Professor Jay Kesan from the University of Illinois College of Law, in joint work with Ruperto Majuca of the University of Illinois Department of Economics, argue in favor of legal rules that allow "hacking [data] back" in certain business circumstances. They analyze the strategic interaction between the hacker and the attacked company or individual and conclude that neither total prohibition nor unrestrained permission of hack-back is optimal. Instead, they argue that when other alternatives such as criminal enforcement and litigation are ineffective, self-defense is the best response to cybercrime because there is a high likelihood of correctly attacking the criminal, ad the mitigation of damages to the hacked victim's systems may outweigh the potential damages to third parties during the hack-back. In addition, the law should require that counterstrikers use only the requisite measures that are necessary to avoid damage to their own systems. Also, proper liability rules will induce counterstrikers to internalize the damages of third parties in their decision-making. Finally, better and ever-improving intrusion detection systems (IDS) and traceback technology improve the deterrent effect and efficacy of hack-back.
Jay P. Kesan & Ruperto Majuca,
Chi.-Kent L. Rev.
Available at: https://scholarship.kentlaw.iit.edu/cklawreview/vol84/iss3/10