This is a bit old, but the Steptoe & Johnson LLP Steptoe Cyberblog posted a great exchange on hackback. Participants included Stewart Baker, Orin Kerr, and Eugene Volokh.
I don’t know if hackback is legal under the CFAA, but I don’t think it really matters. Change the CFAA. Pass a statute that allows companies to engage in hackback. Clarify their rights. Make them get authorization from DOJ before doing so, and make DOJ do a necessity/proportionality/distinction analysis before granting it. The key isn’t to outlaw hackback (because companies are already engaged in hackback now, and will likely continue regardless of its legality), but rather to create liability rules that limit its harmful effects while enabling its benefits.
The better debate (reflected in the exchange) is the policy question: not so much whether hackback is legal, but whether hackback is wise. I think so. Detractors point to attribution concerns, the possibility of collateral damage to innocent computer systems, etc. Valid concerns, but don’t allow a company to engage in hackback unless it has met some high standard of attribution. That’s where the DOJ/government-backed authorization process comes in.
While I’m on the subject, this looks to be a good one. I apologize for not reminding you about the early bird special, but you can still get a discount if you lock your registration in now. AIA Global Inc’s “Suits & Spooks” event:
“Offense As Defense”
Some of the most important discussions that will take place in 2013 will be around the need for the private sector to become more aggressive in the defense of their systems. Among the many questions to be considered are:
- Since the federal government has not successfully defended private networks from attack, should the private sector be legally authorized to strike back in self-defense?
- Where’s the line drawn between vigilantism and appropriate proportional response?
- Does Title 18 need to be modified to permit companies to adopt an active defense posture?
- What are the national and international legal issues?
- Is this a necessary change or a terrible idea?
- How does the increasingly lucrative market for offensive malware affect the active defense movement?
These questions and more will be examined and debated at Suits and Spooks DC to be held at the Waterview Conference Center in Arlington, VA on February 8-9, 2013. We’ll be inviting industry veterans, government officials, hackers, lawyers, Special Operations Forces personnel, and security researchers to join in the discussion along with our registered attendees.
admin
I have great respect for both Orin Kerr and Stewart Baker. I used Kerr’s book COMPUTER CRIMES for three years when I taught that course, and I use portions of Baker’s SKATING ON STILTS in my Cyber Security Law & Policy Course. Still, I think that Kerr is correct and Baker is mistaken on whether hackback is legal under Section 1030 (Computer Fraud and Abuse Act). Hackback is almost always an unauthorized access — and, hence, a crime — unless performed pursuant to a “lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.” Mr. Baker’s argument to the contrary is very weak. The policy issue, however, is an entirely different matter, as Zach notes in the primary post on this blog.