Legal
BY: Sean Cox

FIGHTING FIRE WITH FIRE
Legal and Ethical Issues of Active Defense and Hacking Back

It's happened. Despite all the recommended precautions, despite a robust IT security architecture, despite the correct policies and procedures, despite proper employee training, your enterprise has been hacked. The breach plan is ready to go. Everyone knows their job and what to do. You bring in a forensic security professional and she says that the best response is to go on the offense. She recommends that you hack the hacker. Your plans did not prepare you for this possibility, and your first question is, "Can we do that?"

Many security experts point out that the low risk is a key driver in the prevalence of cyber crime. To many, the best approach to reversing the trend is for private industry to aggressively counter cyber crime and strike back against these criminals. Enterprises can pursue a spectrum of active countermeasures. This spectrum, referred to as active defense, comprises measures taken outside the enterprise's network perimeter to enhance the security of the network. Examples include sharing threat information with industry and law enforcement, traps for cyber criminals, beacons that alert when confidential files are compromised, and dark web investigations. Hacking back represents the extreme end of the active defense spectrum and describes striking back at the cyber criminal by accessing, damaging, or breaching the criminal's own system. The reasons for hacking back can be several: recovering or unlocking data, obtaining evidence, exposing the bad actor, preventing further attacks, disabling botnets, or even attacking and shutting down the attacker's system. Much of the active defense spectrum is uncontroversial and is becoming commonplace.

Many of the tools are the result of coordination between industry, cyber security companies and law enforcement. However, general frustration with the seeming inability of traditional cybersecurity methods to stop a stream of high-profile attacks is encouraging many to explore new options. For example, in the case of ransomware, the FBI does not recommend paying the ransom, but acknowledges that victims should weigh the costs of doing or not doing so. When a company's very existence is at stake, the desire to do something, or to get payback, can be strong. In many cases after a breach, the authorities can be little or no help, and despite the legal risks, a feeling of helplessness can lead enterprises down a dangerous path. Going on the offense may seem like the best, if not only, response, but doing so may cause greater complications. When enterprises start considering countermeasures that risk collateral damage, the potential legal repercussions, both criminal and civil, are very real. Any unorthodox response should be carefully considered, legal ramifications weighed, and strict parameters set.

36 Fall 2017 HOSPITALITY UPGRADE www.hospitalityupgrade.com