Baker’s advocacy is driven not by industry interests so much as by his own deeply held belief that government officials and law enforcement agencies are incapable of addressing online threats themselves. “It’s like the NRA saying, ‘When seconds count, the police are only minutes away,’ except the police are days away when you’re talking about cybercrime,” Baker says.
Baker and Representative Graves, though, are in the minority. At least among most people willing to speak on the record, legalizing proactive responses to cybercrime is a wildly unpopular idea. Its critics range from law enforcement officials who worry it will complicate investigations of cyberattacks, to lawyers who caution that such activity might well violate foreign laws even if the U.S. permits it, to security advocates who fear it will merely serve as a vehicle for more attacks and greater chaos, particularly if victims misattribute an attack to the wrong party, or even invent or stage fake attacks from adversaries as a pretext for hacking back.
And if big tech firms are clamoring for the opportunity to go after their attackers more aggressively, they are certainly not doing so publicly. “I haven’t heard from particular companies that they want to have that activity authorized,” says Greg Nojeim, the director of the Freedom, Security and Technology Project at the Center for Democracy and Technology, a think tank. At least a couple of companies have actively gone after adversaries in the past: Google reportedly breached a computer in Taiwan in 2010 while investigating attacks on its customers, and in 2014 the FBI examined whether some banks had hired hackers to crash servers being used by Iran. But known examples are few and, on the whole, relatively tame.
“I think a lot of companies would be hesitant to take the position,” Nojeim continued, “that it’s okay to engage in active-defense measures on somebody else’s network out of fear that their own networks would then become targets.” He, like many critics of broad hacking-back legalization, draws distinctions for defensive activities he views as less problematic. For instance, he is comfortable with “beaconing,” the practice of embedding code in sensitive files so that, if a stolen copy is opened, the file reports back to its owner the IP address of the machine it was opened on. The beacon stays on the owner’s own data rather than touching the attacker’s systems, which is what sets it apart from hacking back; the trade-off is that the address it reports may be a proxy or intermediary rather than the attacker’s own machine.
Others argue that the crucial limits relate to who is permitted to hack back rather than what they are permitted to do. For instance, Jeremy Rabkin, a law professor at George Mason University, has advocated for putting together a list of cybersecurity firms vetted by the U.S. government, so that companies could hire an approved hack-back vendor to go after their online adversaries. “A lot of things can go wrong when people start mucking around in your files and your systems,” Rabkin told me. “You have to trust these people; you have to be sure that they’re not going to steal stuff or tip off other people.” In his estimation, there are only a handful of firms, mostly highly regarded security companies and contractors with longstanding relationships with the U.S. government and ex-military personnel, that can be trusted to pull this off.