RSA 2013: Hacking back is illegal, says legal advisor

Active defence against cyber attacks is illegal if it is tantamount to hacking back or vigilantism, says security startup CrowdStrike.

Offensive security or active defence against cyber attacks is illegal if it is tantamount to hacking back or vigilantism, says Steven Chabinsky, senior vice president of legal affairs at security startup CrowdStrike.

“Any action by a company that can be regarded as revenge should be taken off the table,” he told attendees of RSA Conference 2013 in San Francisco.

The only time acting outside the law can be justified is when law enforcement and the courts would be unable to act quickly enough to prevent serious harm being done from an attack in progress, he said.

However, he warned that any such action needs to be demonstrably “necessary” in terms of speed required and “proportionate” in that it goes no further than needed to put the matter back in the hands of law enforcement.

This would be the equivalent of tackling a terrorist about to storm the flight deck of an aircraft and handing him over to police, rather than taking him down with the intent to kill, said Chabinsky.

In the cyber world, this would be taking actions outside your network to stop an attack, recover stolen data, or identify the attacker, said George Kurtz, president and CEO of CrowdStrike.

Other examples could include taking action that could result in harm outside your network, and taking action in your network without proper consent.

The least risky type of active defence, said Kurtz, would be taking actions that interact with the adversary inside or outside your network with proper consent and without causing harm.

“The aim of active defence should be to take whatever legal aggressive measures you can to drive up costs for the attacker, such as feeding fake credentials and inaccurate data to attackers,” he said.

Active defence, said Kurtz, also involves good attack detection systems to ensure organisations have the opportunity to act, warning potential attackers that you retain the right to monitor all network activity, and deploying technology to discover, track, isolate and manipulate adversaries in your network.

“Active defence is not revenge, it is more about fully understanding the nuances of the law and doing whatever you can within legal limits to hamper hacker activities,” he said.
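The "feeding fake credentials" and "discover, track, isolate" measures Kurtz describes are typically implemented with honeytokens: decoy credentials that no legitimate user or process ever uses, so any authentication attempt that references one is a high-fidelity signal that someone is inside the network and reading what they should not. The following is an added example written for this page, not CrowdStrike's code and not from the article. The decoy account names, the planted-file paths, the log line format and the addresses are all constructed for the example; a real deployment would generate its own decoys and parse its own authentication logs.

```python
"""Honeytoken credential detection (added example, not CrowdStrike's code).

Plant decoy credentials where an intruder would look, then treat every
authentication event that names a decoy account as an alert. Because the
decoys are never used legitimately, both failed and "accepted" attempts
are suspicious; an accepted one means the decoy account was not disabled.
"""
import re
import secrets
from dataclasses import dataclass

# Hypothetical decoy accounts and the (constructed) locations they were
# planted in. The value is only used to explain an alert to an analyst.
HONEYTOKEN_USERS = {
    "svc_backup_admin": "planted in /etc/backup/backup.conf (decoy path)",
    "oracle_dba_legacy": "planted in \\\\fileshare\\it\\credentials.txt (decoy path)",
}


def make_decoy_password(length: int = 20) -> str:
    """Random secret for a decoy account. It never grants access; it only
    needs to look real enough that an intruder will try it."""
    alphabet = ("abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%")
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed log format for the example: one authentication event per line,
# e.g. "2013-02-26T09:14:55Z auth failed user=svc_backup_admin src=10.20.30.99"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>accepted|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class HoneytokenAlert:
    timestamp: str
    user: str
    source: str
    result: str
    planted_at: str


def detect_honeytoken_use(lines):
    """Return one alert per log line that references a decoy account.
    Lines that do not match the expected format are skipped, not raised on,
    so a malformed line cannot stop the scan."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        user = m["user"]
        if user in HONEYTOKEN_USERS:
            alerts.append(HoneytokenAlert(
                timestamp=m["ts"], user=user, source=m["src"],
                result=m["result"], planted_at=HONEYTOKEN_USERS[user],
            ))
    return alerts


def sources_touching_decoys(alerts):
    """Group decoy-account activity by source address. The result is the
    list of hosts to isolate and investigate, which is the 'track and
    isolate' step rather than anything aimed outside the network."""
    by_src = {}
    for alert in alerts:
        by_src.setdefault(alert.source, set()).add(alert.user)
    return by_src


# Constructed sample log: two legitimate logins, two decoy-account attempts
# from the same host, and one malformed line the parser must ignore.
SAMPLE_LOG = [
    "2013-02-26T09:12:03Z auth accepted user=jsmith src=10.20.30.41",
    "2013-02-26T09:14:55Z auth failed user=svc_backup_admin src=10.20.30.99",
    "2013-02-26T09:15:02Z auth failed user=oracle_dba_legacy src=10.20.30.99",
    "2013-02-26T09:16:40Z auth accepted user=mjones src=10.20.30.42",
    "garbage line the parser must skip",
]

if __name__ == "__main__":
    found = detect_honeytoken_use(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.timestamp} decoy={a.user} result={a.result} "
              f"src={a.source} ({a.planted_at})")
    print("hosts to isolate:", sources_touching_decoys(found))
```

The design point is that the signal stays entirely inside the defender's own logs and network: nothing is sent to the attacker, nothing runs on their systems, and the output is a list of internal hosts to isolate, which is the low-risk category of active defence Kurtz describes.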


1 comment


This is why global organisations should base their information security operations outside the United States - e.g. inside the City of London. The legislation covering the City of London Police is different to that covering the rest of the UK and enables a level of co-operation regarding economic crime that is unique. You will, however, pay a price. Those involved will expect a rather higher standard of "genuine" (as opposed to tick box) governance before they co-operate with you.
