Future Tense

The Right to Bear Denial-of-Service Attacks

Do we need a Second Amendment in the cyber world?


Should companies be allowed to “hack back” against cyberattacks?

Photo illustration by James Emmerman. Images courtesy of Shutterstock.

Maybe the only thing Americans agree on when it comes to the Second Amendment is that the “right of the people to keep and bear arms” is all about guns and gun control. We’re very used to seeing that language invoked around incidents of gun violence. So it was striking to see the logic of the National Rifle Association applied to a completely different context in a piece about cybercrime in the New York Times on June 21, in which Jeffery Stutzman, the vice president of the cybersecurity intelligence sharing consortium Red Sky Alliance, is quoted as saying, “I do really believe there should be a Second Amendment right in cyber.”

But what are “cyber arms,” and what would it mean to have a right to bear them?

The tools that are wielded as “weapons” in this space are the same as the ones that we use on a daily basis—computers and software. We’re already all walking around with those in our pockets. The idea of a right to cyber arms has nothing to do with what you can carry or buy when it comes to computers or code. It has everything to do with how you use those tools and where you draw the line between offense and defense in the virtual world.

Sometimes that’s easy. Anti-virus software, firewalls, and intrusion detection systems, for instance, operate on a defender’s own network and do not venture beyond those confines to affect machines that belong to other people. These are clearly defense. On the opposite end of the spectrum, the U.S. Air Force last year explicitly designated six “cyber tools” as weapons. Presumably, these are programs that are aimed at targeting networks and machines belonging to others in a manner that lands squarely in the category of offense. On the whole, this distinction between measures that operate on and affect your own computer systems and those that target and impact machines belonging to others is the clearest way to distinguish between defense and offense—and, not coincidentally, legal and illegal civilian activity—in cyberspace.

The gray area comes in when nonmilitary actors, usually companies, feel that the only way to defend against a threat or attack is to strike back at the machines it originates from, either to mitigate the immediate harm by taking the offending machines offline or to retaliate and deter future attacks. This notion of “active defense” or “hacking back”—in which defenders don’t just protect their own networks but actively go after their attackers as well—is what people like Stutzman mean when they invoke a “Second Amendment right in cyber.”

And while it’s not as familiar as the self-defense debates that center on guns, this conversation about how far firms should be allowed to go when it comes to protecting their computer networks has actually been going on for years. Currently, under the U.S. Computer Fraud and Abuse Act, it is illegal to access a computer system in any manner—for self-defense purposes or otherwise—without authorization. But for more than a decade, companies have tried to argue that there are certain circumstances when defending their assets and interests warrants unauthorized access. A bill introduced in Congress in 2002, but never passed, sought to permit companies to actively combat peer-to-peer copyright infringement with technical measures including denial-of-service attacks intended to flood offending servers.

Defensive attacks are also a recurring theme in government reports from the past decade, though they are often addressed with some trepidation. A 2009 National Research Council report on “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,” for instance, suggests that existing rights to the defense of property may apply to cyberattacks so that “even a private party under continuing cyberattack may itself have some rights to use a cyberattack of its own to stop the incoming cyberattack.” Still, the report cautions, that rationale has never been invoked in court in such a context so its applicability is “subject to some doubt” and such attacks may have other harmful consequences, including being attributed to the government of the country from which they originate.

A 2013 report from the Commission on the Theft of American Intellectual Property also tackled the issue, albeit with a more decisive stance on the legality of counterstrikes. It stated:

While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

The authors concluded they were “not ready” to endorse the legalization of such measures for fear of the unintended consequences—but they left open the possibility that changes along these lines may be warranted in the future. They note that “entirely defensive measures are likely to continue to become increasingly expensive and decreasingly effective, while being unlikely to change the cost-benefit calculus of targeted hackers away from attacking corporate networks.”

It’s possible—though by no means certain—that permitting companies to undertake more active counterstrikes, either for mitigative or retributive purposes, could more effectively deter attacks than traditional, passive forms of defense. But what both government reports get right—and Stutzman gets wrong—is that the tremendous risks of explicitly endorsing such measures far outweigh the potential benefits.

Those risks include the possibility of targeting the wrong actors with counterstrikes—both because attribution is very difficult in many of these cases and because cyberattacks are often routed through intermediate machines, so even if you can definitively identify the source of an attack you cannot be certain whether the attack actually originated from that source or whether it was merely an unwitting intermediary. On top of those fears are the concerns aired in the NRC and IP Commission reports that governments may be wrongly blamed for attacks launched by companies within their borders and such actions may exacerbate the already strained international policy efforts surrounding cybersecurity. Similarly, a government that took steps to legalize such measures would be likely to attract criticism and mistrust from foreign states and thereby move the ongoing debates in a decidedly unproductive direction.

It’s understandable that some companies under attack are frustrated with the options available to them and chomping at the bit to use their considerable resources to strike back. But a so-called right to cyber arms ultimately poses more threats than it mitigates, and it’s hard to make the case that the way forward on cybersecurity is to encourage more attacks. Here, the best defense is a good defense.

This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.