Hacking Back

Overview

• "Hacking back" refers to a retaliatory and offensive cyber act against a hacker. The legality of such conduct is the subject of significant debate in both Australia and abroad.

Background

• "Hacking back" generally refers to the proactive steps taken by the victim of a cyberattack to turn the tables on its assailant in order to:
  • identify the source of an attack, including by probing a cybercriminal's infrastructure for weaknesses or snippets of information that could reveal who is behind an attack;
  • thwart or stop the crime, including by disabling the hacker's malware, or launching distributed-denial-of-service (DDoS) attacks; or
  • destroy or steal back what was taken, including by remotely breaking into a target's servers and wiping any data including stolen information or intellectual property.
• See Gavin Smith and Valeska Bloch, 'The hack back: The legality of retaliatory hacking' (Allens Insight, 17 October 2018)

Legal Framework

• In Australia, computer intrusion and unauthorised access to or modification of data (including data destruction) are offences that were introduced into the Criminal Code via the Cybercrime Act 2001 (Cth). Hacking a hacker outside one's own network therefore runs the risk of committing a criminal offence.

Criminal Code Act 1995 (Cth) ('Criminal Code')

• Parts 10.7 and 10.8 of the Criminal Code Act 1995 (Cth) (‘Criminal Code’) criminalise the following offences:
  • Computer intrusions
  • Unauthorised modification of data, such as the destruction of data
  • Unauthorised impairment of electronic communications, such as denial of service attacks
  • Creation and distribution of malicious software (such as malware, viruses and ransomware)
  • Dishonestly obtaining or dealing in personal financial information

Regulatory & Policy Framework

• Australia's International Cyber Engagement Strategy
  • Australia’s Position on the Application of International Law to State Conduct in Cyberspace
  • Australia's position on how international law applies to state conduct in cyberspace
• Australia Non Paper: Case studies on the application of international law in cyberspace

Relevant Organisations

• Australian Signals Directorate
  • Speech: Then and Now - Coming out from the shadows, Mike Burgess, Director-General, ASD (29 October 2018)
• Australian Defence Force - Information Warfare Division
  • Towards Mature ADF Information Warfare - Four Years of Growth (Speech by Major General Marcus Thompson AM, 2020)

Industry Materials

• Gavin Smith and Valeska Bloch, 'The hack back: The legality of retaliatory hacking' (Allens Insight, 17 October 2018)
• Corey Holzer and James Lerums, 'The ethics of hacking back' (2016 IEEE Symposium on Technologies for Homeland Security, 2016)
• Michael N Schmitt and Durward E Johnson, 'Responding to Hostile Cyber Operations: The “In-Kind” Option' (2021) 97(1) International Law Studies 15

Related Topics

• Computer-Based Crime
• Directors' Duties
• International Cyber Engagement