Attorney Jon Stanley, who also spoke on the panel at RSA, says any company that believes it is under cyberattack faces another consideration: the company may need to notify its insurance carrier. Then there may be a decision to call law enforcement or not. The sad and ironic aspect of a company that's a "legal entity" being used as a proxy for an attacker is that a legal discussion will ensue between what are basically two victimized companies now wary of each other. And it's happening in a legal environment where there's "almost no guidance in case law," said Stanley. "You'll quickly find yourself in no man's land." Concepts of aggression and disorder simply haven't been clearly defined, he said.
Shugg noted that in the midst of such a cybercrime episode, law enforcement may also be present, trying to quietly monitor what's going on, especially when the stakes are high. "Law enforcement may be putting a case together," he said, and you may be stepping into something bigger than you think.
Shugg said he thinks that the courts in this country are split on how far anyone can go to push back against an attacker. However, Eric Hibbard, CTO for security and privacy at Hitachi Data Systems, who also spoke on the panel, said he considers attackback to be "very dangerous" as a path to go down. It raises the question, "what's an adequate defense before you move to counter?" and other questions, such as why you were compromised to begin with and whether you have not patched your systems in a long time.
But it's all pretty murky. When asked what the law of trespassing we have today for the physical world might mean in cyberspace in terms of repelling an attacker or striking back, Stanley said anyone who wants to do it and defend that practice will probably end up as the test case for the rest of us. "I'd advise not to strike back. Somehow we have to stop this in the inside."