This sign actually leads to a class in cybersecurity, not hacking, at New York University in April 2013. Craig Ruttle/AP
Liu says his own firm doesn’t offer the service, even though it’s in demand, because he’s not sure if it’s legal.
“That’s a very gray area because you’re attacking them back,” he said.
Lawyer David Willson has a different take on it. He’s a retired Army JAG officer who has given legal advice on computer networks and information security to the Defense Department and National Security Agency.
“No, it’s not legal, not unless the blackmailer gave permission,” he said. “But who’s going to report it? Not the bad guy.”
The Computer Fraud and Abuse Act, passed in 1986, prohibits accessing a computer without authorization or in excess of the authorization one has. It carves out no exception for self-defense or vigilante justice.
But Willson argues that it should.
He is now at the law firm Titan Info Security Group in Colorado Springs, Colo., which advises companies on active defense. “Gray area” has become a term of art among cybersecurity experts.
As hacking experts flock from the Pentagon to the private sector, Willson is touting a legal theory around how private citizens can exercise surveillance powers similar to the government and, “out of necessity,” enter someone else’s server without permission.
Say a company is the target of an ongoing attack. Their defenses are up, but they’re bleeding intellectual property or bank account numbers because the intruder keeps on breaking in.
Willson says the CEO has to step up.
“You have a fiduciary responsibility to protect your company, which requires the leadership to gather as much information as possible and decide how to move forward,” he said. “Call law enforcement or not. Call the server owner or disrupt the server. Stop the attack.”
The CEO can deal with retribution or blowback from lawsuits or media. “If you’re losing a hundred thousand dollars a week, and you think a lawsuit involved could cost five hundred thousand total, you may decide to take a chance with the lawsuit.”
Willson admits, however, that this approach could spiral out of control.
In most cases, good hackers don’t take stolen goods back to their own server. They take it to another server they’ve compromised, he said, “somebody who – I don’t want to call an innocent bystander – but who is also a victim.”
“You’re running the risk of having them think you’re attacking them,” he said, “when you’re really just trying to figure out who attacked you.”