Offensive security or active defence against cyber attacks is illegal if it is tantamount to hacking back or vigilantism, says Steven Chabinsky, senior vice president of legal affairs at security startup CrowdStrike.
The only time acting outside the law can be justified is when law enforcement and the courts would be unable to act quickly enough to prevent serious harm being done from an attack in progress, he said.
However, he warned that any such action needs to be demonstrably “necessary” in terms of speed required and “proportionate” in that it goes no further than needed to put the matter back in the hands of law enforcement.
This would be the equivalent of tackling a terrorist about to storm the flight deck of an aircraft and handing him over to police, rather than taking him down with the intent to kill, said Cabinsky.
In the cyber world, this would be taking actions outside your network to stop an attack, recover stolen data, or identify the attacker, said George Kurtz, president and CEO of CrowdStrike.
Other examples could include taking action that could result in harm outside your network, and taking action in your network without proper consent.
The least risky type of active defence, said Kurtz, would be taking actions that interact with the adversary inside or outside your network with proper consent and without causing harm.
“The aim of active defence should be to take whatever legal aggressive measures you can to drive up costs for the attacker such as feeding fake credentials and inaccurate data to attackers” he said.
Active defence, said Kurtz, also involves good attack detection systems to ensure organisations have the opportunity to act, warning potential attackers that you retain the right to monitor all network activity, and deploying technology to discover, track, isolate and manipulate adversaries in your network.
“Active defence is not revenge, it is more about fully understanding the nuances of the law and doing whatever you can within legal limits to hamper hacker activities,” he said.