Active cyberdefense: What are the legal limitations?

Date: Dec 06, 2013

For some time, active cyberdefense, sometimes referred to as attacking or hacking back, was a conversation for backroom officials working in classified environments. But, more recently, active cyberdefense has gained traction at organizations of all shapes and sizes as IT security professionals struggle to keep up with advanced cyberthreats.

But did you know that an active cyberdefense strategy could get you in trouble with the law -- even if you're striking back at the attacker who hacked you first? At ISSA's international conference in Nashville, Tenn., this fall, SearchCIO-Midmarket Editorial Director Christina Torode sat down with Randy Sabett, an attorney at ZwillGen PLLC, to follow up on his conference session, "Walking into a minefield: The legal pros and cons of active cyber defense."

In this Ask the Expert video, find out why an active cyberdefense strategy could put an organization at legal risk.

What legal limitations should you be aware of before you decide to pursue a strategy of active cyberdefense?

Randy Sabett: The one that gets talked about most frequently, and I think that is to some extent misinterpreted, is the Computer Fraud and Abuse Act [CFAA], which basically focuses on 'unauthorized access.' The other piece is 'exceeding authorized access.'

Let's say I'm attacking you and I've essentially crossed that barrier. I've gone inside your network, I've broken in, I'm stealing your trade secrets and I'm stealing the PII [personally identifiable information] you have on your customers. I've committed a Computer Fraud and Abuse Act violation.

From an active cyber-response or active cyberdefense perspective, if you now come back at me yourself or maybe you hire one of these companies, the thing that you have to worry about is, 'Are the activities that you're engaged in, or that you've authorized someone to engage in, potentially violating the CFAA?' Then this gets into an almost hyper-technical discussion of what the likelihood is of me as an attacker -- I'm already violating your network -- to now bring about a Computer Fraud and Abuse Act violation against you. That's from the civil side, but you always have to worry. The other piece you have to worry about is from a law enforcement perspective. There is the possibility that law enforcement could bring action.

The Computer Fraud and Abuse Act is one [concern]. ECPA -- the Electronic Communications Privacy Act -- is another one. Part of the problem here is that there's nothing directly on point. There's nothing that says it is OK to do things up to this point. All we have is something that says you can't engage in unauthorized access. As a result, there are a number of folks that [feel], as far as this topic is concerned, it's black and white, or it's binary. If you're engaged in anything other than defensive activity, it's a CFAA violation and you're breaking the law. Unfortunately things aren't that clear.

The best example that I can give, that I think really illustrates this: I've broken into your network. I have stolen your critical intellectual property [IP]. I've got these documents of yours that I'd rather store on somebody else's computer, hot point or some other network that I have broken into as well, or I put them on my network. These documents have what's called beaconing technology, just as an example. The way beaconing technology works is that when it leaves your network, it phones home and says, 'Here I am.'

The question then becomes, what do you do? Do you simply delete the document off of my network if you can get access? Now you've gone into my network. Do you just cause the document to encrypt itself? There are a number of things that could be done at that point.

Some people really take the Computer Fraud and Abuse Act to an extreme. They'll say, 'The mere fact of the beacon running, using computer cycles off of a computer on my -- the attacker's -- network, to tell you where the document is, that's unauthorized access. I did not authorize you to run that small piece of code on my network, yet I'm the one who stole your IP.'

This is one of the reasons why we need more clarity, and it is not there right now. It is very hard to interpret under existing law what's OK and what's not.
