Years ago, phone companies inserted fake listings into their phone books.
The utilities didn’t want to play an elaborate prank on those looking for a plumber or take-out place. The phony entries existed to deter copycats who might simply lift the phone company’s own listings to sell a cheaper knock-off. A simple listing of data cannot be copyrighted or infringed under U.S. law, but a particular expression of that data can. The fake entries were designed to offer not only a means to catch such copycats, but legal recourse when they were caught. These sorts of anti-theft protections were also built into dictionaries, maps and a variety of other reference works. (Unfortunately for the phone companies, the Supreme Court ruled in 1991 that inserting fictitious entries in an otherwise unprotected listing of raw subscriber data did not qualify the data for copyright protection.)
These days, big companies are increasingly targets of cyberattacks that are vastly more serious than a simple theft of telephone listings. But companies doing business in the United States have few legal options when setting traps for hackers.
Under current law, companies would be taking big chances if they embedded defensive measures in their own systems, such as tracking or disabling software that might increase the costs and risks of such attacks. Private contractors who launch digital counterattacks are also at risk, because our laws do not distinguish between cyberattacks and counterattacks responding to them. Bloomberg recently reported on the growing unease among big companies who are seeking out security specialists, especially in the aftermath of the massive breach at Sony Pictures last year. Health insurance provider Anthem is the latest large-scale victim.
Apart from doing whatever they can do to secure their own systems, we expect companies to rely almost entirely on the government to protect them, their data and the data of their clients or customers. But the government has so far shown little inclination or ability to take these sorts of countermeasures on behalf of private parties.
Not every company is willing to sit still and wait for hackers to take their best shots. This has led to a variety of attempts to push the limits of existing law, some of which allegedly include going on the offensive. The Federal Bureau of Investigation is currently looking into a case in which hackers working at the behest of financial institutions disabled servers in Iran that had been used to attack bank websites. And in the aftermath of the Sony attacks, fake copies of several movies were leaked onto file-sharing sites; anyone attempting to download or share those files faced attacks that slowed or disabled their systems.
The Bloomberg article suggests that law enforcement agencies are choosing to look the other way, especially when corporate counter-hacking is restricted to identifying the data thieves or the data they took, rather than trying to disable the perpetrators’ systems. But even this intelligence-gathering form of retaliation is still technically illegal under the Computer Fraud and Abuse Act. And since many attacks come from abroad, often with the tacit support of foreign governments, there are also sensitive diplomatic issues at play. Yet because companies have no legal recourse, their responses have been driven underground, where they cannot be effectively regulated or supported in the interest of limiting the growth of the international hacking trade.
Instead, more than one commenter has compared the current state of online security to “the Wild West,” with vigilantes filling the void left by ineffective lawmen. While U.S. law enforcement may be able to catch an individual here or there, hacking networks are designed to be vast, foreign-based and hard to pin down. Even if the government decided to pursue a policy of aggressive counterattack today, the job is simply too large. Taking defensive weapons out of companies’ hands is not a practical solution.
It is time to update the law. Legitimate purchasers have rights that need to be protected, such as the right to use the cellphone you bought with any software you choose. But cyber-trespassers have no rights, and they ought to have no expectation that their own computers are secure after they have hacked someone else. An updated law could build in provisions to protect innocent virtual bystanders, while establishing rules for companies to legally incorporate software to fight back against those who would steal or otherwise abuse their private data.
Think of it as the computer equivalent of “stand your ground.” You ought to have the right to kill the computer of anyone who knowingly breaks into yours.