With a Republican-controlled White House and Congress taking power this month, the 2016 Republican Party platform provides insight into how lawmakers from the majority party will approach cyber security policy over the next several years. One sentence in the platform’s cyber security section needs a closer look: “We will explore the possibility of a free market for Cyber-Insurance and make clear that users have a self-defense right to deal with hackers as they see fit.” While the first part of this sentence would encourage effective cyber risk management to strengthen security across U.S. industry, the second part would promote a culture of retaliatory attacks (often called “hacking back”) that could endanger innocent parties and undermine U.S. foreign relations. President-elect Trump and Congress should avoid a “wild west” hack back environment, and instead follow the rule of law to advance cyber risk management.
On one hand, the Republican platform’s support for cyber insurance can strengthen cyber defense in the U.S. business community. Companies purchasing this insurance must meet baseline security standards and integrate cyber risk into overall enterprise risk management plans. Cyber insurance policies with regularly updated standards help companies adapt to a rapidly changing threat environment. A robust insurance market would reward companies that implement best practices with lower premiums or higher coverage, thus improving cyber security posture in the private sector.
On the other hand, encouraging Americans to respond to hackers “as they see fit” creates an unstable cyber security environment for two reasons. First, it is difficult to trace the source of a cyber attack or cyber espionage campaign because hackers often route attacks through proxies or through servers they have compromised but do not own. With uncertain or false attribution, a company could plausibly hack back at the wrong person or organization, harming an innocent party in the United States or abroad, including the legitimate owner of a compromised server. It is easy to imagine how a cycle of retributive attacks based on unsubstantiated evidence would lead to a “wild west” cyber ecosystem. Second, if private users or companies hack back against foreign entities, they would strain U.S. relations with other countries and hinder the development of international cyber norms and laws. For instance, if the Democratic National Committee had hacked back against the Russian GRU intelligence unit in April 2016, or hired a third party to do so, before allowing a federal investigation, it would have heightened the prospect of an escalatory U.S.-Russian cyber conflict during the U.S. general election.
In fact, hacking back contradicts current U.S. law. The 1986 Computer Fraud and Abuse Act (CFAA), the primary federal statute criminalizing computer intrusion, forbids accessing computers without authorization or exceeding authorized access. Hacking back almost always involves unauthorized access to another computer or network, so an effort to amend the CFAA to legalize it would place the retributive burden on private users and businesses, ultimately undermining the U.S. government’s role as a law enforcer in cyberspace.
The Republican-led Congress and Trump administration should advance cyber risk management and rule of law in cyberspace. There are three solutions, short of hacking back, that promote strong cyber security for the private sector.
First, Republicans must spearhead policies to help grow the cyber insurance market. This market has already experienced impressive growth: North American insurance companies accounted for 87% of the $3 billion market in 2016, with expected growth to reach $14 billion by 2022. Congress and state governments can help strengthen this market by providing tax incentives for cyber insurance, adding cyber insurance requirements to government contracts, and increasing funding for groups researching cyber actuarial data, like the Cyber Incident Data and Analysis Working Group.
Second, lawmakers should update and clarify the 1986 CFAA to make it more applicable to today’s vastly different cyber security environment. The law should update terms like “protected computer” to apply to modern devices, and make clear what actions in cyberspace are legal for private users and businesses.[1] It should unequivocally state that intruding into a suspected hacker’s network and/or devices, or hiring a third party to do so, is illegal. Once the CFAA is updated, individuals and businesses will be better able to develop effective cyber defense strategies that operate within clearly defined legal parameters.
Third, federal, state, and local governments should strengthen cyber incident response mechanisms for incidents affecting the private sector. The federal government already has several private sector outreach programs, such as the Department of Homeland Security’s US-CERT, ICS-CERT, and Automated Indicator Sharing (AIS). Moreover, in July of 2016 the Obama administration released PPD-41, which outlined federal government response mechanisms in the event of a significant cyber incident, including attacks against businesses vital to national security and public health. Despite these initiatives, the U.S. government does not have adequate response mechanisms for hacks against most individuals and businesses.
Instead of legalizing hacking back, state and local governments must bolster cyber incident response capabilities to investigate more attacks against U.S. individuals and businesses. If investigations implicate international actors, then federal agencies like the FBI have the authorities and resources to “disrupt and deter” these international hackers. More resources for cyber incident response at all levels of government will reduce the pressure on the private sector to hack back.
[1] For a more comprehensive analysis of the legal implications of the CFAA, read Irving Lachow, “Active Cyber Defense: A Framework for Policymakers,” Center for a New American Security, February 2013, available at https://s3.amazonaws.com/files.cnas.org/documents/CNAS_ActiveCyberDefense_Lachow_0.pdf
Bobby Shields is a Security Policy Studies Masters candidate with concentrations in Cyber Security and Energy Security. He currently works as the Program Assistant for the Elliott School’s NSSP and MIPP programs.