Perspective

Hackback is back: Assessing the Active Cyber Defense Certainty Act

Published 17 June 2019

The “hackback” debate has been with us for many years. It boils down to this: Private sector victims of hacking in some instances might wish to engage in self-defense outside their own networks (that is, doing some hacking of their own in order to terminate an attack, identify the attacker, destroy stolen data, etc.) but for the prospect that they then would face criminal (and possibly civil) liability under 18 USC 1030 (the Computer Fraud and Abuse Act, or CFAA). Robert Chesney writes in Lawfare that a tricky question of policy therefore arises: Should the CFAA be pruned to facilitate hackback under certain conditions? On one hand, this might produce significant benefits in terms of reducing harm to victims and deterring some intrusions. On the other hand, risks involving mistaken attribution, unintended collateral harms and dangerous escalation abound. It’s small wonder the hackback topic has spawned so much interesting debate (see here and here for examples).