Abstract
As the information economy expands, network security threats proliferate. Large-scale data breaches have become something of a fixture in today’s news cycle: Target, Sony, Home Depot, JPMorgan Chase—the list goes on. Some estimates place the global costs of cyber insecurity at more than $400 billion. The United States is at something of a crossroads on one particularly crucial security issue: active defense. Sometimes called hacking back or counterhacking, the practice of confusing, identifying, and even incapacitating an attacker is increasingly catching the attention of security professionals and policymakers. This paper seeks to synthesize the available legal resources on active defense. It confronts the intertwined definitional, legal, and policy questions implicated in the active defense debate. The paper then proposes a legal framework to authorize active defenses subject to liability for third-party damages, an approach grounded in the technical and economic realities of the network security market.
