In January the FBI & Fordham Univ. ICCS 2012 conference was held at Fordham Univ. It was a great conference with more than 30 countries represented. Most of the speakers were excellent. This was truly a great collaboration between private industry and law enforcement from all over the world.
I was somewhat apprehensive about speaking on my topic, “Hacking Back In Self-Defense: Is It Legal; Should It Be?,†since I was not sure how it would be received, especially by law enforcement. To my surprise the response was excellent. First impression from many when they read the title is that all hack back is illegal, vigilantism, unethical; but, after the lecture numerous people to include many law enforcement personnel approached me to express their interest in the topic and were happy to see an attorney trying to push the envelope and move the discussion forward.
Let’s face it, here in the US the cyber laws have not kept pace with the technology and now we find ourselves inadequately prepared to defend our networks and information primarily due to our antiquated cyber laws. I am a proponent of updating our laws but in doing so, finding the proper mix of privacy protection and enabling clear and robust defense.
Hacking-back, or aggressive cyber defense should be incorporated but with parameters and acknowledgement, by those seeking this alternative, that they are strictly liable for their actions and are prepared to make amends to innocent third parties caught in the crossfire. Obviously this is a simplification of a mission or operation that must consider many many variables and factors, to include legal issues from a multitude of jurisdictions, numerous options regarding the particular options to pursue, evidence of a clear attempt to identify the attacker through various forms of traceback, a memo outlining all of the actions pursued or contemplated prior to seeking hackback along with an analysis of why those actions either failed or were not viable options, and a very robust risk assessment weighing all of the options and comparing the amount of damage presently being sustained by the company because of the attacks with the potential for damage to others. These and many more factors must be considered and analyzed when building a case for and a plan to implement hackback.