Active cyberdefense: What are the legal limitations?

Date: Dec 06, 2013

For some time, active cyberdefense, sometimes referred to as attacking or hacking back, was a conversation for backroom officials working in classified environments. But, more recently, active cyberdefense has gained traction at organizations of all shapes and sizes as IT security professionals struggle to keep up with advanced cyberthreats.

But did you know that an active cyberdefense strategy could get you in trouble with the law -- even if you're striking back at the attacker who hacked you first? At ISSA's international conference in Nashville, Tenn., this fall, SearchCIO-Midmarket Editorial Director Christina Torode sat down with Randy Sabett, an attorney at ZwillGen PLLC, to follow up on his conference session, "Walking into a minefield: The legal pros and cons of active cyber defense."

In this Ask the Expert video, find out why an active cyberdefense strategy could put an organization at legal risk.

What legal limitations should you be aware of before you decide to pursue a strategy of active cyberdefense?

Randy Sabett: The one that gets talked about most frequently, and I think that is to some extent misinterpreted, is the Computer Fraud and Abuse Act [CFAA], which basically focuses on 'unauthorized access.' The other piece is 'exceeding authorized access.'

Let's say I'm attacking you and I've essentially crossed that barrier. I've gone inside your network, I've broken in, I'm stealing your trade secrets and I'm stealing the PII [personally identifiable information] you have on your customers. I've committed a Computer Fraud and Abuse Act violation.

From an active cyber-response or active cyberdefense perspective, if you now come back at me yourself or maybe you hire one of these companies, the thing that you have to worry about is, 'Are the activities that you're engaged in, or that you've authorized someone to engage in, potentially violating the CFAA?' Then this gets into an almost hyper-technical discussion of what the likelihood is of me as an attacker -- I'm already violating your network -- to now bring about a Computer Fraud and Abuse Act violation against you. That's from the civil side, but you always have to worry. The other piece you have to worry about is from a law enforcement perspective. There is the possibility that law enforcement could bring action.

MORE VIDEO INTERVIEWS FROM ISSA

Stay ahead of cybercriminals with free tools

Age-old computer security question answered

Three-step plan for securing networks

CISO weighs in on threat detection and visibility

The Computer Fraud and Abuse Act is one [concern]. ECPA -- the Electronic Communications Privacy Act -- is another one. Part of the problem here is that there's nothing directly on point. There's nothing that says it is OK to do things up to this point. All we have is something that says you can't engage in unauthorized access. As a result, there are a number of folks that [feel], as far as this topic is concerned, it's black and white, or it's binary. If you're engaged in anything other than defensive activity, it's a CFAA violation and you're breaking the law. Unfortunately things aren't that clear.

The best example that I can give, that I think really illustrates this: I've broken into your network. I have stolen your critical intellectual property [IP]. I've got these documents of yours that I'd rather store on somebody else's computer, hot point or some other network that I have broken into as well, or I put them on my network. These documents have what's called beaconing technology, just as an example. The way beaconing technology works is that when it leaves your network, it phones home and says, 'Here I am.'

The question then becomes, what do you do? Do you simply delete the document off of my network if you can get access? Now you've gone into my network. Do you just cause the document to encrypt itself? There are a number of things that could be done at that point.

Some people really take the Computer Fraud and Abuse Act to an extreme. They'll say, 'The mere fact of the beacon running, using computer cycles off of a computer on my -- the attacker's -- network, to tell you where the document is, that's unauthorized access. I did not authorize you to run that small piece of code on my network, yet I'm the one who stole your IP."

This is one of the reasons why we need more clarity, and it is not there right now. It is very hard to interpret under existing law what's OK and what's not.