The Hack Back: The Legality of

Retaliatory Hacking
Valeska Bloch, Sophie Peach and Lachlan Peake consider whether organisations in Australia
and abroad have a right to ‘hack back’ in response to a cyber attack.

Today, the cyber battlefield is just breaking into a target’s servers Dr Alana Maurushat advocates for
as important as the physical one. and wiping any data including legislation that permits hacking back
However, in circumstances where stolen information or intellectual provided it meets certain conditions
government departments and law property.8 – in particular, that a party can
enforcement agencies are unable sufficiently attribute the source
or unwilling to effectively respond Developments in Australia of the hacking to minimise the
to cybercrime, organisations are The legal position likelihood of retaliatory measures
increasingly questioning whether being taken against the wrong
or not they have (or ought to have) The Cybercrime Act prohibits target, and that the counter-hacking
a right to ‘hack back’ as an offensive the unauthorised access to, or is reasonable, proportionate and
retaliatory measure. This article modification or impairment of, necessary when considered against
looks at how this debate is evolving data held on a computer.9 Although the harm sustained by the victim.14
at home and abroad. these laws do not draw a distinction
between hacking and hacking While the position in Australia
What does it mean to ‘hack back, ‘depending how it is done, might seem slightly more opaque
back’? [hacking back] may not be illegal.’10 than elsewhere, it is likely that
Hacking back generally refers to the One possible legal argument is that hacking back is an offence under
proactive steps taken by the victim of ‘computerised counter attack’ is Commonwealth law. Speaking to the
a cyberattack to turn the tables on its an example of self-defence.11 Some Australian Strategic Policy Institute
assailant in order to:6 academics believe self-defence on 29 October 2018, ASD Chief Mike
should permit hacking back in Burgess issued a strong warning to
• identify the source of an particular circumstances. The law Australian businesses contemplating
attack, including by probing a recognises a right to engage in active ‘hacking back’.15 Burgess unequivocally
cybercriminal’s infrastructure ‘self-help’ in certain circumstances, stated hacking back is illegal in
for weaknesses or snippets of for example, ‘the right of restraint Australia and should not form part of
information that could reveal and self-help eviction remedies in any organisation’s cyber strategy.16
who is behind an attack; landlord-tenant relations’ and the He expressed particular concern that
• thwart or stop the crime, right of self-defence in criminal cyber attacks launched by Australian
including by disabling the law to protect personal safety or businesses, or at their behest, ‘risk
hacker’s malware, or launching property.12 This is the basis on which misattribution and an escalation in
distributed-denial-of-service some argue that, in principle, the malicious activity’.17 Further, privately
(DDoS) attacks;7 or law could similarly allow active initiated attacks risk that attack being
self-help against cybercrime, misinterpreted as a state sanctioned
• destroy or steal back what was subject to certain limitations such attack, which could have significant
taken, including by remotely as necessity and proportionality.13 negative consequences.18

1 Nicholas Schmidle, The digital vigilantes who hack back, The New Yorker (7 May 2018).
2 Ibid.
3 Melissa Riofrio, Hacking back: digital revenge is sweet but risky, PC World (9 May 2013).
4 Tom Kulik, Why the Active Defense Certainty Act is a bad idea, Above the Law (29 January 2018).
5 TimeBase, The legality of defensive hacking (30 September 2013).
6 Dan Lohrmann, Can ‘hacking back’ be an effective cyber answer? Government Technology (13 February 2016).
7 Joseph Cox, Revenge hacking is hitting the big time, Daily Beast (19 September 2017).
8 Liam Tung, Is hacking in self-defence legal? Sydney Morning Herald (27 September 2013).
9 Cybercrime Act 2001 (Cth) ss 477.1 – 477.
10 Alana Maurushat, senior lecturer at UNSW Faculty of Law (see Liam Tung, Is hacking in self-defence legal? Sydney Morning Herald (27 September 2013)).
11 Ibid.
12 Jay P Kesan and Ruperto P Majuca, ‘Hacking Back: Optimal Use of Self-Defense in Cyberspace’, Oxford Research Paper, p1.
13 Ibid pp 20–24.
14 Alana Maurushat, senior lecturer at UNSW Faculty of Law (see Liam Tung, Is hacking in self-defence legal? Sydney Morning Herald (27 September 2013)).
15 Mike Burgess, Director-General ASD, Speech to ASPI National Security Dinner (29 October 2018).
16 Ibid.
17 Julian Bajkowski, Australia’s cyber spy chief slams corporates contemplating ‘hacking back’, IT News (30 October 2018).
18 Ibid.

8 Communications Law Bulletin Vol 37.4 (December 2018)

The industry position the Division is mostly concerned computers for persons defending
with the defence implications of against unauthorized intrusions
A 2017 Commbank Report found
state-to-state cyber warfare. into their computers’. Interestingly,
that Australian industry is split on
the Bill expressly recognises that
active defence and referred to a At the same time that the IWD was the nature of cybercrime makes it
survey by the Australian Strategic established, former Prime Minister ‘very difficult for law enforcement
Policy Institute which said only 10% Malcolm Turnbull also unveiled plans to respond to and prosecute [it] in a
of respondents were in favour of for the ASD to be given increased timely manner’.27
a right to hack back. In Australia, powers to respond to overseas cyber
more than 70% of data breaches criminals, stating that ‘[o]ur response To give effect to its purpose, the
are detected by law enforcement to criminal cyber threats should ACDC Bill would make limited
agencies or third parties and less not just be defensive. We must take hacking back legal by allowing
than 20% by companies’ internal the fight to the criminals.’23 At the organisations defending their
security teams.19 This may be one time, Opposition Leader Bill Shorten networks to:
reason why the preference among remarked that the protective focus
the business and broader community • destroy any stolen data;28 and
should not be limited to the ‘military
appears to be for increased law establishment’ and ‘big banks’ but • go outside those networks to
enforcement competencies (both also smaller and medium-sized access the servers being used
legal and technical) to respond to businesses, other organisations, and to conduct the attacks to gather
identified cyber intrusions, rather the health system.24 If the ASD’s new information in order to:
than legal permission for victims to competencies are focused mainly on
hack back themselves. Nevertheless, • deploy technology to identify
protecting government departments
hacking back is ‘reasonably common’ the physical locations of the
and the largest private organisations,
in Australia,20 suggesting there is hackers;
then many sectors of the Australian
some degree of frustration among economy could continue to exist in a • disrupt those servers to
the business community at perceived kind of regulatory gap, where active interrupt the attack; and
ineffectiveness of formal legal defence against cybercriminals will • monitor the behaviour
responses to hacking. either be self-initiated, or not occur of an attacker to assist in
at all. preventing future attacks.29
The Government’s approach
In July 2017, the Australian Global Developments The Bill also imposes the following
Government established the The US’s Active Cyber Defense safeguards:
Information Warfare Division Certainty Bill • The Bill provides that hacking back,
(IWD) within the Department of As in Australia, the criminal or ‘active defense’, be restricted to
Defence, headed by the Deputy prohibition in the US25 does not draw computers in the US. The difficulty
Chief (Information Warfare), Major- a distinction between hacking and with this, however, is that domestic
General Marcus Thompson. This counter-hacking, but simply provides hacking can be routed via overseas
unit is tasked with ‘defending the that using a computer to intrude servers, thus circumventing the
country’s critical infrastructure upon or steal something from application of the ACDC Bill. As
against cyberattacks and launching another computer is illegal. cybercrime is truly borderless, a
offensive cyber strikes on foreign geographic limitation on hacking is
actors.’21 The former Minister for The Active Cyber Defense Certainty of limited utility.
Cybersecurity, Dan Tehan, explained (ACDC) Bill26, introduced in 2017,
that the focus of this unit is on would lift the restriction on hacking • The Bill contains a liability
‘military cyber operations, military back. The long title of the Bill provision making organisations
intelligence, joint electronic warfare, states its purpose is ‘to provide a financially responsible for any
information operations and [the] defense to prosecution for fraud and damage caused to innocent
military’s space operations.’22 Thus, related activity in connection with computer users.

19 Commonwealth Bank, Signals: quarterly security assessment (Q1 2017).

20 TimeBase, The legality of defensive hacking (30 September 2013); and Liam Tung, Is hacking in self-defence legal? Sydney Morning Herald (27 September
2013).
21 Australian Government Department of Defence, Information Warfare Division.
22 James Elton-Pym, ‘New Australian military unit will specialise in cyber warfare’, SBS News (30 June 2017).
23 Ibid.
24 Ibid.
25 Computer Fraud and Abuse Act (1984) Title 18, Sec. 1030.
26 ACDC Bill 2017.
27 ACDC Bill 2017 s2(2).
28 ACDC Bill 2017 s3.
29 ACDC Bill 2017 s4.

Communications Law Bulletin Vol 37.4 (December 2018) 9

 suggested that many companies and
Key Takeaways large organisations already have in
place measures for defending against
• As the frequency and severity of cybercrime continues to increase, cyber-intrusion that may amount
a debate has emerged as to whether or not companies should be to hacking back,31 it appears that
allowed to exercise a kind of ‘digital vigilantism’1 by taking active steps ‘most companies and cybersecurity
to prevent or respond to cyber incidents. There tends to be two key experts’ in the US are against legally
schools of thought:
permitting counter-hacking by non-
• Those that reject hacking-back note that the risks associated state victims of cyberattacks.32
with hacking back are significant and that hacking back can have
unintended consequences. First, there is considerable difficulty To the extent that there is support
associated with identifying the perpetrator and, even if the hack for the reform in the US, it would
works, a victim may simply have invited further retaliation.2 Second, seem to be founded on the same
counter-attacks can also damage hijacked computers belonging justification expressly identified by
to innocent third parties.3 Third, most companies don’t have the the ACDC Bill33 – that is, although
skillset internally to effectively take affirmative countermeasures it would be preferable that law
against cyber criminals. Companies are finding it hard enough to enforcement and government
implement defence mechanisms to prevent attacks in the first place agencies had the sole remit and
– arming staff with the skillset to effectively ‘hack back’ takes this to responsibility for responding to
an unprecedented level.4 Nevertheless, or perhaps precisely for that cybercrime, the logistical enormity
reason, a ‘new breed of security company’ has emerged which offers of that task, coupled with the vital
to aid companies in implementing active defence measures.5
importance of cybersecurity in
• Hacking back proponents tend to argue that provided that the the modern world, may justify an
cybercrime can be accurately attributed and that any response is exception to the general principle
reasonable and proportionate, in the absence of greater government against justice being meted out by
involvement, hacking back is the only realistic solution. victims.
• In Australia, computer intrusion and unauthorised access to or The ACDC Bill was referred to
modification of data (including data destruction) are offences under the Congressional Subcommittee
the Cybercrime Act 2001 (Cth) (the Cybercrime Act). Hacking the
on Crime, Terrorism, Homeland
hacker outside your network therefore runs the risk of committing a
criminal offence. Security, and Investigations on 1
November 2017. It can be expected
• We are seeing a fascinating development in the US: on the one hand, the debate will continue whatever
legislative moves to sanction private entities to engage in active defence, view the Committee forms on the
a kind of ‘cyber vigilantism’; and on the other, pressure from security measure.
and defence agencies for an increased political appetite to operate
aggressively in response to foreign hacking. Germany
• The approach taken by German legislators has been to expand the Unsurprisingly, this issue is
powers and responsibilities of state agencies. This culminated in also occupying the attention of
the creation of a new army command responsible for responding to policymakers in Europe. In Germany,
malicious attacks. intelligence officials are advocating
for greater legal authority to hack
back in the event of cyberattacks
• The Bill would require counter- is obliged to report to Congress from foreign powers and overseas
hackers to give prior notice to the once a year on activity carried out criminals.34 The legal complication
FBI’s National Cyber Investigative under the ACDC regime. there is centred on which of
Joint Task Force so that it can Germany’s ‘more than three dozen
check for any extra-territorial The question becomes: is a measure security agencies’ will be responsible
impact and interference with such as that introduced by the ACDC for hacking back, and what the
national security operations. Bill ‘a necessary tool for companies scope of their powers would be.35
to protect their valuable information Front of mind for German legislators
• The legislation will have a sunset assets’ or is it ‘cyber-vigilantism’?30 when considering this issue is the
date of two years after passage While members of the internet weeks-long intrusion by foreign-
and the US Justice Department security industry in the US have based hackers into the networks of

30 Tom Kulik, ‘Why the Active Defense Certainty Act is a bad idea,’ Above the Law (29 January 2018).
31 Nicholas Schmidle, ‘The digital vigilantes who hack back,’ The New Yorker (7 May 2018).
32 Josephine Wolff, ‘When companies get hacked, should they be allowed to hack back?’ The Atlantic (14 July 2017).
33 ACDC Bill 2017 s2.
34 Andrea Shalal, ‘German spy agencies want right to destroy stolen data and ‘hack back’,’ Thompson Reuters (6 October 2017).
35 Janosch Delcker, ‘A hacked-off Germany hacks back,’ Politico (28 January 2018).

10 Communications Law Bulletin Vol 37.4 (December 2018)

the Bundestag, Germany’s Lower and systems from state, state- intrusions by ‘Russian actors’ is that
House, in 2015. This precipitated sponsored and non-state actors nothing has been done by the US to
the creation of a new German army alike, is that these attacks occur at force perpetrators to ‘change their
command comprising 13,500 ‘cyber a level that is ‘below the threshold calculus.’41 However, Admiral Rogers
soldiers’ and contractors in 2017, of the use of force and outside of was guarded and, under questioning
before prompting this most recent the context of armed conflict, but from Senators, quickly pointed out
agitation for increased security cumulatively accrue[s] strategic that such a shift is a shift in policy,
powers. The new army command gains to our adversaries’.40 stating: ‘I’m not going to tell the
‘protects military intelligence, president what he should do or not
communications, and geographic- One implication from the Admiral’s do … I’m an operational commander,
information systems’ and ‘currently comments is that a sophisticated not a policymaker.’42
consists largely of military personnel response from defence, security and
with backgrounds in IT.’36 The intelligence agencies will need to
incorporation of this new capacity occur at the same level – something
Valeska Bloch is a Partner in
within traditional defence structures above intelligence gathering and
the Technology, Media and
was metaphorically described by espionage, but below the use of Telecommunications Practice Group at
the unit’s head, Lieutenant Colonel force. The intention behind such Allens and Sophie Peach and Lachlan
Marco Krempel, as ‘tuning a driving a strategic shift will be to prompt Peake are Head Paralegals at Allens
car.’37 rethinking by perpetrators: a key in Sydney. This article represents the
challenge which USCYBERCOM has personal view of the authors and is not
This state-oriented approach, faced in responding to network necessarily the views of the firm.
focusing on augmenting the powers
and diversifying the capacities 36 Ibid.
of traditional security and law 37 Sumi Somaskanda, ‘Cyberattacks are “ticking time bombs” for Germany’, The Atlantic (4 June 2018).

enforcement agencies, provides an 38 Admiral Michael S Rogers, Commander: United States Cyber Command, Statement before the Senate
Committee on Armed Services (27 February 2018) p4.
interesting contrast to the ACDC 39 Ibid.
Bill in the US. The sponsors of 40 Ibid p 12
the proposed German legislation 41 Sean Gallagher, ‘Why US “cyber-warriors” can’t do anything about Russian “cyber-meddling”’, ars
clearly do not share the view of Technica, 1 March 2018.
42 Ibid.
their American counterparts that
it is overly difficult to guarantee
timely and effective responses by a
nation’s agencies to the dynamic and
fast moving problem of malicious
hacking.
The CAMLA Board for 2019
President: Martyn Taylor (Norton Rose Fulbright)
The US Military View
Vice President: Gillian Clyde (Beyond International)
Nevertheless, the view that defence
and intelligence capabilities must Vice President: Debra Richards (Ausfilm)
be reorganised and augmented to Treasurer: Katherine Giles (MinterEllison)
deal with the threat of cyberwarfare
is stirring in the US. In testimony
Secretary: Rebecca Dunn (Gilbert + Tobin)
before the Senate Armed Services Julie Cheeseman (Ashurst)
Committee, outgoing head of US Chris Chow (Chris Chow Creative Lawyers)
Cyber Command (USCYBERCOM)
and the NSA, Admiral Michael Sophie Dawson (Bird & Bird)
Rogers, identified his ‘greatest Jennifer Dean (Corrs Chambers Westgarth)
concern’ to be ‘state-sponsored
Ashleigh Fehrenbach (MinterEllison)
malicious cyber actors and the
states behind them’, as ‘many states Eli Fisher (HWL Ebsworth)
now seek to integrate cyberspace Ryan Grant (Baker McKenzie)
operations with … their traditional
military capabilities.’38 Indeed, Emma Johnsen (Marque Lawyers)
several have mounted sustained Rebecca Lindhout (HWL Ebsworth)
campaigns to scout and access [the Marlia Saunders (News Corp)
US’s] key enabling technologies,
capabilities, platforms and systems’.39 Raeshell Staltare-Tang (Bird & Bird)
Admiral Rogers explained that Tim Webb (Clayton Utz)
the problem in defending against
cyberattacks on US infrastructure

Communications Law Bulletin Vol 37.4 (December 2018) 11