Do Hack-Backs Violate the Computer Fraud and Abuse Act?

Jack Goldsmith
Wednesday, October 17, 2012, 9:01 AM

Published by The Lawfare Institute
in Cooperation With
Brookings

In cybersecurity circles I often hear that firms are increasingly taking matters into their own hands in the face of cyber-exploitations or cyber-attacks by taking retaliatory steps against the computer systems that are the source of the exploitations or attacks. A legal obstacle to such “hack-backs” is the Computer Fraud and Abuse Act (CFAA). I had always thought, based on cursory analysis, that the CFAA prohibited self-defensive hack-backs. But Stuart Baker makes the case that they do not (always) do so. His argument invited a response from Orin Kerr, and subsequent rounds of argument here and here and here (and Orin will likely go at it one more round). An illuminating exchange. PS: Orin’s final post is here.

Jack Goldsmith is the Learned Hand Professor at Harvard Law School, co-founder of Lawfare, and a Non-Resident Senior Fellow at the American Enterprise Institute. Before coming to Harvard, Professor Goldsmith served as Assistant Attorney General, Office of Legal Counsel from 2003-2004, and Special Counsel to the Department of Defense from 2002-2003.
