Companies are increasingly concerned about the threat of cyber-attacks to their businesses. Their concern is understandable, as the rate of cybercrime incidents is growing every year.
In 2014, a survey conducted by the Oxford Economics and Ponemon Institute found that 60% of respondent companies had reportedly experienced a cyber-attack in the past 12 months. McAfee, a cyber-security firm, estimates that the cost that cybercrime has on the global economy amounts to over $400 billion per year.
An attack on a company’s systems can have debilitating effects. A malicious hacker may prevent a business from functioning, steal the financial details of its customers and cause irreversible reputational damage. This can result in a loss of business, a reduction in share price and angry customers bringing claims for damages that they have suffered.
The recent high-profile attack on Sony Pictures in December is a memorable example of the degree of harm that can be caused. Sony was forced to pull its film, ‘The Interview,’ from general release. Hackers also managed to disclose a large amount of sensitive information into the public domain, including the social security numbers of many of Sony’s employees and copies of previously unreleased films.
Hackers may go further than targeting data storage facilities. Last year saw the first known reported instance of a corporation’s physical systems being damaged as the result of an attack. The case related to an unnamed German steel company, whose control systems were reportedly accessed through sending what appeared to be a reputable email to an employee’s account. The malicious content of this email allowed hackers to gain access to the network and to the company’s plant machinery. The engineers lost control of the blast-furnace and were unable to properly shut it down, resulting in alleged “massive” damage.
As a result of this increasing prevalence of cyber-attacks, it is now common for large corporations to employ security experts who are capable of designing sufficiently robust IT systems to deter all but the most determined and capable hackers. Yet, the demand for these skilled individuals is so high that it often outstrips supply. This is leading some managers to employ reformed hackers who are ex-convicts. In fact, a recent survey conducted by KPMG suggested that over half of UK companies would consider hiring a hacker with a criminal record to prevent against attacks.
Some companies are reportedly taking even more drastic action and retaliating against the perpetrators of cyber-attacks – a trend otherwise known as “hacking-back”.
Hacking-back may, for instance, be motivated by a company seeking to put an end to an existing threat, looking to recover lost data or attempting to disable systems and therefore prevent future attacks occurring. To do this they may attempt to hack into the host system. Alternatively, they may look to bring an end to the attack through what is called a Distributed Denial of Services process (DDOS). A DDOS seeks to disable a system, generally through saturating it with external communications sent from multiple computers and therefore overloading the network.
Legal and practical implications
When an attack strikes, hacking-back may seem like a legitimate measure to take to protect the company and its customers’ interests. Yet any such steps are likely to be deemed illegal under English law.
The Computer Misuse Act 1990 makes it a criminal offence to gain unauthorised access to a third party’s computer or data. It is also an offence to impair the operation of a third party computer, through a DDOS attack for instance. If the perpetrator is found guilty, then they could face up to two years’ in prison.
Although countries such as The Netherlands have recently sought to legalise hacking-back, there currently remains no relevant defence or exception to the Computer Misuse Act’s offences in England. However, to date there have been no known successful prosecutions that have been brought against any UK companies, its management or directors for committing these types of offences. Although this does not mean this won’t happen in the future.
Beyond the legal implications, hacking-back may also have other unintended consequences. Skilled hackers often use multiple “bots” to launch their attacks; these are usually third party computers that have become infected. This could mean that instead of hacking-back against the perpetrator, a company may find themselves bringing down an innocent party’s system. In addition, the increasing prevalence of cyber-attacks being sponsored by nation-states such as Russia, North Korea and Iran means that retaliation could have serious diplomatic consequences for the UK government.
Protecting against the risks of an attack
In-house lawyers and IT directors should therefore beware of the large risks that hacking-back is likely to entail. Companies are advised to avoid the temptation and instead mitigate their risks by improving internal security management. This may be achieved by adopting best industry practice protocols, such as ISO 27001 and looking to separate business networks from critical networks, so to avoid a German steel scenario, where the blast-furnace would have been protected if it wasn’t indirectly connected to the company’s email server.