I’ve long been an advocate for fewer restraints on how the private sector responds to hacking attacks. If the government can’t stop and can’t punish such attacks, in my view the least it could do is not threaten the victims with felony prosecution for taking reasonable measures in self-defense. I debated the topic with co-blogger Orin Kerr here. I’m pleased to note that my side of the debate continues to attract support, at least from those not steeped in the “leave this to the professionals” orthodoxy of the US Justice Department.
The members of the 9/11 Commission, who surely define bipartisan respectability on questions of national security, have issued a tenth anniversary update to the Commission’s influential report. The update repeats some of the Commission’s earlier recommendations that have not been implemented. But it also points to new threats, most notably the risk of attacks on the nation’s computer networks. No surprise there, but I was heartened to see the commissioners’ tentative endorsement of private sector “direct action” as a response to attacks on private networks:
Congress should also consider granting private companies legal authority to take direct action in response to attacks on their networks.
This “should consider” formulation avoids a full embrace of particular measures, and in that respect it parallels another establishment endorsement of counterhacking. The Commission on Theft of American Intellectual Property, said in its 2013 report:
Finally, new laws might be considered for corporations and individuals to protect themselves in an environment where law enforcement is very limited. Statutes should be formulated that protect companies seeking to deter entry into their networks and prevent exploitation of their own network information while properly empowered law-enforcement authorities are mobilized in a timely way against attackers. Informed deliberations over whether corporations and individuals should be legally able to conduct threat-based deterrence operations against network intrusion, without doing undue harm to an attacker or to innocent third parties, ought to be undertaken.
If repeated tentative embraces are the way new policy ideas become respectable, “direct action” is well on its way. The 9/11 Commission deserves credit, not just for moving the debate but for contributing a label that gives counterhacking a kind of anarcho-lefty frisson.