Dmitri Alperovitch, CTO at startup CrowdStrike, which is launching its own active defense-style services, says to his knowledge there has not yet been a significant legal case in this area, though if there were one, it might help distinguish how far the victimized organization can go to pursue and disrupt an attacker.
If there's a "marquee case" where "someone takes the bullet" in a court battle arguing for the ability to strike back in active defense, then the result might be to raise awareness that could get Congress to modify current law. He added that Microsoft has shown some success in lawsuits oriented toward dismantling botnets around the world by going after individuals running them and also revealing their identities.
"We need to get some deterrence," said Alperovitch. It's his opinion that nation-state industrial espionage that occurs over the Internet, often linked to China, is simply something that for political reasons the U.S. government does not want to take on as a public issue now. Despite the huge number of computer intrusions blamed on Chinese attackers stealing U.S. data from corporations and government over the past few years, the U.S. government is not motivated to make waves over it. "On the nation-state side, the government is locked in inaction," said Alperovitch.
Hacking back at servers where you think attacks have originated violates the law and "you don't get much out of it," said Alperovitch. Active defense, he said, is better understood as "offensive tactics" that could involve everything from attempting to get stolen data back to legal action and public relations-oriented actions to expose the identities of attackers in full and their motivations.
Although there's certain to be debate, CrowdStrike is starting with the basic belief that the private sector has the authority "to go into a server to get that data back," said Alperovitch. He said there's a common-law precedent, and an affirmative defense under the law. But the usual circumstances would be that you'd first call the FBI or other law enforcement and have them try to take action, but "if the government and law enforcement is unwilling or unable to take that action, you can," he said. "It's defense of property," along with the idea, "I'm holding you until the law arrives." He said there's a lot of precedent in the legal system for this, but it hasn't really been done before for cyberattack response, and he acknowledges that court rulings would be uncertain.