As I have discussed for the last two weeks, cannabis businesses have become increasingly vulnerable to cyberattacks. It is natural for a company victimized by a data breach to want to retaliate by hacking back. However, under current U.S. law, codified in the Computer Fraud and Abuse Act (“CFAA”), intentionally accessing another’s computer without authorization is strictly prohibited.
Legislators have given some thought to this problem. Most recently, the re-introduction in October 2017 of the Active Cyber Defense Certainty (“ACDC”) Act, a bill sponsored by Congressman Tom Graves (R-Ga) and Congresswoman Kyrsten Sinema (D-Az), raised questions about the legality of counterattacking. Indeed, the ACDC Act proposes to amend the CFAA and enable victims of cyberattacks to adopt active defensive measures to identify the hackers, destroy information originally stolen from the victims’ networks, and attack the intruders’ servers to interrupt the ongoing attack. Although an eye-for-an-eye form of justice is appealing, unauthorized access to networks is not a good idea. Here is why.
First and foremost, the ACDC Act has not been enacted. This means that the CFAA remains the law of the land, and accessing others’ computer systems without their permission is a criminal offense. Every state also punishes hacking under its own computer crime statutes. These crimes carry serious penalties ranging from a class B misdemeanor (punishable by up to six months in prison, a fine of up to $1,000, or both) to a class B felony (punishable by up to 20 years in prison, a fine of up to $15,000, or both).
Second, even if retaliation were legal, most companies would lack the expertise required to safely conduct an offensive cyber operation. It is incredibly difficult to identify the individuals and entities behind cyberattacks. Most intruders cover their tracks very carefully by using encryption and by routing their strikes through others’ computers. Given this, counter-hacking would most likely end up attacking computer systems and destroying data belonging to innocent third parties.
Then there is the issue of whether victim companies have the technical proficiency required to take effective countermeasures against cyber intruders. Building the internal capability needed to hack back effectively is a major undertaking: it requires a high level of expertise, constant vigilance, and huge financial resources. Moreover, it is highly unlikely that companies that could not prevent the intrusion into their networks would manage to take on their attackers on the attackers’ own digital turf.
Lastly, retaliation by companies that fell victim to a data breach would most certainly impede law enforcement investigations and could delete or tamper with evidence that would be useful in a prosecution. Unlike law enforcement agencies, companies do not have the relevant technical expertise or diplomatic tools to pursue hackers. Most companies do not know how to preserve a chain of custody that would allow untampered evidence to be introduced at trial. In addition, counter-hacking is an incredibly dangerous endeavor because it is very difficult, if not impossible, to know what a company would be up against. In retaliating, a company would run the risk of escalating the situation and of further injuring itself.
As I have discussed before (here and here), no one and no company is immune to cyberattacks. It is understandable that companies, including cannabis companies, are getting tired of being passive and of merely defending against these breaches. However, hacking back is not a feasible option given its illegality and the negative consequences it could have for the retaliating company. When faced with a data breach, don’t let your emotions dictate your actions; instead, stick with a comprehensive plan of action that will help you minimize your damages, and let skilled, experienced law enforcement agents do the job of tracking and investigating your attackers.