Tuesday, October 16, 2012

Hacking Back - are you authorized? A discussion of whether it's an invitation to federal prison or a justified reaction/strategy?

The concept of hacking back has continued to gain attention as cyber-attacks continue. I'd be remiss if I didn't point readers to the Volokh Conspiracy and its latest coverage on the issue. The contenders in this argument, which has gone back and forth for 4 days so far, are Stewart Baker, a Partner at Steptoe & Johnson, with experience working for DHS, and Orin Kerr, Fred C. Stevenson Research Professor of Law at The George Washington University.

As an initial matter, Jeffrey and I did a back and forth on this in June. Our posts can be found here:

Justin's take - The Illegality of Striking Back Against Hackers
Jeffrey's argument in the alternative - An Attempt to Make the Case for "Hacking Back"

In a generalized way, it appears I side with Orin Kerr, whereas Jeffrey's argument in the alternative (which is not necessarily his view) is more favorable to Stewart Baker. Here are the posts from the Volokh Conspiracy, in chronological order:

October 13th, Stewart Baker, RATs and Poison: Can Cyberespionage Victims Counterhack?
October 14th, Stewart Baker, RATs and Poison II — The Legal Case for Counterhacking
October 15th, Orin Kerr, The Legal Case Against Hack-Back: A Response to Stewart Baker
October 16th, Stewart Baker, The Legality of Counterhacking: Baker Replies to Kerr

I will update if the back and forth on the VC continues.

Update Oct. 16th, 12:53pm CST: Kerr just responded in another post
October 16th, Orin Kerr, More on Hacking Back: Kerr Replies to Baker

Update Oct. 16th, 5:00pm CST: Baker's final response
October 16th, Stewart Baker, The Legality of Counterhacking: Baker’s Last Post

Update Oct. 17th, 6:18pm CST: Kerr's final post
October 17th, Orin Kerr, A Final Post on Hacking Back


  1. An eye for an eye, even on the web just isn't how things are done these days. Honestly, unless you really know what you're doing, hiring a commercial lawyer and suing the pants off of the hacker would be a better choice.

  2. In my opinion, hacking back is just a waste of resources. Rather than doing this, companies should just focus on increasing their security measures and working on gaining some ROI.