Fordham Law

Companies Battle Cyberattacks Using 'Hack Back'

Joel Reidenberg on CNBC, June 04, 2013

It's something computer security professionals don't want to talk about, and companies won't admit to doing.

It's called a "hack back," when the victim of a cyberattack turns the tables and actively fights back against their attacker.

"This literally is a wild west out there," Greg Hoglund, a cybersecurity specialist, told CNBC.

Hoglund is the founder and former CEO of HBGary and has worked on cybersecurity for the Pentagon and the U.S. intelligence community.

"When I think of hack back, I think of more of a counterstrike, or a mitigative action to stop an imminent or ongoing attack. You're not going out and trying to find trouble, you're in trouble and trying to stop the pain right then," he said.

A hack back could mean a company shutting down a cyberattack already in progress, or hacking into a cybercriminal's network to delete or alter information that's already been stolen.

The bad guys are so pervasive, according to Hoglund, that some companies are taking matters into their own hands. Victims of attacks are fighting back by hacking the hackers, so that the hacker becomes the hackee.

But this new way of fighting cybercrime is in legally uncharted territory.

"Reverse hacking is a felony in the United States, just as the initial hacking was. It's sort of like, if someone steals your phone, it doesn't mean you're allowed to break into their house and take it back," Fordham University law professor Joel Reidenberg told CNBC.

But Reidenberg said law enforcement is unlikely to detect or prosecute a hack back. "If the only organization that gets harmed is a number of criminals' computers, I don't think it would be of great interest to law enforcement."