# Full Report
Former DoJ attorney John Carlin writes about hackback, which he defines thus: “A hack back is a type of cyber response that incorporates a counterattack designed to proactively engage with, disable, or collect evidence about an attacker. Although hack backs can take on various forms, they are—by definition—not passive defensive measures.” His conclusion:

> As the law currently stands, specific forms of purely defensive measures are authorized so long as they affect only the victim’s system or data. At the other end of the spectrum, offensive measures that involve accessing or otherwise causing damage or loss to the hacker’s systems are likely prohibited, absent government oversight or authorization. And even then parties should proceed with caution in light of the heightened risks of misattribution, collateral damage, and retaliation...
# Analysis Summary
# Legal and Policy Landscape of "Hack Back" Cyber Responses
## Key Points
- **Definition of Hack Back:** A cyber response incorporating a counterattack designed to proactively engage with, disable, or collect evidence about an attacker. It is explicitly *not* a passive defensive measure.
- **Permitted Actions (Passive Defense):** Specific forms of purely defensive measures are authorized, provided they affect *only* the victim’s system or data.
- **Prohibited Actions (Offensive):** Offensive measures that involve accessing or causing damage/loss to the hacker’s systems are likely prohibited, unless authorized by the government.
- **Risks of Offensive Action:** Proceeding with offensive measures carries heightened risks concerning misattribution, collateral damage, and retaliation, even with authorization.
- **Legal Gray Area:** A broad range of hack back tactics falling between passive defense and outright offensive measures exists in a legal gray area and requires government oversight or authorization.
- **Potential Legal Clarification:** The article suggests existing laws (CFAA and CISA) would benefit from amendments to clarify parameters for specific self-defense measures.
## Threat Actors
- Not specified; the discussion focuses on the legal framework surrounding actions taken *against* unknown attackers.
## TTPs
- **Offensive Countermeasures:** Counterattacks designed to proactively engage with, disable, or collect evidence about an attacker.
- **Specific Tactics Discussed (Legally Delineated):**
  1. Purely defensive measures affecting only the victim's system or data (authorized).
  2. Offensive measures accessing or damaging the attacker's systems (likely prohibited without government authorization).
## Affected Systems
- Not specified, as the source discusses the legality of responding to attacks rather than a specific incident. The discussion covers actions against the **attacker's systems** versus actions limited to the **victim's system or data**.
## Mitigations
- **For Private Parties:** Engage in broad hack back tactics only with established government oversight or authorization (e.g., partnering with law enforcement or seeking court authorization).
- **For Policymakers:** Legislation (amendments to CFAA and CISA) is recommended to clarify the scope of authorized self-defense measures.
## Conclusion
The current legal status severely restricts activities defined as "hack backs." Private entities are generally limited to purely defensive actions confined to their own systems. Any active counterattack involving interaction with or damage to an attacker's infrastructure is likely illegal without explicit governmental clearance due to significant risks associated with misattribution and escalation.