Recommendation:
Reconcile necessary changes in the law with a changing technical environment.
When theft of valuable information, including intellectual property, occurs at network speed,
sometimes merely containing a situation until law enforcement can become involved is not an entirely
satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls
for creating a more permissive environment for active network defense that allows companies not
only to stabilize a situation but to take further steps, including actively retrieving stolen information,
altering it within the intruder’s networks, or even destroying the information within an unauthorized
network. Additional measures go further, including photographing the hacker using his own system’s
camera, implanting malware in the hacker’s network, or even physically disabling or destroying the
hacker’s own computer or network.
The legal underpinnings of such actions taken at network speed within the networks of hackers,
even when undertaken by governments, have not yet been developed. Further, the de facto sanctioning
of corporate cyber retribution is not supported by established legal precedents and norms. Part of the
basis for this bias against “offensive cyber” in the law includes the potential for collateral damage on
the Internet. An action against a hacker designed to recover a stolen information file or to degrade
or damage the computer system of a hacker might degrade or damage the computer or network
systems of an innocent third party. The challenges are compounded if the hacker is in one country
and the victim in another.
For these reasons and others, the Commission does not recommend specific revised laws under
present circumstances. However, current law and law-enforcement procedures simply have not kept
pace with the technology of hacking and the speed of the Internet. Almost all the advantages are on
the side of the hacker; the current situation is not sustainable. Moreover, as has been shown above,
entirely defensive measures are likely to continue to become increasingly expensive and decreasingly
effective, while being unlikely to change the cost-benefit calculus of targeted hackers away from
attacking corporate networks.