Active Defense/Hack Back/Attribution – The Saga Continues

I have noticed, at least amongst lawyers, there does not seem to be much middle ground when it comes to “Active Defense” or hack back and the right of self-defense.  Those who comment on it either agree self-defense exists in cyberspace, with very few in this camp, or it doesn’t, which is where the majority stand.  All I ask of most is don’t simply jump to the conclusion that self-defense does not exist and “Active Defense” or hack back is illegal, but instead look at the arguments, potential fact scenarios, and definitions.

“Active Defense” has many definitions and should not be strictly equated to hack back.  Hack back may instead be considered a subset of “Active Defense,” which does include cyber self-defense or cyber self-help.  Whether or not a company can utilize these theories depends entirely on the given facts of a situation.  For instance, if a company has suffered a cyber attack and cannot show the attack continues or is persistent, they will not likely be able to make a case for the use of self-defense.  My draft definition of “Active Defense” (still a work in progress) is as follows: “a meticulous and escalated approach to a persistent cyber attack wherein the company leadership makes a decision whether or not to progress at pre-determined decision-points, evaluating risk, liability and legal issues.”  Each decision-point will include all of the intelligence gathered, all potential options, tools, techniques, possible scenarios, potential risks, liability, and legal issues.  Depending on the facts and the confidence of the decision-maker, there can be few decision-points or many.  The number of decision-points is also a factor to consider in the scenario, and the actual amount of liability, if any, may depend on how meticulously and cautiously the decision-maker acted.  For example, the first decision-point may be whether the attack or attacks are persistent.  “Active Defense” is very fact dependent.

Unfortunately, most jump immediately to the conclusion that Active Defense or hack back is illegal.  In my opinion, this is a very shortsighted view.  If you are a company losing a lot of money, can show you have implemented good or better security, and have taken an escalated approach collecting intel and evaluating risk, liability and legal issues along the way, then I believe you do have a right to defend yourself.  Again, it is very fact specific.  This is where most people then pull out the “attribution” card and claim you will impact an innocent bystander.

If someone drugs and hypnotizes an innocent bystander and convinces him to shoot at you, don’t you have the right to shoot back in self-defense? This is similarly fact dependent.  For instance, if you know the person is an innocent bystander, you would likely try to run away and get help, maybe call the police.  You might even attempt an escalated approach causing as little harm as possible to the innocent drugged and hypnotized bystander.  In the end, if it is you or him, most will likely opt to save their own lives.  Now remember, self-defense applies to person or property.  So, in the end most will opt to save their own property over the property of the innocent bystander.

So, if a server is compromised and being used to attack my company, don’t I have the right to defend against that server? In this scenario I am assuming I cannot identify who owns the server.  If I could, I would simply call that person or company and ask that the server be shut down or the malware removed. Also, is the owner of the compromised server used to attack me truly an innocent bystander? Is there contributory negligence on the part of that server owner for not having adequate security and allowing his system to be compromised? In a perfect world you could say no, but today many if not most compromises occur because companies have not used due diligence in keeping systems patched and implementing basic security.  Enough for now, comments?