RSA 2013: Hacking back is illegal, says legal advisor

Active defence against cyber attacks is illegal if it is tantamount to hacking back or vigilantism, says security startup CrowdStrike.

Offensive security or active defence against cyber attacks is illegal if it is tantamount to hacking back or vigilantism, says Steven Chabinsky, senior vice president of legal affairs at security startup CrowdStrike.

“Any action by a company that can be regarded as revenge should be taken off the table,” he told attendees of RSA Conference 2013 in San Francisco.

The only time acting outside the law can be justified is when law enforcement and the courts would be unable to act quickly enough to prevent serious harm being done from an attack in progress, he said.

However, he warned that any such action needs to be demonstrably “necessary” in terms of speed required and “proportionate” in that it goes no further than needed to put the matter back in the hands of law enforcement.

This would be the equivalent of tackling a terrorist about to storm the flight deck of an aircraft and handing him over to police, rather than taking him down with the intent to kill, said Chabinsky.


In the cyber world, this would be taking actions outside your network to stop an attack, recover stolen data, or identify the attacker, said George Kurtz, president and CEO of CrowdStrike.

Other examples could include taking action that could result in harm outside your network, and taking action in your network without proper consent.

The least risky type of active defence, said Kurtz, would be taking actions that interact with the adversary inside or outside your network with proper consent and without causing harm.

“The aim of active defence should be to take whatever legal aggressive measures you can to drive up costs for the attacker, such as feeding fake credentials and inaccurate data to attackers,” he said.

Active defence, said Kurtz, also involves good attack detection systems to ensure organisations have the opportunity to act, warning potential attackers that you retain the right to monitor all network activity, and deploying technology to discover, track, isolate and manipulate adversaries in your network.

“Active defence is not revenge, it is more about fully understanding the nuances of the law and doing whatever you can within legal limits to hamper hacker activities,” he said.
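The low-risk measures Kurtz describes, seeding decoy credentials and having detection in place so that their use is noticed and the adversary can be tracked and isolated inside your own network, can be illustrated with a small honeytoken detector. The following is an added example, not code from CrowdStrike or from the original article; the decoy account names, the log format and the sample log lines are all constructed for the illustration.

```python
"""Honeytoken credential detection.

Decoy accounts planted where an intruder would look are never used by
legitimate staff, so a single authentication attempt against one is a
high-confidence signal that credentials were harvested. Everything below
(account names, log format, log lines) is constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy accounts: username -> where the lure was planted, so an
# alert can say which bait was taken.
DECOY_ACCOUNTS = {
    "svc_backup_admin": "plaintext creds.txt on file share FS01 (hypothetical)",
    "db_replication": "comment in a legacy app config file (hypothetical)",
}

# Constructed log format:
#   <timestamp> auth <success|failure> user=<name> src=<ip> svc=<service>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    svc: str
    result: str
    planted_at: str


def parse_line(line):
    """Parse one constructed auth log line; return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(lines):
    """Return one Alert per authentication attempt against a decoy account.

    Both failures and successes count: a failed login with a decoy username
    already proves the bait was picked up from wherever it was planted.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        if rec["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(
                ts=rec["ts"], user=rec["user"], src=rec["src"], svc=rec["svc"],
                result=rec["result"], planted_at=DECOY_ACCOUNTS[rec["user"]],
            ))
    return alerts


def sources_to_isolate(alerts):
    """Group decoy hits by source host.

    These hosts are candidates for containment inside your own network
    (monitoring, isolation), which is the consent-backed, harm-free end of
    the active defence spectrum described in the article.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a.user)
    return dict(by_src)


# Constructed sample log: one internal host tries both decoys; normal users
# authenticate as usual; one line is deliberately malformed.
SAMPLE_LOG = [
    "2013-02-27T10:00:01Z auth success user=alice src=10.0.1.15 svc=vpn",
    "2013-02-27T10:05:42Z auth failure user=svc_backup_admin src=10.0.5.77 svc=rdp",
    "2013-02-27T10:05:50Z auth success user=svc_backup_admin src=10.0.5.77 svc=smb",
    "this line is not in the expected format",
    "2013-02-27T10:07:13Z auth failure user=db_replication src=10.0.5.77 svc=mssql",
    "2013-02-27T10:09:00Z auth success user=bob src=10.0.1.20 svc=vpn",
]

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} decoy '{a.user}' used from {a.src} via {a.svc} "
              f"({a.result}); planted at: {a.planted_at}")
    print("hosts to review/isolate:", sources_to_isolate(found))
```

The design point is that the decoy account carries no access of its own and the response stays inside the defender's network, so the measure drives up the attacker's cost (time spent on worthless credentials) without any action against third-party systems.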
