[1] Rush, The Body Electric, on Grace under Pressure (Mercury Records 1984).
[2] Sean Sposito, Banks Remain the Top Target for Hackers, Report Says, Am. Banker (April 23, 2013, 10:04 AM), http://www.americanbanker.com/issues/178_78/banks-remain-the-top-target-for-hackers-report-says-1058543-1.html.
[3] Eric A. Fisher, Cong. Research Serv., R 42114, Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions 3 (2013), available at http://fas.org/sgp/crs/natsec/R42114.pdf (discussing, for example, the Federal Information Security Management Act).
[4] See Yonatan Lupu, The Wiretap Act and Web Monitoring: A Breakthrough for Privacy Rights?, 9 Va. J.L. & Tech. 3, ¶¶ 7, 9 (2004) (discussing the use of the ECPA and the lack of words such as “Internet,” “World Wide Web,” and “e-commerce” in the text or legislative history); see also Eric C. Bosset et al., Private Actions Challenging Online Data Collection Practices Are Increasing: Assessing the Legal Landscape, Intell. Prop. & Tech. L.J., Feb. 2011, at 3 (“[F]ederal statutes such as the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA) . . . were drafted long before today’s online environment could be envisioned . . . .”); Miguel Helft & Claire Cain Miller, 1986 Privacy Law Is Outrun by the Web,N.Y. TIMES (Jan. 9, 2011), http://www.nytimes.com/2011/01/10/technology/10privacy.html?pagewanted=all&_r=1& (noting that Congress enacted the ECPA before the World Wide Web or widespread use of e-mail); Orin S. Kerr, The Future of Internet Surveillance Law: A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1208, 1213-14, 1229-30 (2004); see generally The Electronic Communications Privacy Act: Government Perspectives on Privacy in the Digital Age: Hearing Before the S. Comm. on the Judiciary, 112th Cong. 1-2(2011) (statement of Sen. Patrick Leahy, Chairman, S. Comm. on the Judiciary), available at http://fas.org/irp/congress/2011_hr/ecpa.pdf (“[D]etermining how best to bring this privacy law into the Digital Age will be one of Congress’s greatest challenges. . . . [The] ECPA is a law that is hampered by conflicting standards that cause confusion for law enforcement, the business community, and American consumers alike.”).
[5] See generally Nat’l Inst. of Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity 4 (Version 1.0, 2014) available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf (describing The Framework as “a risk-based approach to managing cybersecurity risk”).
[6] See, Eric Griffith, What is Cloud Computing?, PC Magazine (May 13, 2013) http://www.pcmag.com/article2/0,2817,2372163,00.asp.
[7] See, e.g., Ken Dilanian, A New Brand of Cyber Security: Hacking the Hackers, L.A. Times (Dec. 4, 2012), http://articles.latimes.com/2012/dec/04/business/la-fi-cyber-defense-20121204/2 (proposing that “companies should be able to ‘hack back’ by, for example, disabling servers that host cyber attacks”).
[8] See, e.g., Scott Carle, Crossing the Line: Ethics for the Security Professional,SANS Inst. (2003), http://www.sans.org/reading-room/whitepapers/hackers/crossing-line-ethics-security-professional-890. Readers, doubtless, will know of earlier references.
[9] Techopedia, http://www.techopedia.com/definition/23172/back-hack (last visited June 28, 2014); see also NetLingo, http://www.netlingo.com/word/back-hack.php (last visited June 28, 2014)(“[Back-hack is t]he reverse process of finding out who is hacking into a system. Attacks can usually be traced back to a computer or pieced together from ‘electronic bread crumbs’ unknowingly left behind by a cracker.”).
[10] Melissa Riofrio, Hacking Back: Digital Revenge Is Sweet but Risky, PCWorld (May 9, 2013, 3:00 AM), http://www.pcworld.com/article/2038226/hacking-back-digital-revenge-is-sweet-but-risky.html.
[11] Dmitri Alperovitch, Active Defense: Time for a New Security Strategy, Crowdstrike (Feb. 25, 2013),http://www.crowdstrike.com/blog/active-defense-time-new-security-strategy/.
[12] Comm’n on the Theft of Am. Intellectual Prop., The IP Commission Report 81 (2013) [hereinafter The IP Commission Report], available at http://ipcommission.org/report/IP_Commission_Report_052213.pdf; see also Sam Cook, Georgia Outs Russian Hacker, Takes Photo with His Own Webcam, Geek (Oct. 31, 2012, 4:28 PM), http://www.geek.com/news/georgia-outs-russian-hacker-takes-photo-with-his-own-webcam-1525485/. See Jay P. Kesan & Carol M. Hayes, Thinking Through Active Defense in Cyberspace, in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy
327, 328 (The National Academies Press ed., 2010) (“Counterstrikes of this nature have already been occurring on the Internet over the last decade, by both government and private actors, and full software packages designed to enable counterstriking have also been made commercially available, even though such counterstrikes are of questionable legality”).
[13] See The IP Commission Report, supra note 12.
[14] Tom Fields, To ‘Hack Back’ or Not?, BankInfoSecurity(Feb. 27, 2013), http://www.bankinfosecurity.com/to-hack-back-or-not-a-5545.
[15] Id.
[16] Id.
[17] Hackback? Claptrap!—An Active Defense Continuum for the Private Sector, RSA Conf. (Feb. 27, 2014, 9:20 AM), http://www.rsaconference.com/events/us14/agenda/sessions/1146/hackback-claptrap-an-active-defense-continuum-for.
[18] Shane McGee, Randy V. Sabett, & Anand Shah, Adequate Attribution: A Framework for Developing a National Policy for Private Sector Use of Active Defense, 8 J. Bus. & Tech. L. 1 (2013) Available at: http://digitalcommons.law.umaryland.edu/jbtl/vol8/iss1/3
[19] See, e.g., Rafal Los, Another Reason Hacking Back Is Probably a Bad Idea, InfosecIsland (June 20, 2013), http://www.infosecisland.com/blogview/23228-Another-Reason-Hacking-Back-is-Probably-a-Bad-Idea.html; Riofrio, supra note 10.
[20] Dilanian, supra note 7;see also William Jackson, The Hack-Back vs. The Rule of Law: Who Wins?, Cybereye, (May 31, 2013, 9:39 AM) http://gcn.com/blogs/cybereye/2013/00/hacking-back-vs-the-rule-of-law.aspx (stating “[i]n the face of increasing cyber threats there is an understandable pent-up desire for an active response, but this response should not cross legal thresholds. In the end, we either have the rule of law or we don’t. That others do not respect this rule does not excuse us from observing it. Admittedly this puts public- and private-sector organizations and individuals at a short-term disadvantage while correcting the situation, but it’s a pill we will have to swallow.”).
[21] James Andrew Lewis, Private Retaliation in Cyberspace,Center for Strategic & Int’l Studies (May 22, 2013), http://csis.org/publication/private-retaliation-cyberspace.
[22] See Cyber Intelligence Sharing and Protection Act, H.R. 624, 113th Cong. (2013).
[23] Christopher M. Matthews, Support Grows to Let Cybertheft Victims ‘Hack Back’, Wall St. J. (June 2, 2013, 9:33 PM), http://online.wsj.com/news/articles/SB10001424127887324682204578517374103394466.
[24] See Alperovitch, supra note 11. The firm’s online marketing literature includes the following: “Active Defense is NOT about ‘hack-back,’ retaliation, or vigilantism . . . we are fundamentally against these tactics and believe they can be counterproductive, as well as potentially illegal.” Id.; see also Paul Roberts, Don’t Call It a Hack Back: Crowdstrike Unveils Falcon Platform, Security Ledger (June 19, 2013, 11:47 AM), https://securityledger.com/2013/06/dont-call-it-a-hack-back-crowdstrike-unveils-falcon-platform/.
[25] Charlie Mitchell, Senate Judiciary Panel Will Examine Stronger Penalties for Cyber Crimes and Espionage, Inside Cybersecurity (May 9, 2014) http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/senate-judiciary-panel-will-examine-stronger-penalties-for-cyber-crimes-and-espionage/menu-id-1075.html (stating “[a]uthorization for so-called countermeasures is included in the draft cyber information-sharing and liability protection bill . . . White House and Department of Homeland Security officials . . . declined to discuss the administration’s view of deterrence issues such as active defense.”). To be distinguished from OCM, “countermeasure” is defined in the draft Cybersecurity Information-Sharing Act of 2014 as “an action, device, procedure, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that prevents or mitigates a known or suspected cybersecurity threat or security vulnerability.” See H.R. 624.
[26] See, e.g.,Marcus Tullius Cicero, The Speech of M.T. Cicero in Defence of Titus Annius Milo, in The Orations of Marcus Tullius Cicero 390, 392-393 (C.D. Yonge trans., 1913).
[27] Sheng Li, Note, When Does Internet Denial Trigger the Right of Armed Self-Defense?, 38 Yale J. Int’l L. 179, 182 (2013).
[28] See, e.g., Walter Gary Sharp Sr., Cyberspace and the Use of Force 129-31 (1999).
[29] See U.S. Dep’t. of Def., Conduct of the Persian Gulf War: Final Report to Congress Pursuant to Title V of the Persian Gulf Conflict Supplemental Authorization and Personnel Benefits Act of 1991 (Public Law 102-25) N-1 (1992) (“Civilian employees, despite seemingly insurmountable logistical problems, unrelenting pressure, and severe time constraints, successfully accomplished what this nation asked of them in a manner consistent with the highest standards of excellence and professionalism.”).
[30] See CyCon, http://ccdcoe.org/cycon/index.html (last visited July 16, 2014).
[31] See NATO Coop. Cyber Defence Ctr. of Excellence, Tallinn Manual on the International Law Applicable to Cyber Warfare 4 (Michael N. Schmitt ed., 2013); see also U.N. Charter art. 2, para. 4 & art. 51 (governing the modern law of self-defense).
[32] See, e.g., Keiko Kono, Briefing Memo: Cyber Security and the Tallinn Manual, Nat’l Inst. For Def. Studies News, Oct. 2013, at 2, available at www.nids.go.jp/english/publication/briefing/pdf/2013/briefing_e180.pdf.
[33] See, e.g.,Siobhan Gorman & Danny Yadron, Banks Seek U.S. Help on Iran Cyberattacks, Wall St. J. (June 16, 2013, 12:01 AM), http://online.wsj.com/news/articles/SB10001424127887324734904578244302923178548; Christopher J. Castelli, DOJ Official Urges Public-Private Cybersecurity Partnership Amid Legal Questions,Inside Cybersecurity (April 1, 2014), http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/doj-official-urges-public-private-cybersecurity-partnership-amid-legal-questions/menu-id-1075.html.
[34] One such example is the “Computer Trespasser” exception added by Congress to the Wiretap Act, which allows law enforcement officials to monitor the activities of hackers when (1) the owner or operator of the network authorizes the interception; (2) law enforcement is engaged in a lawful investigation; (3) law enforcement has reasonable grounds to believe the contents of the communications will be relevant to that investigation; and (4) such interception does not acquire communications other than those transmitted to or from the hacker. See 18 U.S.C. § 2511(2)(i)(I)-(IV) (2012); see also Bradley J. Schaufenbuel, The Legality of Honeypots, ISSA J., April 2008, at 16, 19, available at http://www.jdsupra.com/legalnews/the-legality-of-honeypots-50070/.
[35] See, e.g., David E. Sanger, White House Details Thinking on Cybersecurity Flaws, New York Times, (April 28, 2014) (discussing the Government’s admission that it refrains from disclosing major computer sercurity vulnerabilities that could be useful to “thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”)
[36] See Sameer Hinduja, Computer Crime Investigations in the United States: Leveraging Knowledge from the Past to Address the Future, 1 Int’l J. Cyber Criminology 1, 16 (2007) (citation omitted).
[37] Id. at 19. But see Kesan & Hayes, supra, note 12 at 33 (“there is a more significant downside of entrusting active defense to private firms. Our model addressing the optimal use of active defense emphasizes that there are threshold points where permitting counterstrikes would be the socially optimal solution. However, it does not define these thresholds, and determining these thresholds requires some sort of standardization. It would be unwise to allow individual companies to make these decisions on a case by case basis.”)
[38] The IP Commission Report, supra note 12, at 81. See also Joseph Menn, Hacked Companies Fight Back With Controversial Steps, Reuters, June 18, 2012, available at http://www.reuters.com/article/2012/06/18/us-media-tech-summit-cyber-strikeback-idUSBRE85G07S20120618
[39] See Stephanie Olsen, Nearly Undetectable Tracking Device Raises Concerns, CNET(July 12, 2000), http://news.cnet.com/2100-1017-243077.html.
[40] See id. See also John Gilroy, Ask The Computer Guy, Wash. Post, Jan. 27, 2002, at H07 (describing web bugs in lay parlance).
[41] Sean L. Harrington, Collaborating with a Digital Forensics Expert: Ultimate Tag Team or Disastrous Duo?, 38 Wm. Mitchell L. Rev. 353, 363 (2011), available at http://www.wmitchell.edu/lawreview/Volume38/documents/7.Harrington.pdf.
[42] Id.
[43] See generallyBrian M. Bowen et al., Baiting Inside Attackers Using Decoy Documents, Colum. Univ. Dep’t of Computer Sci. (2009), available at http://www.cs.columbia.edu/~angelos/Papers/2009/DecoyDocumentsSECCOM09.pdf (last visited May 13, 2014) (introducing and discussing properties of decoys as a guide to design “trap-based defenses” to better detect the likelihood of insider attacks).
[44] See Matthews, supra note 23.
[45] Id.
[46] Id.
[47] Id.
[48] See Harrington, supra note 41, at 362-64.
[49]The Supreme Court has tacitly approved deception as a valid law enforcement technique in investigations and interrogations. See Illinois v. Perkins,496 U.S. 292, 297 (1990) (“Miranda forbids coercion, not mere strategic deception . . .”); United States v. Russell, 411 U.S. 423, 434 (1973) (“Criminal activity is such that stealth and strategy are necessary weapons in the arsenal of the police officer.”); Allan Lengel, Fed Agents Going Undercover on Social Networks Like Facebook, AOLNews (Mar. 28, 2010, 5:55 PM), http://www.ticklethewire.com/2010/03/28/fed-agents-going-undercover-on-social-networks-like-facebook/.
[50] See Model Rules of Prof’l Conduct R. 5.3 (2013).
[51] Model Rules of Prof’l Conduct r. 8.4(c); see, e.g., In re Disciplinary Action Against Carlson, No. A13-1091 (Minn. July 11, 2013)(public reprimand for “falsely posing as a former client of opposing counsel and posting a negative review about opposing counsel on a website, in violation of Minn. R. Prof. Conduct 4.4(a) and 8.4(c)”); In re Pautler, 47 P.3d 1175, 1176 (Colo. 2002) (disciplining a prosecutor, who impersonated a public defender in an attempt to induce the surrender of a murder suspect, for an act of deception that violated the Rules of Professional Conduct).
[52] See Sharon D. Nelson & John W. Simek, Muddy Waters: Spyware’s Legal and Ethical Implications, GPSolo Mag., Jan.-Feb. 2006, http://www.americanbar.org/newsletter/publications/gp_solo_magazine_home/gp_solo_magazine_index/spywarelegalethicalimplications.html (“The legality of spyware is murky, at best. The courts have spoken of it only infrequently, so there is precious little guidance.”).
[53] In re Disciplinary Action Against Zotaley, 546 N.W.2d 16, 19 (Minn. 1996) (quoting Minn. R. Prof’l Conduct 3.3 cmt. 3 (2005)).
[54]See Phila. Bar Ass’n Prof’l Guidance Comm., Op. 2009-02, at 1-2 (2009), available at http://www.philadelphiabar.org/WebObjects/PBAReadOnly.woa/Contents/WebServerResources/CMSResources/Opinion_2009-2.pdf.
[55] See N.Y.C. Bar Ass’n Prof’l & Judicial Ethics Comm., Formal Op. 2010-2 (2010), available at http://www2.nycbar.org/Publications/reports/show_html.php?rid=1134; cf. Justin P. Murphy & Adrian Fontecilla, Social Media Evidence in Government Investigations and Criminal Proceedings: A Frontier of New Legal Issues, 19 Rich. J.L. & Tech. 11, ¶ 21 n.76 (2013) (citing similar ethics opinions rendered by bar committees in New York State and San Diego County).
[56] David Bianco, Use of the Term “Intelligence” in the RSA 2014 Expo, Enterprise Detection & Response (Feb. 28, 2014) http://detect-respond.blogspot.com/#!/2014/03/use-of-term-intelligence-at-rsa.html.
[57] See Sameer, supra note 36, at 15 (citing A. Meehan, G. Manes, L. Davis, J. Hale & S. Shenoi, Packet Sniffing for Automated Chat Room Monitoring and Evidence Preservation, in Proceedings of the 2001 IEEE Workshop on Information Assurance and Security 285, 285 (2001))(“[T]he monitoring of bulletin-boards and chat-rooms by investigators has led to the detection and apprehension of those who participate in sex crimes against children.”), available at http://index-of.es/Sniffers/Sniffers_pdf/52463601-packet-sniffing-for-automated-chat-room-74909.pdf; see, e.g., Kimberly J. Mitchell, Janis Wolak & David Finkelhor, Police Posing as Juveniles Online to Catch Sex Offenders: Is It Working?, 17 Sexual Abuse: J. Res. & Treatment 241 (2005); Lyta Penna, Andrew Clark & George Mohay, Challenges of Automating the Detection of Paedophile Activity on the Internet, in Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (2005), available at http://eprints.qut.edu.au/20860/1/penna2005sadfe.pdf.
[58] Martin Moylan, Target’s Data Breach Link to ‘the Amazon of Stolen Credit Card Information’,MPRnews (February 3, 2014), http://www.mprnews.org/story/2014/02/02/stolen-credit-and-debit-card-numbers-are-just-a-few-clicks-away.
[59] See “Investigating the Dark Web — The Challenges of Online Anonymity for Digital Forensics Examiners,” Forensic Focus (July 28, 2014) (“It is certainly easier to access indecent images of children and similar content on the dark net.”) Available at http://articles.forensicfocus.com/2014/07/28/investigating-the-dark-web-the-challenges-of-online-anonymity-for-digital-forensics-examiners/. And see, e.g., Minn. Stat. § 617.247 subd. 4(a) (2013) (criminalizing possession of “a pornographic work [involving minors] or a computer disk or computer or other electronic, magnetic, or optical storage system or a storage system of any other type, containing a pornographic work, knowing or with reason to know its content and character”).
[60] See Rainer Link & David Sancho, Lessons Learned While Sinkholing Botnets—Not As Easy As It Looks!, in Proceedings of the Virus Bulletin Conference 106, 106 (2011), available at http://www.trendmicro.com/media/misc/lessons-learned-virusbulletin-conf-en.pdf.
[61] Id.
[62] Id.at 107.
[63] “[C]onsent may be demonstrated through evidence of appropriate notice to users through service terms, privacy policies or similar disclosures that inform users of the potential for monitoring.” Bosset et.al, supra note 4 (citing Mortensen v. Bresnan Commc’ns, LLC, No. CV 10-13-BLG-RFC, 2010 WL 5140454, at *3-5 (D. Mont. Dec. 13, 2010)).
[64] See Craigslist Inc. v. 3Taps Inc., 964 F. Supp. 2d 1178, 1182-83 (N.D. Cal. 2013).
[65] See Link & Sancho, supra note 60, at 107-08.
[66] Honeypot, SearchSecurity, http://searchsecurity.techtarget.com/definition/honey-pot (last visited June 29, 2014).
[67] Eric Cole & Stephen Northcutt, Honeypots: A Security Manager’s Guide to Honeypots, SANS Inst., http://www.sans.edu/research/security-laboratory/article/honeypots-guide (last visited May 13, 2014).
[68] See, e.g., Jerome Radcliffe, CyberLaw 101: A Primer on US Laws Related to Honeypot Deployments 6-9 (2007), available at http://www.sans.org/reading-room/whitepapers/legal/cyberlaw-101-primer-laws-related-honeypot-deployments-1746.
[69] See id. at 14-17.
[70] See Schaufenbuel, supra note 34, at 16-17 (“Because a hacker finds a honeypot by actively searching the Internet for vulnerable hosts, and then attacks it without active encouragement by law enforcement officials, the defense of entrapment is not likely to be helpful to a hacker.”).
[71] See Cole & Northcutt, supra note 67.
[72] Schaufenbuel, supra note 34, at 19.
[73] See generally id. (stating that the best way for a honeypot owner to avoid downstream liability is to configure the honeypot to prohibit or limit outbound connections to third parties).
[74] Scott L. Vernick, To Catch a Hacker, Companies Start to Think Like One, Fox Rothschild, LLP (Feb. 15, 2013), http://www.foxrothschild.com/print/convertToPDF.aspx?path=/newspubs/newspubsprint.aspx&parms=id|15032388757.
[75] See Kevin Parrish, Copyright Troll Busted for Seeding on The Pirate Bay,tom’s GUIDE (Aug. 19, 2013, 2:00 PM), http://www.tomsguide.com/us/torrent-pirate-bay-copyright-troll-prenda-law-honeypot,news-17391.html#torrent-pirate-bay-copyright-troll-prenda-law-honeypot%2Cnews-17391.html?&_suid=1396370990577022740795081848747.
[76] Id.
[77] See id.
[78] See, e.g., Sean L. Harrington, Rule 11, Barratry, Champerty, and “Inline Links”, Minn. St. Bar Ass’n Computer & Tech. L. Sec. (Jan. 27, 2011, 11:42 PM), http://mntech.typepad.com/msba/2011/01/rule-11-barratry-champerty-and-inline-links.html (discussing the vexatious litigation tactics of Righthaven, LLC).
[79] See Scott Cohn, Companies Battle Cyberattacks Using ‘Hack Back’, CNBC (June 04, 2013, 1:00 PM), http://www.cnbc.com/id/100788881 (“[L]aw enforcement is unlikely to detect or prosecute a hack back. ‘If the only organization that gets harmed is a number of criminals’ computers, I don’t think it would be of great interest to law enforcement.”); Aarti Shahani, Tech Debate: Can Companies Hack Back?, Al Jazeera Am. (Sept. 18, 2013, 5:57 PM), http://america.aljazeera.com/articles/2013/9/18/tech-debate-can-companieshackback.html (“The Justice Department has not prosecuted any firm for hacking back and, as a matter of policy, will not say if any criminal investigations are pending”).
[80] See Cohn, supra note 79 (statement of Professor Joel Reidenberg) (“‘Reverse hacking is a felony in the United States, just as the initial hacking was. It’s sort of like, if someone steals your phone, it doesn’t mean you’re allowed to break into their house and take it back.’”); Shahani, supra note 79 (statement of David Wilson) (“‘No, it’s not legal, not unless the blackmailer gave permission. . . . But who’s going to report it? Not the bad guy.’”).
[81] See, e.g.,Nathan Thornburgh, The Invasion of the Chinese Cyberspies (and the Man Who Tried to Stop Them),TIME (Sept. 5, 2005), http://courses.cs.washington.edu/courses/csep590/05au/readings/titan.rain.htm (discussing the “rogue” counter-hacking activities of Shawn Carpenter, who was working with the FBI and for whose activities Carpenter claimed the FBI considered prosecuting him).
[82] See Dilanian, supra note 7 (“Others, including Stewart Baker, former NSA general counsel, said the law does allow hacking back in self-defense. A company that saw its stolen data on a foreign server was allowed to retrieve it, Baker argued.”) (In preparation for this comment, the author asked Mr. Baker about the interview, and he replied, “[T]he LA Times interview didn’t involve me talking about a particular case where retrieving data was legal. I was arguing that it should be legal.”).
[83] John Strand et al., Offensive Countermeasures: The Art of Active Defense 207 (2013).
[84] David Willson, Hacking Back in Self Defense: Is It Legal; Should It Be?, Global Knowledge (Jan. 6, 2012), http://blog.globalknowledge.com/technology/security/hacking-cybercrime/hacking-back-in-self-defense-is-it-legal-should-it-be/.
[85] See id.
[86] Stewart Baker, The Hack Back Debate (Nov. 02, 2012) http://www.steptoecyberblog.com/2012/11/02/the-hackback-debate/.
[87] See W. Page Keeton et al., Prosser & Keeton on the Law of Torts § 22 (5th ed. 1984).
[88] See id.
[89] See id. at§ 24.
[90] See id. at§ 21. And see McGee, Sabett, & Shah, supra, note 18 (“Reaching consensus on applying the concepts of self-defense to the cyber domain has proven to be a difficult task, though not for the lack of trying”).
[91] See Jassandra Nanini, China, Google, and Private Security: Can Hack-Backs Provide the Missing Defense in Cybersecurity, (forthcoming 2015) (manuscript at 14-15) (on file with author).
[92] See id. (manuscript at 14).
[93] Id. (manuscript at 15-16).
[94] See Sean Harrington, Why Divorce Lawyers Should Get Up to Speed on CyberCrime Law, Minn. St. B. Ass’n Computer & Tech. L. Sec. (Mar. 24, 2010, 9:40 PM), http://mntech.typepad.com/msba/2010/03/why-divorce-lawyers-should-get-up-to-speed-on-cybercrime-law.html (collecting cases regarding unauthorized computer access).
[95] 18 U.S.C. § 1030 (2012); see Clements-Jeffrey v. Springfield, 810 F. Supp. 2d 857, 874 (S.D. Ohio 2011) (“It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down. It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.”).
[96] See generally Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1624–42 (2003) (showing how and why courts have construed unauthorized access statutes in an overly broad manner that threatens to criminalize a surprising range of innocuous conduct involving computers).
[97] In re DoubleClick Privacy Litig., 154 F. Supp. 2d 497, 526 (S.D.N.Y. 2001) (emphasis added).
[98] See In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9, 13 & 21-22 (1st Cir. 2003) (holding use of tracking cookies to intercept electronic communications was within the meaning of the ECPA, because the acquisition occurred simultaneously with the communication).
[99] See Peter J. Toren, Amending the Computer Fraud and Abuse Act,BNA (Apr. 9, 2013), http://about.bloomberglaw.com/practitioner-contributions/amending-the-computer-fraud-and-abuse-act/.
[100] See, e.g., Holly R. Rogers & Katharine V. Hartman, The Computer Fraud and Abuse Act: A Weapon Against Employees Who Steal Trade Secrets,BNA (June 21, 2011) (“[E]mployers are increasingly using this cause of action to go after former employees who steal trade secrets from their company-issued computers.”).
[101] A Byte for a Byte,Economist (Aug. 10, 2013), available at http://www.economist.com/node/21583268/; see also Lewis, supra note 21 (“There is also considerable risk that amateur cyber warriors will lack the skills or the judgment to avoid collateral damage. A careless attack could put more than the intended target at risk. A nation has sovereign privileges in the use of force. Companies do not.”); John Reed, The Cyber Security Recommendations of Blair and Huntsman’s Report on Chinese IP Theft, Complex Foreign Pol’y (May 22, 2012), http://complex.foreignpolicy.com/posts/2013/05/22/the_cyber_security_recomendations_of_blair_and huntsman_report_on_chinese_ip_theft (“While it may be nice to punch back at a hacker and take down his or her networks or even computers, there’s a big potential for collateral damage, especially if the hackers are using hijacked computers belonging to innocent bystanders.”).
[102] John Reed, Mike Rogers: Cool It with Offensive Cyber Ops, Complex Foreign Pol’y (Dec. 14, 2012, 5:07 PM), http:/complex.foreignpolicy.com/posts/2012/12/14/mike_rogers_cool_it_with_offensive_cyber_ops (audio recording of full speech available at http://www.c-span.org/video?314114-1/rep-rogers-rmi-addresses-cyber-threats-economy). But see See McGee, Sabett, & Shah, supra, note 18 (urging the adoption of a “Framework for ‘good enough’ attribution”).
[103] For definitions and discussion of these terms, seeEric A. Fischer et al., Cong. Research Serv., R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress2-4,(2013), available at http://www.fas.org/sgp/crs/misc/R42984.pdf.
[104] Max Fisher, Should the U.S. Allow Companies to ‘Hack Back’ Against Foreign Cyber Spies?, Wash. Post (May 23, 2013, 10:43 AM), http://www.washingtonpost.com/blogs/worldviews/wp/2013/05/23/should-the-u-s-allow-companies-to-hack-back-against-foreign-cyber-spies/ (quoting Lewis, supra, note 21).
[105] Los, supra note 19.
[106] See Fahmida Y. Rashid, Layered Security Essential Tactic of Latest FFIEC Banking Guidelines,eWeek (June 30, 2011), http://www.eweek.com/c/a/IT-Infrastructure/Layered-Security-Essential-Tactic-of-Latest-FFIEC-Banking-Guidelines-557743/ (“Banks must adopt a layered approach to security in order to combat highly sophisticated cyber-attacks, the Federal Financial Institutions Examination Council said in a supplement released June 28. The new rules update the 2005 ‘Authentication in an Internet Banking Environment’ guidance to reflect new security measures banks need to fend off increasingly sophisticated attacks. . . . The guidance . . . emphasized a risk-based approach in which controls are strengthened as risks increase.”).
[107] See PCI 2.0 Encourages Risk-Based Process: Three Things You Need to Know, ITGRC (Aug. 23, 2010), http://itgrcblog.com/2010/08/23/pci-2-0-encourages-risk-based-process-three-things-you-need-to-know/.
[108] See Lee Vorthman, IT Security: NIST’s Cybersecurity Framework, NetApp (July 16, 2013, 6:01 AM), https://communities.netapp.com/community/netapp-blogs/government-gurus/blog/2013/07/16/it-security-nists-cybersecurity-framework) (“It is widely anticipated that the Cybersecurity Framework will improve upon the current shortcomings of FISMA by adopting several controls for continuous monitoring and by allowing agencies to move away from compliance-based assessments towards a real-time risk-based approach.”).
[109] Reed, supra note 102.
[110] Geoffrey C. Hazard, Jr., Law, Morals, and Ethics, 19 S. Ill. U. L.J. 447, 453 (1995), available at http://repository.uchastings.edu/faculty_scholarship/252.
[111] Id.
[112] See generally Heinz C. Luegenbiehl & Michael Davis, Engineering Codes of Ethics: Analysis and Applications 10 (1986) (referring to the “Contract with society” theory on the relation between professions and codes of ethics).
According to this approach, a code of ethics is one of those things a group must have before society will recognize it as a profession. The contents of the code are settled by considering what society would accept in exchange for such benefits of professionalism as high income and high prestige. A code is a way to win the advantages society grants only to those imposing certain restraints on themselves.
[113] See, e.g., Official (ISC)2 Guide to the CISSP CBK 1214 (Steven Hernandez ed., 3d ed. 2013) (“The code helps to protect professionals from certain stresses and pressures (such as the pressure to cut corners with information security to save money) by making it reasonably likely that most other members of the profession will not take advantage of the resulting conduct of such pressures. An ethics code also protects members of a profession from certain consequences of competition, and encourages cooperation and support among the professionals.”).
[114] See id.
[115] (ISC)2, (ISC)2 Overview: Evolving in Today’s Complex Security Landscape 4 (2013), available at www.infosec.co.uk/_novadocuments/47180?v=635294483175930000.
[116] See id.
[117] David E. Sanger & John Markoff, After Google’s Stand on China, U.S. Treads Lightly,N.Y. Times (Jan. 15, 2010), http://www.nytimes.com/2010/01/15/world/asia/15diplo.html?_r=0.
[118] See, e.g.,Skipper Eye, Google Gives Chinese Hackers a Tit for Tat, Redmond Pie (Jan. 16, 2010), available at http://www.redmondpie.com/google-gives-chinese-hackers-a-tit-for-tat-9140352/.
[119] See Shelley Boose, Black Hat Survey: 36% of Information Security Professionals Have Engaged in Retaliatory Hacking, BusinessWire(June 26, 2012, 11:00 AM), http://www.businesswire.com/news/home/20120726006045/en/Black-Hat-Survey-36-Information-Security-Professionals (“When asked ‘Have you ever engaged in retaliatory hacking?’ 64% said ‘never,’ 23% said ‘once,’ and 13% said ‘frequently”. . . . [W]e should take these survey results with a grain of salt . . . . It’s safe to assume some respondents don’t want to admit they use retaliatory tactics.”).
[120] Lewis, supra note 21 (“Another argument is that governments are not taking action, and therefore private actors must step in.”).
[121] Reed, supra note 102.
[122] See About FS-ISAC, Fin. Serv.: Info. Sharing & Analysis Center, https://www.fsisac.com/about (last visited June 9, 2014). Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998’s Presidential Directive 63. That directive ― later updated by 2003’s Homeland Security Presidential Directive 7 ― mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure. See id.
[123] See id.
[124] FS-ISAC Security Automation Working Group Continues to Mature Automated Threat Intelligence Strategy, Deliver on Multi-Year Roadmap, Fin. Serv.: Info. Sharing & Analysis Center (Feb. 26, 2014), https://www.fsisac.com/sites/default/files/news/FSISAC_PR_SAWG_Feb19-2014v1AH%20-%20DHE-ALL-EDITS-FINAL2%20EG.pdf.
[125] See id.
[126] Sean Sposito, In Cyber Security Fight, Collaboration Is Key: Guardian Analytics, Am. Banker (Oct. 08. 2013, 2:01 PM), http://www.americanbanker.com/issues/178_195/in-cyber-security-fight-collaboration-is-key-guardian-analytics-1062688-1.html.
[127] See generally, Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks: Hearing Before the S. Comm. on the Judiciary, 113th Cong. (July 15, 2014) http://www.judiciary.senate.gov/meetings/taking-down-botnets_public-and-private-efforts-to-disrupt-and-dismantle-cybercriminal-networks (providing access to testimony from the hearing).
[128] See Tracy Kitten, Microsoft, FBI Take Down Citadel Botnets, Bank Info Security (June 6, 2013), http://www.bankinfosecurity.com/microsoft-fbi-takedown-citadel-botnets-a-5819/op-1.
[129] See id.
[130] See id.
[131] See NCA Leads Global Shylock Malware Takedown, infosecurity (July 12, 2014) http://www.infosecurity-magazine.com/view/39289/nca-leads-global-shylock-malware-takedown/.
[132] See Gregg Keizer, Massive Botnet Takedown Stops Spread of Cryptolocker Ransomware,ComputerWorld (June 5, 2014 02:15 PM), http://www.computerworld.com/s/article/9248872/Massive_botnet_takedown_stops_spread_of_Cryptolocker_ransomware.
[133] John E. Dunn, Worried US Retailers Battle Cyber-attacks Through New Intelligence-Sharing Body, TechWorld (May 16, 2014, 6:29 PM), http://news.techworld.com/security/3517094/worried-us-retailers-battle-cyber-attacks-through-new-inte/.
[134] See, e.g.,Dan Dupont Retail, Financial Sectors Form Cybersecurity Partnership in Wake of Data Breaches (March 13, 2014), http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/retail-financial-sectors-form-cybersecurity-partnership-in-wake-of-data-breaches/menu-id-1075.html.
[135] See Press Release, Dianne Feinstein, Senate Intelligence Committee Approves Cyber Security Bill (July 8, 2014) available at http://www.feinstein.senate.gov/public/index.cfm/2014/7/senate-intelligence-committee-approves-cybersecurity-bill.
[136]See Brent Rowe et al., The Role of Internet Service Providers in Cyber Security 7 (2011), available at http://sites.duke.edu/ihss/files/2011/12/ISP-Provided_Security-Research-Brief_Rowe.pdf.
[137] See, generally, Chatham House Rule, Chatham House; The Royal Institute of International Affairs http://www.chathamhouse.org/about/chatham-house-rule (explaining the Chatham House Rule).
[138] Section 631 of the Cable Communications Policy Act of 1984, 47 U.S.C. §§ 521, et seq. The Cable Act prohibits cable systems’ disclosure of personally identifiable subscriber information without the subscriber’s prior consent; requires the operator to destroy information that is no longer necessary for the purpose it was collected, to notify subscribers of system data collection, retention and disclosure practices and to afford subscribers access to information pertaining to them; provides certain exceptions to the disclosure restrictions, such as permission for the cable operator to disclose “if necessary to conduct a legitimate business activity related to a cable service or other service” provided to the subscriber, and disclosure of subscriber names and addresses (but not phone numbers), subject to an “opt out” right for the subscriber. Congress expanded, as part of the Cable Television Consumer Protection and Competition Act of 1992, the privacy provision of the Communications Act to cover interactive services provided by cable operators. Id.
[139] Protecting and Promoting the Open Internet, GN Docket No. 14-28, at App’x A, §§ 8.5, 8.11 (May 15, 2015).
[140] Id. at 1-2.
[141] Preserving the Open Internet, 76 Fed. Reg. 59192, 59209 n.102 (Sept. 23, 2011).
[142] Michel Van Eeten et al., The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data 1 (2010), available at http://weis2010.econinfosec.org/papers/session4/weis2010_vaneeten.pdf.
[143] Rowe et al., supra note 136.
[144] See, e.g., Meir Orbach, Israeli Cyber Tech Companies on Rise in US Market, Al Monitor (Jan. 23, 2014) http://www.al-monitor.com/pulse/business/2014/01/us-cyber-security-market-israeli-companies.html.
[145] See New York Times Co. v. United States, 403 U.S. 713, 714 (1971).
[146] See David Bianco, The Pyramid of Pain, Enterprise detection & Response Blog(Mar. 1, 2014), http://detect-respond.blogspot.com/#!/2013/03/the-pyramid-of-pain.html.
[147] See id.
[148] See id.
[149] See Sposito, supra note 126.
[150] See FireEye Threat Analytics Platform, FireEye,http://www.fireeye.com/products-and-solutions/threat-analytics-platform.htm (last visited June 9, 2014).
[151] See Tim Wilson, CrowdStrike Turns Security Fight Toward Attacker, Dark Reading (June 25, 2013, 9:18 AM), http://www.darkreading.com/analytics/threat-intelligence/crowdstrike-turns-security-fight-toward-attacker/d/d-id/1139998?.
[152] See HP IDOL,HP Autonomy,www.autonomy.com/products/idol (last visited June 9, 2014).
DownloadPDF