Do Hack-Backs Violate the Computer Fraud and Abuse Act?
Published by The Lawfare Institute
In cybersecurity circles I often hear that firms are increasingly taking matters into their own hands in the face of cyber-exploitations or cyber-attacks by taking retaliatory steps against the computer systems that are the source of the exploitations or attacks. A legal obstacle to such “hack-backs” is the Computer Fraud and Abuse Act (CFAA). I had always thought, based on cursory analysis, that the CFAA prohibited self-defensive hack-backs. But Stewart Baker makes the case that they do not (always) do so. His argument invited a response from Orin Kerr, and subsequent rounds of argument here and here and here (and Orin will likely go at it one more round). An illuminating exchange.
PS: Orin’s final post is here.
Jack Goldsmith is the Learned Hand Professor at Harvard Law School, co-founder of Lawfare, and a Non-Resident Senior Fellow at the American Enterprise Institute. Before coming to Harvard, Professor Goldsmith served as Assistant Attorney General, Office of Legal Counsel from 2003-2004, and Special Counsel to the Department of Defense from 2002-2003.