In the accelerating information frenzy of the modern world, the specter of hacking has become more threatening as technology progresses. For example, information is more accessible and vulnerable especially when it is valuable. Public and private institutions rely heavily on electronic communications and storage, which raises the stakes of a transgression. Currently, there are legal barricades and consequences for accessing or exploiting another individual’s digital information without permission, but most are defensive, and some are largely ineffective. The need for hacking countermeasures has been introduced and debated, but not satisfied. International cooperation has largely helped, but is ultimately undergirded by political motive rather than principle. To a degree, the law remains irresolute as to how to best combat online hacking and similar misconduct.
The federal government has exacted large punishments for hacking computer systems without authorization. It defines “hacking” as accessing a computer without authorization or exceeding one’s authorization access, obtaining information that the United States government determines to be classified for reasons relating to national defense or foreign relations, or willfully communicating or attempting to communicate the information to any foreign nation, or willfully retaining the information and failing to deliver it to the officer or employee of the United States entitled to receive it. It can be punished as a misdemeanor or a felony depending on the circumstances, resulting in a up to one year in prison and a $100,000 fine or up to ten years and $250,000, respectively.
So, hacking private companies or individuals can yield similar consequences. Private companies are no strangers to cyberattacks. In recent years, though, the scope of offense has broadened from companies contracted with the government or armed forces, to victims as diverse as movie studios and financial institutions. As it stands, businesses have limited avenues to justice. They may monitor, take defensive action, and fix whatever damage they incur on their own. A Congressional bill recently drafted aims to allow businesses to “hack back” legally. This can mean anything from simply tracing an attack, to identifying the attacker, to actually damaging the attacker’s devices. However, the bill in its current form is discouragingly vague, and a company’s misstep could risk violating the same laws that were meant to protect it. So, companies may be unwilling to take that risk. Another criticism of the bill is that it does little to protect innocent third parties from retaliation where their systems might simply have been hijacked in a hacker’s scheme. This concern is exacerbated by vagueness in the bill’s language allowing retaliation against “persistent unauthorized intrusion.”
A substantial portion of cyberattacks are carried out by state actors or state proxies. Perhaps the most notable recent large-scale attacks, other than the allegations of Russian meddling in the 2016 presidential election, was the “WannaCry” attack in May of 2017. Known as a “ransomware” attack, it involved the hijacking of some very important institutions across the globe – e.g., Britain’s National Health Service, FedEx. Thanks to a power outage in sub-Saharan Africa insulating some computers there from it, the British organization was able to reload its lost information. British and American cyber-security researchers suspected North Korea, who had earlier targeted Sony in response to a comedy mocking its dictator, and is known to use cyberattacks to help fund its nuclear program. Only weeks after “WannaCry,” another large ransomware attack named “NotPetya” sought to extort members of networks in Ukraine, and also to permanently damage them. So, naturally Russia was suspected. China has done its fair share of meddling as well. In 2014, the Department of Justice indicted five Chinese officers in the Third Department of the Chinese People’s Liberation Army, a branch responsible for using computer networks to steal intellectual property for the benefit of Chinese enterprises. Russia is also known to outsource its dirty work to third parties, and the victims are by no means always from the western world. Saudi Aramco, an official Saudi Arabian oil company, endured an attack that shut down its systems and ultimately required it purchase 50,000 new hard disks to replace its destroyed parts.
A geopolitical solution to the cyberattack problem might prove most useful, though also most difficult to attain. The United States and China in an exemplary effort agreed that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property.” This is essentially based solely on trust. However, though the “Liberation Army” officers will unlikely see the inside of an American courtroom, the recent indictment was a ground-breaking step to spur retraction in Chinese espionage.
In the legally murky world surrounding privacy and hacking, our law firm can help you navigate the unknown and complicated paths. Please do not hesitate to contact us for a legal consultation.