically, in cyberspace, we confront a dangerous cocktail of:
- Interconnectivity, which enables malicious actors to conduct cyberattacks across borders, thus undermining the ability of open societies to protect their information technology and operational technology systems;
- State sovereignty, enabling those same malicious actors to receive protection from state sponsors;
- Low barriers to entry, enabling new malicious actors in those states to create mischief with very little training or overhead; and
- Ease in scaling up cyberattacks, particularly in states that have large populations, which can be incentivized to participate in hacking en masse.
Thus, as Dmitri Alperovitch famously said, “We do not have a cyber problem; we have a China–Russia–Iran–North Korea problem.” Those states are responsible for most cyber intrusions and attacks because they can take advantage of interconnectivity and sovereignty. Further, these states have significant resources and cyber talent within their borders that can easily scale up cyberattacks. When we combine these factors with the low barriers to entry, it is no wonder that the FBI and other law enforcement agencies have been incapable of effectively responding to attacks on individuals and businesses, particularly in cases that do not involve large-scale cyber rings or affect many people. Indeed, I would challenge advocates for maintaining the government’s monopoly on cyber force to find any point at which the U.S. government—or any government in an open society, for that matter—has, for even a limited period, come remotely close to adequately addressing all the harms that ordinary citizens suffer.
In arguing for maintaining the government monopoly on cyber force, opponents of hack back tend to use flawed analogies, such as comparing it to authorizing a homeowner to remove a noisy device his neighbor is running near his property, rather than requiring him to call the police or file a lawsuit. This would be a good comparison if it were easy and almost costless for Russians—rather than our next-door neighbors—to install such devices outside our homes, and if it were extremely difficult for the local police to physically remove them. Simply put, if the physical world were to take on such characteristics, we would surely develop new mechanisms to empower affected homeowners, rather than condemning them to relying on the traditional—slow, cumbersome, and ineffective—remedies.
Rather than relegating Americans to such ineffective “remedies,” we should opt to create a system of highly regulated, accredited cybersecurity firms that are authorized to “hack back” on behalf of affected citizens and businesses. Before being accredited by the federal government, such cybersecurity firms should be required to demonstrate their technical acumen, including accuracy in attributing cyberattacks to the right attacker. Additionally, they should be required to set aside sufficient funds—or, alternatively, cyber insurance—to pay for any third parties that are inadvertently harmed. Further, such firms could be required to notify and present evidence to relevant agencies before engaging in offensive cyber operations. These firms would be incentivized to avoid harming innocent third parties by a combination of traditional civil liability and potential consequences from the federal government (including losing their accreditation and fines). Further, providing affected entities with the option to work with such firms would help to avoid the increasing temptation they have to engage in self-help as they suffer damage and receive insufficient government assistance.
Addressing all the objections to authorizing hack backs would exceed the scope of this piece, but I will briefly respond to two concerns. First, opponents of hack back argue that it would create diplomatic problems for the United States as foreign governments complain about being attacked. In the case of the main culprits of cyberattacks (mentioned above), such concerns do not carry much weight, as we no longer live in a world in which our diplomats should give them the benefit of the doubt. Their complaints should be ignored unless those governments present concrete evidence that innocent third parties were harmed.
Beyond those four states, it is certainly possible that offensive cyber operations could inadvertently affect third countries, and therefore, efforts should be undertaken to notify our allies and partners of offensive operations before they occur, and to address any concerns they have. Indeed, given that several of our allies and partners are already engaging in—or contemplating engaging in—offensive cyber operations, we will need more extensive forms of coordination, regardless of whether we authorize some form of hack back. The proposed offensive operations of our cybersecurity firms should be incorporated into this coordination, allowing the United States to be responsive to concerns about various types of offensive operations. Policies in many other areas are conducted in a decentralized or distributed fashion in the United States, including defense and security functions and public health initiatives, and we are nonetheless able to coordinate effectively at the international level. Thus, with the right mechanisms in place, the United States does not need to decide between having a wide range of entities engage in offensive cyber operations and conducting cyber diplomacy in a coordinated fashion—we can have both.
Second, opponents of hack back hypothesize scenarios in which allowing it would result in an escalating cycle of retaliation that would further destabilize cyberspace. It is hardly obvious that this would be the result—one can just as easily imagine that authorizing hack back will impose costs on some malicious cyber actors such that they are dissuaded from engaging in certain forms of activity, improving the overall cybersecurity environment. Thus, hack back opponents attempt to dissuade us from using a tool to remedy concrete, real-world harm by hypothesizing a possible, speculative scenario in which hack back could make things worse. Given the dire state of cybersecurity, we are much better off authorizing experienced and expert firms to engage in hack back to see what the results are, while retaining the option to reverse course—or, more likely, to use the results to adjust the circumstances under which hack back is allowed—if any unacceptable consequences ensue.
Shooting Without Aiming: Hack Back Is Not a Magic Bullet
Alexander Klimburg, Senior Associate (Non-resident), Strategic Technologies Program
In dealing with the perennial challenge of mitigating serious cybercrime, it is accurate to say that we don’t have a “cyber problem,” but rather a nation-state power problem—in building domestic cyber resilience, deterring malicious actors, and shaping the global internet domain upon which all activity depends. These are complex problems that defy easy solutions. Hack backs are not a magic bullet for what will remain a historically challenging issue for years to come.
The United States and many Western nations are not passive victims in cyberspace and are increasingly defending themselves. The U.S. Department of Defense, in particular, has already developed an increasingly muscular version of what was known as the “persistent engagement” of the most advanced cyber adversaries. Below that, law enforcement and especially competent private actors do regularly cooperate in certain kinds of active cyber defense—some of which can even be termed as offensive cyber activity that could run afoul of the ancient Computer Fraud and Abuse Act (CFAA). This type of select public-private law enforcement cooperation can and should be expanded upon with more resources and greater flexibility. However, a general principle of allowing the private sector to hack back would emulate a model previously favored only by the United States’ adversaries, in particular Russia, China, and Iran. If this alone does not hint that it is probably a bad idea, consider that a licensed hack-back policy could also throw up paralyzing legal questions, greatly increase the threat of inadvertent escalation between states, and in general undermine the system of international law that has been the bedrock of U.S. influence for decades.
The advocates of what is sometimes abbreviated as cyber “hack back” often look fondly to the earliest history of the United States, where Article I of the Constitution grants the power to issue “Letters of Marque” to private actors. These licensed pirates were then “allowed” to raid the shipping of enemy nations and could seek safety in U.S. ports. Letters of Marque were issued only in two periods—during the Quasi-War of 1798–1800 with France and, to a much greater extent, in the War of 1812 against the United Kingdom. The rise and fall of this practice is an indication of why hack backs are not a long-term winning strategy.
Letters of Marque were primarily attractive for two reasons—firstly, and most importantly, they were a very cost-effective way of quickly projecting naval power. This was very important in the War of 1812, where it allowed the United States to rapidly field a significant asymmetric naval force against the overwhelming might of the Royal Navy. But it also allowed for some level of plausible deniability—an important feature during the so-called Quasi-War against the former ally, France. These would remain the only two uses of Letters of Marque by the United States.
Obviously, both alleviating resource constraints and the attraction of plausible deniability have been deciding factors in the buildup of “privateer” cyber proxy forces in Russia, China, and Iran. Much of the early cyber forces in these countries were private, be it the so-called “patriotic hackers” of early 2000s China, the big organized Russian cybercrime organizations like Russian Business Network, or indeed Iran’s private hacker forums like Ashiyane. It is revealing that as these cyber powers mature, they have increasingly relied on their state forces, while still leveraging the cybercrime ecosystem and civil-military fusions to their advantage. None of these advantages apply to the United States, but the disadvantages of large-scale licensing of “hack back” would be even more obvious.
The first challenge is one of simple confusion created by private hackers engaging on their own—after all, if the government has a hard time coordinating offensive cyber activities, why would the private sector be better? This is further compounded by the significant risk to third parties inherent in conflict in the Age of Cyber; unlike in the Age of Sail, cyber privateers can’t avoid impacting neutral parties. This becomes obvious when we look at the most likely operational use cases of the practice. The most common form of limited hack back has been to disrupt botnets used for espionage, and in particular, recover or destroy stolen information. By hacking the so-called botnet “mothership,” the command and control (C&C) server (peer-to-peer botnets have a “superpeer” instead), both law enforcement and private companies have been able to recover exfiltrated files before they were downloaded by the end user. But even this relatively simple act is fraught with liability risk. The C&C server itself is always a victim system, one hacked for the purpose, and “recapturing” it can further degrade its normal function. Further, the data that is recovered will likely not just be limited to that of the victim hacking back, but also that of many other victims, whose private information is suddenly in the hands of their industry competitors. Imagine if, for instance, a major French hardware company hacking back found the intellectual property of a major U.S. rival—an almost impossibly bad position for all concerned.
For reasons like this, these kinds of limited hack-back activities are nearly always coordinated or managed by law enforcement. They are increasingly effective: in the last year, Europol (in Operation ENDGAME) targeted a large number of botnets in one single operation, while the U.S. Department of Justice took on the mammoth 911 S5 botnet that may have facilitated over 5 billion dollars of damages. Also, the U.S. intelligence community is not quite as bound by the CFAA as regular law enforcement actors, and the FBI is both. The FBI has regularly “infiltrated” (hacked) criminal networks, like when in 2023 it hacked the Hive ransomware network and recovered decryption keys needed to restore hijacked systems. The private sector—especially Microsoft and Google, but also several small, non-U.S. cybersecurity companies unconcerned with the CFAA—has played a role in all of these activities. This counter-cybercrime cooperative system has evolved slowly over a decade and a half of practice and is steadily improving. Yes, it does need quicker and better cooperation, and especially resources (for law enforcement), but it is far from broken. Going beyond this practice—by expanding the depth of activity (e.g., destroying the criminals’ own data) or reach (by “licensing” companies to do this on their own)—is likely only to greatly exacerbate the risks with only marginally increased benefit. No wonder some of the most important private sector cyber defenders and veterans of the field actively oppose hack back.
The second challenge is the threat of inadvertent escalation between states due to a lack of specific control of private actors. China, for instance, greatly reduced its reliance on private actor-driven commercial intellectual property (IP) theft following the 2015 Xi-Obama deal, most likely as the risks these less-controlled actors posed outweighed the benefits. While Chinese commercial IP theft returned and then exceeded previous levels after 2017, it was clear that state-managed (rather than state-sanctioned, i.e., “privateers”) intrusion sets were in the lead, albeit being supported by a large ecosystem of contractors. There are also dozens of examples of how hacktivists and cybercriminals from Albania to Turkey have engaged in politically motivated cross-border cyberattacks of various levels, creating substantial confusion as to what was an official “cyberwar” and what was truly independent activity. Most recently, for instance, Algerian hackers likely stole and published details of around 2 million social security recipients in the adversary country of Morocco, including personal details of civil servants. Their justification was that they were “hacking back” against supposed Moroccan activity. Of course, everyone always says they are just hacking back—but they don’t always know that they are attacking the right party. Outside any magical top-secret U.S. integrated cyber-attribution capabilities, the evidence available to mere mortals is often circumstantial, at best. False flag attacks are not only a subject of fiction.
The third challenge is simply that licensing private hackers flies in the face of international law and upends a cornerstone of the rules-based order. There is no question that hack back of the general sort would be illegal under international law. A fundamental principle of international law is that of due diligence, meaning that states have an obligation to prevent their territory from being used for unlawful acts—and when they do, these private actors can be considered as state actors. This has been reinforced both in the 2001 Articles on the Responsibility of States for Internationally Wrongful Acts and most recently again in the 2013, 2015, and 2021 reports of the UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace. Much U.S. and Western effort has been spent on defending the rules-based order, which, indisputably, has benefited the United States greatly. Discarding this advantage for very little gain would not be prudent.
Successive U.S. administrations have long known how important it has been to be seen as a good actor on the international stage. In 1856, for instance, the U.S. government wanted to sign the Paris Declaration that swore off privateering but proved unable to do so due to the issue of how slaves would be treated (namely, not as property). Instead, the government simultaneously declared it would uphold the declaration without formally ratifying it—and abided by it in subsequent conflicts.
Even as a rising power, the United States recognized that it paid to be seen as a supporter of the international system, and not as actively undermining it. Actively supporting “privateers” in the Age of Sail or the Age of Cyber, regardless of how defense-minded they supposedly are, is hardly commensurate with this goal.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2025 by the Center for Strategic and International Studies. All rights reserved.