Abstract

Federal law makes no distinction between "good" and "bad" hackers—the Computer Fraud and Abuse Act criminalizes hacking by a private citizen in any form. While an anti-hacking statute is necessary to deter and punish cybercrime, the current law prohibits private entities from "hacking back" or, more precisely, from engaging in active defensive measures in response to a cyberattack. If these measures were legalized, they could allow private entities to assist law enforcement and reduce the financial and reputational costs of a cyber incident. Absent a change in the law, private entities are dependent on law enforcement to provide active cyber defense. This article explores the precarious position of private entities under the current regime, especially given the rapid escalation of cybercrime in both frequency and financial impact. It argues that the current law is unfit to keep pace with the evolving threat landscape. Drawing on previous active cyber defense proposals and the False Claims Act's qui tam provisions, this article proposes a legal framework that would allow private entities to take limited, government-supervised steps to "hack back" in response to a cyberattack. A public-private partnership for active cyber defense could strengthen law enforcement efforts, reduce costs to private entities, and deter future attacks. Ultimately, this article suggests that an ancient method of confronting crime could address a modern problem: The government should enlist private entities with aligned incentives to act on its behalf. Only this time, those entities act in cyberspace.
