Hacking Back

Overview and Background

“Hacking back” generally refers to proactive steps taken by the victim of a cyberattack to retaliate against an assailant. Such measures may include:
  • identifying the source of an attack, for example by probing an attacker’s infrastructure for weaknesses or information revealing attribution;
  • thwarting or stopping the crime, such as disabling malware or launching denial-of-service countermeasures; or
  • destroying or recovering stolen material, for instance by remotely accessing a target’s servers to delete or retrieve stolen data.

The term is used interchangeably with "active defence," "counter-hacking," and "retaliatory hacking". It encompasses actions that blur the line between defensive and offensive cyber activity, and raises legal and policy concerns about attribution, collateral damage, escalation, and accountability.

In November 2022, following the Optus and Medibank breaches (see LitigationAndInvestigations), the Commonwealth announced a Joint Standing Operation Against Cyber Criminal Syndicates (JSO) between the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) to “hack the hackers.” The JSO was framed as targeting ransomware groups and criminal syndicates, with ministers promising day-to-day disruption of operations. Commentators noted that it largely extended existing disruption practices, but the announcement of the JSO itself signalled a more assertive posture.

In Australia, hacking back by private entities is unlawful. Part 10.7 (Computer Offences) and Part 10.8 (Financial Information Offences) of Schedule 1 of the Criminal Code Act 1995 (Cth) (the Criminal Code) (as inserted by the Cybercrime Act 2001 (Cth)) make it an offence to:
  • access, modify or impair restricted data or electronic communications without authorisation (ss 477.1–477.3, 478.1–478.3);
  • create or distribute malicious software (s 477.2); and
  • dishonestly obtain or deal in personal financial information (s 480.4).
Some national security and law enforcement agencies may exercise powers that resemble hacking back:
  • Australian Security Intelligence Organisation Act 1979 (Cth) (ASIO Act):
    • Under s 25A (computer access warrants), the Attorney-General may authorise ASIO to access a specified computer to collect intelligence relevant to a defined “security matter”. Such warrants may permit adding, copying, deleting or altering data where necessary to obtain access or conceal activities, but not for general disruption.
    • Related warrants include s 27A (foreign intelligence warrants) and s 27C (identified person warrants).
  • Surveillance Devices Act 2004 (Cth) (following changes effected by the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth)), Part 2, Divisions 4–6 provide for:
    • computer access warrants (s 27D), permitting covert entry to data;
    • data disruption warrants (s 27KA), expressly authorising modification, deletion or disruption of data to frustrate serious offences; and
    • network activity warrants (s 27KK), enabling the mapping of criminal networks.
    • These provisions empower the AFP and ACIC, under judicial or Australian Review Tribunal authorisation, to engage in disruption activities that fall within the concept of hacking back.
  • Intelligence Services Act 2001 (Cth):
    • The ASD, ASIS and AGO are generally restricted to operations outside Australia (ss 6–7).
    • ASD’s functions include preventing or disrupting cybercrime by persons overseas (s 7(1)(c)).
    • Ministerial authorisation under ss 8–9 may extend powers in limited circumstances, but the Act prevents agencies from exercising activities that fall within ASIO’s warrant-based remit.

Regulatory & Policy Framework

Relevant Organisations

Industry Materials

AustLII Communities. This site is powered by Foswiki. Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.