Hacking Back: Optimal Use of Self-Defense in Cyberspace

Should the law permit hackback? How should the law on self-defense in cyberspace be designed? In this paper, we use game-theoretic analysis to develop criteria that determine whether police enforcement, litigation, or hackback is best, and under what circumstances. Our model suggests that the law should permit hackback only if: (1) other alternatives, such as police enforcement and resort to courts, would be ineffective; (2) there is a serious prospect of hitting the hacker instead of innocent third parties; and (3) the damages that can be potentially mitigated to the defender's systems outweigh the potential damages to third parties. The law should require that counterstrikers use only force that is necessary to avoid damage to their own systems. Also, proper liability rules will induce counterstrikers to internalize the damages of third parties in their decision-making. Finally, better intrusion detection systems (IDS) and traceback technology improve the deterrent effect and efficacy of hackback.

Suggested Citation: Suggested Citation

Majuca, Ruperto P. and Kesan, Jay P., Hacking Back: Optimal Use of Self-Defense in Cyberspace (March 18, 2009). Chicago-Kent Law Review, Vol. 84, No. 3, 2010, Illinois Public Law Research Paper No. 08-20, Available at SSRN: https://ssrn.com/abstract=1363932 or http://dx.doi.org/10.2139/ssrn.1363932