Proposing a Self-Help Privilege for Victims of Cyber Attacks

As the Internet occupies increasingly important functions in modern society, cyber attacks pose an increasingly serious threat to private companies and ordinary citizens. Sophisticated hackers threaten the nation’s military and foreign policy interests and can destabilize the nation’s financial, telecommunications, and energy sectors. In order to combat these threats, Congress has enacted laws specifically criminalizing hacking, and courts have fashioned doctrines for finding liability for tortious Internet activity. These legal tools, however, provide inadequate protection against today’s sophisticated hackers. Developed decades ago, these doctrines are difficult to apply with respect to hostile criminal organizations or foreign state actors. Indeed, legal ambiguity creates an uncertain legal environment that deters legitimate security professionals from using a full range of defenses against unknown attackers.

Congress should amend the Computer Fraud and Abuse Act to grant a limited self-help privilege to victims of cyber attacks. Providing legal clarity in this fashion would allow legitimate security organizations to adopt more proactive defenses for themselves and for ordinary Internet users. Information sharing would improve between the private entities closest to the action and the government agencies responsible for securing American interests on the Internet. This proposal would result in better situational awareness for private and public security organizations, as well as a more secure Internet for everyone.