I have noticed, at least amongst lawyers, there does not seem to be much middle ground when it comes to “Active Defense” or hack back and the right of self-defense. Those who comment on it either agree self-defense exists in cyberspace, with very few in this camp, or it doesn’t, which is where the majority stand. All I ask of most is don’t simply jump to the conclusion that self-defense does not exist and “Active Defense” or hack back is illegal, but instead look at the arguments, potential fact scenarios, and definitions.
“Active Defense,” has many definitions and should not be strictly equated to hack back. Hack back, instead may be considered a subset of “Active Defense,” which does include cyber self-defense or cyber self-help. Whether or not a company can utilize these theories depends entirely on the given facts of a situation. For instance, if a company has suffered a cyber attack and cannot show the attack continues or is persistent, they will not likely be able to make a case for the use of self-defense. My draft definition of “Active Defense” (still a work in progress) is as follows: “a meticulous and escalated approach to a persistent cyber attack wherein the company leadership makes a decision whether or not to progress at pre-determined decision-points, evaluating risk, liability and legal issues.” Each decision-point will include all of the intelligence gathered, all potential options, tools, techniques, possible scenarios, potential risks, liability, and legal issues. Depending on the facts and the confidence of the decision-maker there can be few decision points or many. The number of decision-points is also a factor to consider in the scenario and the actual amount of liability, if any, may depend on how meticulous and cautious the decision-maker acted. For example, the first decision-point may be whether the attack(s) is or are persistent. “Active Defense” is very fact dependent.
Unfortunately most jump immediately to the conclusion that Active Defense, or hack back are illegal. In my opinion this is a very shortsighted view. If you are a company losing a lot of money, can show you have implemented good or better security, and have taken an escalated approach collecting intel and evaluating risk, liability and legal issues along the way, then I believe you do have a right to defend yourself. Again, it is very fact specific. This is where most people then pull out the “attribution” card and claim you will impact an innocent bystander.
If someone drugs and hypnotizes an innocent bystander and convinces him to shoot at you, don’t you have the right to shoot back in self-defense? This is similarly fact dependent. For instance, if you know the person is an innocent bystander you would likely try and run away and get help, maybe call the police. You might even attempt an escalated approach causing as little harm as possible to the innocent drugged and hypnotized bystander. In the end if it is you or him most will likely opt to save their own lives. Now remember, self-defense applies to person or property. So, in the end most will opt to save their own property over the property of the innocent bystander.
So, if a server is compromised and being used to attack my company, don’t I have the right to defend against that server? In this scenario I am assuming I cannot identify who owns the server. If I could I would simply call that person or company and ask that the server be shut down or the malware removed. Also, is the owner of the compromised used to attack me truly an innocent bystander? Is there contributory negligence on the part of that server owner for not having adequate security and allowing his system to be compromised? In a perfect world you could say no, but today many if not most compromises occur because companies have not used due diligence in keeping systems patched and implementing basic security. Enough for now, comments?
That’s not a definition because it says nothing about a defining characteristic of HOW one can go about “actively defending”. The term is vague and almost meaningless. That definition could be used for ANY reactive incident response program.
Perhaps. But you would be guaranteed at the very least a ,major civil law suit from the victim’s family that would put you in the poor house, and very likely a criminal felony charge for use of excessive force. Look up the law on firearms self-defense – it’s heavily weighted against the use of firearms in self-defense depending on a given state’s laws.
The same would apply to “Active Defense”. Any company that trespassed on any other individual or company during that process would be immediately liable for a civil suit and probably criminal charges.
Irrelevant to whether you can legally affect that person’s machines without going through law enforcement or civil suit procedures.
I’m sorry but “Active Defense” is a meaningless term and the recommendations are legally questionable. Aside from doing some sort of “recon” to determine where an attack is actually coming from, there is very little the victim of a cybercrime can do legally to “strike back” at an attacker.
Furthermore, it’s not clear that anyone other than a large corporation could profitably expend the time and effort to engage in that sort of behavior as opposed to expending the same effort on reactive and proactive defense.
Richard, to your first point: exactly! Active Defense is not hack back, as I stated, but hack back is a subset or option if you will. As to whether it is a definition, it is a definition, it just happens to be my definition since I have not seen an official one.
Point 2: self-defense scenario – in my State we have the “make my day” law, so I have every right to defend myself. That aside, the decision points are where the company leadership decides how much they believe, if sued, they will have to spend defending and gauge this against how much they are losing from hackers.
Point 3: anyone who employed active defense would be immediately liable both civilly and criminally. Well, hate to say it, but you are wrong. As I stated, this is all fact specific. Criminally, you have to violate the CFAA and not every action you take is a violation. Civilly, again assuming you do something that violates the CFAA, and on the other hand, I would argue contributory negligence based on the so-called innocent bystander allowing their network to be compromised and if need by counter-sue.
Point 4: contributory negligence is not irrelevant, and contacting law enforcement is a business decision each owner has to make. There is no requirement to call LE and doing so could even impact reputation.
Point 5: “active defense is meaningless.” Well, this is the sort of naysayer reaction that keeps companies directly in the grips of hackers. “Its illegal, you can’t do anything other than rely on LE who is overworked and under paid, and the world will self-destruct if you do otherwise.” Think outside the box. Provide solutions, don’t just say NO. If you are not part of the solution you are part of the problem.
Point 6: Bingo, the extreme options in active defense are only for corps losing a lot of money or intellectual property and are at the point of taking action to preserve or save the company. If you have good effective reactive and proactive defensive techniques that will do the job I would love to hear them and I would bet many others as well.
Thanks for the comment and I look forward to your response.