If a hacker manages to steal your personal data and information, do you have a right to hack them back and take back your data? According to the “Hacking For The Better Good” panel held at CES this week, the answer is a short: “No.”
Unpack that a bit and you get this: “Not yet.”
The future of hacking, as described by Michael Stawasz, the deputy chief for computer crime for the U.S. Department of Justice, won’t be dominated by using others’ personal information for identity theft. It’s going to be extortion and ransom: messing with someone in various ways until they pay you to stop. This is particularly important in a world where more and more potentially insecure devices, part of the Internet of Things ecosystem, are being used as part of our everyday lives. In the context of the obvious concerns that elicits, Stawasz explained the government’s position: A victim of malicious hacking still isn’t in a position to become cyber-Batman. Vigilantism remains illegal, in the physical world and the digital world.
For now, he explained, there are just too many unanswered legal questions, and the framework for how an individual might go about finding their own stolen digital property isn’t developed. Part of this has to do with how fast technology changes and how fast federal law changes (hint: not the same speed). As soon as the government finally pins down the legal wording for something, it is already five steps behind what computer hackers are now capable of.
The other part, however, has to do with the fact that the government doesn’t want to sanction ‘hack-back’ actions it cannot explicitly oversee. What happens if a victim of stolen data goes out to get their own data back, and inadvertently acquires a trove of other people’s data in the process? What if they create more harm than good and unintentionally take down an entire network? The possibilities go on and on.
There’s hope those issues could be resolved sooner rather than later. The point of the panel was to consider solutions for how the government and tech community can work together to give benevolent hackers the ability to work within the law and help out a vulnerable public. Unfortunately, the panelists themselves didn’t offer a lot of specific ideas. Michael Tiffany, the co-founder and CEO of the cyber security company White Ops, was suspicious of creating “hack-back exceptions,” calling them “manipulative” and suggesting that there wasn’t even a legal framework to protect good hackers from criminal prosecution.
Stawasz emphasized that he wanted to see more victims of data theft or DDoS attacks approach authorities to come up with a solution that falls within the legal framework, instead of taking matters into their own hands.
To no one’s surprise, however, Stawasz acknowledges that “we haven’t had anyone come forward on that offer.” The government’s reputation among good and bad hackers is, well, bad. Stawasz says this reputation for overzealous prosecution is overblown: of the tens of thousands arrested for digital fraud, fewer than 200 are actually charged. Too bad that fact hasn’t really assuaged fears yet.
On the plus side, it’s nice to see that this is now a topic of discussion for both the Justice Department and the tech community. As more and more of our everyday tools become connected to the cloud, cybersecurity is taking on a more vital role in society. Hopefully, we can move these talks out of isolated CES conference rooms and onto more prominent platforms (say, a Congressional hearing or something).