Recommendation:
Reconcile necessary changes in the law with a changing technical environment.
When theft of valuable information, including intellectual property, occurs at network speed,
sometimes merely containing a situation until law enforcement can become involved is not an entirely
satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls
for creating a more permissive environment for active network defense that allows companies not
only to stabilize a situation but to take further steps, including actively retrieving stolen information,
altering it within the intruder's networks, or even destroying the information within an unauthorized
network. Additional measures go further, including photographing the hacker using his own system's
camera, implanting malware in the hacker's network, or even physically disabling or destroying the
hacker's own computer or network.
The legal underpinnings of such actions taken at network speed within the networks of hackers,
even when undertaken by governments, have not yet been developed. Further, the de facto sanctioning
of corporate cyber retribution is not supported by established legal precedents and norms. Part of the
basis for this bias against "offensive cyber" in the law includes the potential for collateral damage on
the Internet. An action against a hacker designed to recover a stolen information file or to degrade
or damage the computer system of a hacker might degrade or damage the computer or network
systems of an innocent third party. The challenges are compounded if the hacker is in one country
and the victim in another.
For these reasons and others, the Commission does not recommend specific revised laws under
present circumstances. However, current law and law-enforcement procedures simply have not kept
pace with the technology of hacking and the speed of the Internet. Almost all the advantages are on
the side of the hacker; the current situation is not sustainable. Moreover, as has been shown above,
entirely defensive measures are likely to continue to become increasingly expensive and decreasingly
effective, while being unlikely to change the cost-benefit calculus of targeted hackers away from
attacking corporate networks.
New options need to be considered. As a first step, corporations need better information, and thus
an open, two-way communications flow between companies and U.S. government agencies is more
necessary than ever before. Companies cannot be asked to share more information unless they have a
reasonable expectation that they will receive useful information in return, and they need protections
from lawsuits if they do provide information. The Cyber Information Security Protection Act is an
example of a statutory effort to address this problem, and the Commission recommends its passage.
Second, an aggressive assessment of the sufficiency of current legal norms to address the new
circumstances needs to be undertaken, and new statutes should be considered. The law needs to
be clarified to match common sense. The Department of Homeland Security, the Department of
Defense, and law enforcement agencies should have the legal authority to use threat-based deterrence
systems that operate at network speed against unauthorized intrusions into national security and
critical infrastructure networks.
Finally, new laws might be considered for corporations and individuals to protect themselves in
an environment where law enforcement is very limited. Statutes should be formulated that protect
companies seeking to deter entry into their networks and prevent exploitation of their own network
information while properly empowered law-enforcement authorities are mobilized in a timely way
against attackers. Informed deliberations over whether corporations and individuals should be legally
able to conduct threat-based deterrence operations against network intrusion, without doing undue
harm to an attacker or to innocent third parties, ought to be undertaken.