In the accelerating information frenzy of the modern world, the specter of hacking has become more threatening as technology progresses. For example, information is more accessible and vulnerable especially when it is valuable. Public and private institutions rely heavily on electronic communications and storage, which raises the stakes of a transgression. Currently, there are legal barricades and consequences for accessing or exploiting another individual’s digital information without permission, but most are defensive, and some are largely ineffective. The need for hacking countermeasures has been introduced and debated, but not satisfied. International cooperation has largely helped, but is ultimately undergirded by political motive rather than principle. To a degree, the law remains irresolute as to how to best combat online hacking and similar misconduct.
The federal government has exacted large punishments for hacking computer systems without authorization. It defines “hacking” as accessing a computer without authorization or exceeding one’s authorization access, obtaining information that the United States government determines to be classified for reasons relating to national defense or foreign relations, or willfully communicating or attempting to communicate the information to any foreign nation, or willfully retaining the information and failing to deliver it to the officer or employee of the United States entitled to receive it. It can be punished as a misdemeanor or a felony depending on the circumstances, resulting in a up to one year in prison and a $100,000 fine or up to ten years and $250,000, respectively.
So, hacking private companies or individuals can yield similar consequences. Private companies are no strangers to cyberattacks. In recent years, though, the scope of offense has broadened from companies contracted with the government or armed forces, to victims as diverse as movie studios and financial institutions. As it stands, businesses have limited avenues to justice. They may monitor, take defensive action, and fix whatever damage they incur on their own. A Congressional bill recently drafted aims to allow businesses to “hack back” legally. This can mean anything from simply tracing an attack, to identifying the attacker, to actually damaging the attacker’s devices. However, the bill in its current form is discouragingly vague, and a company’s misstep could risk violating the same laws that were meant to protect it. So, companies may be unwilling to take that risk. Another criticism of the bill is that it does little to protect innocent third parties from retaliation where their systems might simply have been hijacked in a hacker’s scheme. This concern is exacerbated by vagueness in the bill’s language allowing retaliation against “persistent unauthorized intrusion.”