Active Cyber Defense and Interpreting the Computer Fraud and Abuse Act


In the cybersecurity field, the term “active defense” is used in a variety of ways, referring to any activity undertaken outside the legitimate span of control of an organization being attacked; any non-cooperative, harmful or damaging activity undertaken outside such scope; or any proactive step taken inside or outside that span of control. As most Lawfare readers know, activities outside the legitimate span of control are quite controversial from a policy standpoint, as they can implicate the Computer Fraud and Abuse Act, or CFAA, which criminalizes both gaining access to computers without authorization and exceeding authorized access.

This logic suggests to many that “hacking back”—which might well be defined as a counter-cyberattack on an attacker’s computer—would violate the CFAA. That is, even if A gains unauthorized access to B’s computer, any action taken by B on A’s computer would violate the CFAA since A would not have given B authorization for access. This article will offer some technical commentary on the implications of interpreting the CFAA that way.

Read the rest at Lawfare