Legal Merits of 'Hack Back' Strategy

Attorneys Discuss Whether Best Cyberdefense is Strong Offense

By , December 10, 2012.
Legal Merits of 'Hack Back' Strategy

Listen Now

Read Transcript

From point-of-sale hacks to malware and DDoS attacks, the top cyberthreats of 2012 have been aggressive and strong. Is it time for organizations to adopt a "hack back" strategy against perceived attackers?

This is a question being discussed by members of the American Bar Association, and it was a hot discussion topic among three leading security/privacy attorneys in a year-end roundtable panel with Information Security Media Group.

Here's an explanation of the "hack back" concept from David Navetta, who co-chairs the ABA's Information Security Committee: If you are an organization being subjected to, say, a DDoS attack, and you are able to pinpoint the source of those attacks, then you would use your own brute force to "hack back" and disable those systems.

"Why, as an organization, if you can identify the source of the attack, do you need to take the harm - potentially lost revenue - when you can potentially disable the attack?" Navetta asks. "This is a cutting-edge issue going into 2013. Some companies may want to take the hacks into their own hands and attack back."

But the hack back strategy is a legal gray area. Often in these attacks, fraudsters ensnare innocent corporate and consumer PCs in their botnets. What are the legal repercussions of gaining unauthorized access to these systems, shutting them down and perhaps even damaging them?

Panelists Ronald Raether and Lisa Sotto express concern about the ramifications of hacking back against an innocent consumer's PC. "If that's what's being hacked into," Raether says, "you're now the equivalent of bombing Switzerland in a war."

In part one of a five-part series drawing from this roundtable discussion, the three attorneys also talk about:

  • Top privacy, fraud and breach issues of 2012;
  • Changes in how courts handle data breach cases;
  • The most significant security-related legal stories of the year.

About the participants:

David Navetta is co-founder of the Information Law Group and co-chairman of the American Bar Association's Information Security Committee. He has been a keen observer of information security-related litigation, including financial fraud and state privacy laws.

Ronald Raether is partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patents; anti-trust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.

Lisa Sotto is managing partner for the New York-based law firm Hunton & Williams, where she focuses on privacy, data security and information management issues. She has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners.

Subsequent installments of this series focus on:

Follow Tom Field on Twitter: @SecurityEditor

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE ISMG's Guide to the Sony Breach

The Sony data breach is the top security news story of 2014, and ISMG has provided thorough...

Latest Tweets and Mentions

ARTICLE ISMG's Guide to the Sony Breach

The Sony data breach is the top security news story of 2014, and ISMG has provided thorough...

The ISMG Network