The legality of defensive hacking

Monday 30 September 2013 @ 8.49 a.m. | IP & Media | Legal Research

Retaliatory hacking might not be illegal in Australia, says one legal expert.  

As a general rule, penetration testers are free to break into others' computers when given permission. While these "white hat" hacking services can help customers mitigate vulnerabilities, "hack back" takes the battle to the attacker's turf. Rob McAdam, chief executive of penetration-testing firm PureHacking, says he has been asked in the past to "hack back" but refused.

"Hack back is illegal as hell in the US," says one researcher, "and even if you're military or intelligence, it's illegal until you get approval directly from the executive branch." 

While there have been calls in the US for more freedom to hack back, a new breed of security company has emerged promising "active defence," which serves to identify hackers, reveal their intent and disrupt their intrusion. 

The legality of cyber retaliation is still an ambiguous issue for lawmakers in Australia, with supporters calling it a necessary evolution in the fight against malicious hackers.

"Depending how it is done, it may not be illegal," says Dr. Maurushat, a senior lecturer at UNSW's Law Faculty, who has contributed to cyber elements of Australia's Model Criminal Code (MCC). She cites a 2001 MCC Officers Committee report, which considered whether "computerised counter attack against cybernet intruders" could be construed as self-defence.

According to her research, the process of "hacking back" is reasonably common in Australia. She advocates legislation that permits it if it meets several conditions, such as "sufficient attribution of the source of an attack" and "reasonable, proportionate and necessary" measures that also avoid damage to unintended third parties.
