November 01, 2012, 11:58 AM — MIAMI -- The questions are being asked more often: When a cyberattack hits your network, is it right to launch a counter-attack of some type to try to at least identify the source if not stop it? Since the wheels of justice do indeed grind slowly, should frustrated IT professionals with security skills take matters into their own hands or hire others to do so?
"You want to go after them and block them," said David Willson, an attorney and retired Army JAG officer who, like other lawyers in the field, is concentrating on understanding the limits of what IT and security managers can or should do under the limits of today's law. Speaking at the Hacker Halted conference, Willson said there is no consensus among lawyers focusing on this topic. But he emphasized that companies being attacked "should look beyond your network and figure out what's coming after you," and there's a case to be made that you should "strike back defensively."
"Can you do it technically? Yes. Legally? I'd argue, yes," he said. Although some have argued in the past that even using a network-based honeypot to fool cybercriminals into thinking they've broken into a network is illegal, Willson said he disagrees. Companies might want to try and pinpoint attackers through use of so-called beacons and "digital dye-packs," such as documents that when stolen can report back where they are.
But there are tough questions about how far an IT manager can go to actually try and pursue attackers who are often organizing and launching attacks through compromised computer systems all over the world. The U.S. Computer Fraud and Abuse Act, which applies to anyone in the U.S. regardless of what they do across the global Internet, suggests you can't make unauthorized entry into a computer owned by another entity.
Willson says this law, too, gets argued over as to what unauthorized access really means. But he says companies should believe they have the right to "defend persons or property." This means that potentially the corporate management in an organization -- not the IT department, he says -- could make a decision to go after an attacker in some way based on risk, liability and other legal issues.
This general concept is being described in the security industry as "active defense," and Willson advocates that organizations pull together a team to have an active defense plan and a way to document findings. "You have to make the CEO as comfortable with this as possible," he said, because active defense may become something that could be challenged in court.