How far should companies be allowed to go to hunt cyberattackers?

From: ABA Journal

By James Podgers

Suppose a thief breaks into your house and steals your belongings. In efforts to cover his tracks, the thief hides your stuff in a neighbor’s garage. The neighbor doesn’t realize your property is in his garage, but you find it there. What do you do next–go into the neighbor’s garage to retrieve your stuff, or call the police and hope they respond promptly?

A much more complex version of that scenario is playing out in the cybersecurity field with no clear resolution in sight.

The problem was discussed at a program presented Saturday by the ABA Standing Committee on Law and National Security in Dallas, where the association is holding its 2013 Midyear Meeting.

The issue, agreed three experts who spoke on the panel, is to what extent private concerns may go to track down the intruders who break into their computer systems and where the intruders hide that data to avoid detection. The dilemma, said Steven Chabinsky, is that the federal government has the statutory authority to carry out such investigations but lacks the resources and capabilities, while the private sector has the capability but lacks clear legal authority.

“The private sector has learned it has to explore the legality of doing it on its own,” said Chabinsky, because there hasn’t been sufficient dialogue between private companies and the government on how to proceed. “This discussion has to emerge,” said Chabinsky, who was a deputy assistant director at the FBI before joining the cybersecurity firm CrowdStrike.

The strategy of tracking compromised data to identify intruders often is described as “active defense,” but panelist Stewart Baker said it might be more appropriate to call it passive-aggressive defense. A key concern is that the U.S. Computer Fraud and Abuse Act raises questions about whether a private concern may go out of its own network and break into outside systems to find its stolen data. A related issue, he said, is whether a company may put information into its system for the sole purpose of tracking where it goes in the case of a breach. And under many foreign laws, self-defense actions by private companies amount to espionage. Baker is a partner at Steptoe & Johnson, and a former general counsel for the National Security Agency.
