If a hacker disrupts a company's networks, does the company have the right to track the hacker down and try to knock him offline? If a thief tries to steal proprietary data, can a company seed its networks with documents rigged to unleash malware on the intruder's system when he opens them?
These questions have increasingly been a subject of debate, in articles, at security conferences, and during a small roundtable discussion I attended in Cambridge, Mass., early this week. I'm not at liberty to disclose the individual participants, but I can say they are subject matter experts from government, private industry, and academia, and that we all spent a significant amount of time on this nettlesome and fascinating set of questions.
The overarching context for our meeting was how the proliferation of relatively inexpensive and increasingly easy-to-get technologies such as malware and drones is creating an environment in which threats of violence, or actual violence, are essentially available to anyone. The notion of companies "hacking back" against their aggressors resonated in this context, because while government agencies or the military may have the legal authority to retaliate against an intruder, the means to do so are not exclusively theirs.
There are a couple of schools of thought here. In one view, private cyber offense is a form of illegal vigilantism, or at least has the potential to become so. If someone breaks into your house and steals your TV, you don't have the right to go to his house, break in, and steal it back. Given the proliferation of malware today, and the relatively low barrier to entry for hacking, malicious or otherwise, it's pretty easy to see how this tit for tat could turn into a private cyber war, with the potential for unforeseen collateral damage.
But might private offense be a legal form of self-defense? Continuing with the TV analogy, if someone breaks into your house and threatens you or your property, states generally recognize that you have a right to defend yourself through the exercise of violence, or the threat of it.
This is a subject that I'll turn to again on the blog and elsewhere. But for now, it seemed particularly relevant in light of tomorrow's release by President Obama of an executive order on cyber security.
Simply put, there is only so much that the government can do to assist private industry and defend it from espionage or attack. In light of that, a new practice--dare we call it an industry?--of private cyber offense is growing, and it takes its cues, I'd argue, from the official strategy of active defense that is overtly practiced by the military and the intelligence community. The legal and ethical implications here are profound.
It will be interesting to see if Obama's executive order addresses this issue, or if in the language we can read any government position on the usefulness, or the harm, caused by private cyber offense.
As additional reading, I'd suggest Herb Lin's recent article in World Politics Review, as well as this synopsis of a session at the recent Spooks & Suits conference in Washington.