Imagine this: Facebook is set to release a slew of shiny new features designed to win back users and increase engagement. But before it can release its products, Renren (one of China’s Facebook clones) releases the same features across its platform, beating Facebook to the punch. Infuriated, Facebook security officials claim they know with near certainty that their plans were stolen by a hacker on behalf of the Chinese social-media giant. Some furious employees put in motion a plan to load a devastating malware attack on the hackers’ networks as payback.
Is that even legal? Can Facebook retaliate with a hack of its own? Under current U.S. law, the answer is no, but a growing number of legislators are attempting to change that. Yesterday, Rhode Island Democratic senator Sheldon Whitehouse became the most recent lawmaker to express support for revenge hacking.
“We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression,” Whitehouse said. “If [a major CEO] wanted permission to figure out how to hack back, I don’t think he’d know what agency’s door to knock on to actually give him an answer.”
Hacking back (also known as revenge hacking) involves a retaliatory response by a private company or an individual after they are attacked by a malicious actor. While anyone can monitor and enforce their own network and devices, the Computer Fraud and Abuse Act prevents people from going a step further and hacking into someone else’s network, even if they were hacked first. In his recent book, The Perfect Weapon, journalist David Sanger likens hacking back to a retaliatory home invader.
“It’s illegal, just as it’s illegal to break into the house of someone who robbed your house in order to retrieve your property,” Sanger writes.
The idea that legalizing hacking by Mark Zuckerberg and Jeff Bezos will make anyone any safer is a corrupt fiction.
They’re Bond villains, and granting them immunity to pull this crap will end in tragedy.