On April 21, a special Capitol Hill discussion on The Law and Active Cyber Defense was sponsored by the Daniel Morgan Graduate School of National Security (DMGS) in cooperation with the Office of Senator Mark Kirk. The purpose of this event was to advance thinking on active cyber defense (less euphemistically known as cyber offense). At issue is whether U.S. law can be interpreted to allow a private sector actor to retaliate for an intrusion by hacking the hacker back, that is to say, by committing the same offense perpetrated against that actor. It has long been accepted that the U.S. Government can engage in active cyber defense and the private sector cannot. Accordingly, the question is whether U.S. law as it stands can be interpreted to permit retaliation or whether new law is needed.

The panel, moderated by Senior Research Fellow Ken Jenson, covered in great detail the many issues facing cyber defense policy and the law. Panelists Jeremy Rabkin, Professor of Law at George Mason University, and Anthony Glosson, Associate of Government and Regulatory Affairs at Drinker, Biddle, & Reath, LLP, discussed what active measures, if any, the government can take to protect private companies, what measures private companies can take to protect themselves, and whether the cyber threat is damaging enough to warrant direct cyber responses (“hack back” and Active Cyber Defense or “Cyber Offense”).

The panelists and commenters, Ruth Wedgwood, the Edward B. Burling Professor of International Law and Diplomacy at Johns Hopkins SAIS, and Abram Shulsky, Senior Fellow at the Hudson Institute, paid special attention to the need to identify and assess what the target would be if an active or offensive strategy were to be carried out. Also discussed were the lengths to which the private sector would be able to go in defending itself, be it “hacking back” or simply identifying, tracing, and even exposing the attacker.

It seems as though the worst of what the US has endured is ‘disruption’. Intellectual property theft is the biggest liability when an attack is carried out. Other modes of attack aim merely to disrupt service through schemes like phishing and malware. There are only a few cases where a cyber-attack or virus has done real infrastructural damage. Ultimately, the panel concluded that the private sector cannot necessarily afford to wait for public sector solutions. Yet the law would still feature prominently in the area of cyber warfare, hopefully ensuring that innocent computer users don’t suffer and cyber warriors are supported and protected.