Sony Pictures. Equifax. Yahoo. Companies always look hapless at best, criminally negligent at worst, when they have to confess to being hacked. But suppose a corporation has the skills, resources, and will to fight back. What exactly is it supposed to do? Measures such as infiltrating the attacker’s network to retrieve stolen data, collect information, or cause damage are technically feasible. But the rights of US hacking victims are limited, governed by the Computer Fraud and Abuse Act, which makes it a federal crime to access a computer without authorization.
Some members of Congress want to significantly revise the law to allow companies and individuals who are hacked to hack back. Nicholas Schmidle explores the issue in depth in a new story for the New Yorker, in which he interviews lawmakers and numerous cybersecurity experts. It seems unfair that victims’ hands should be tied, when government protection is often non-existent on the wild frontiers of the internet. But there is also reason to worry that loosening the law could lead to misdirected vigilantism. As Schmidle writes, “Should hacking back become legal, it may well help individual victims of cybercrime, but it is unlikely to make the Internet a safer place.”