High-tech vigilantes face legal threat

Companies should be wary of carrying out counter-attacks against hackers, even though they still cannot rely on the police for help
Written by Madeline Bennett, Contributor

Companies cannot rely on the police to protect them from computer crime, but they should be wary of carrying out counter-attacks against hackers because this could raise legal problems, say experts.

Speaking at the recent Infosecurity Europe conference, Peter Sommer, a lawyer specialising in Internet law, said the police do not have enough resources to tackle Internet crimes, with little prospect of much improvement in the next few years.

"Firms cannot expect police to routinely solve cybercrime, and businesses must bear the responsibility to protect themselves," said Sommer.

He said problems faced by the police include limited resources, a lack of adequate legislation and a reluctance by firms to spend time and money on collecting evidence.

In the US, firms are increasingly using hacking tools to attack the systems of hackers. Thirty-two percent of Fortune 500 companies have installed counter-offensive software, according to a survey by security consultancy WarRoom Research. Tactics include launching Trojan horse attacks to damage and disable a hacker's computer, and automated scripts that can erase an attacker's hard drive or hijack their email.

However, Sommer pointed out that such measures could cause companies to break the law. "There is no clear line between cyber defence and attack," he said. If a company launches a counter-attack after detecting a hacker, it could inflict damage on a third party, because hackers often launch attacks via other companies' systems, so the machine a counter-attack is aimed at may belong to another victim rather than to the attacker. This raises issues of legal liability for any damage caused, though the law in this area is still unclear.

To improve protection for UK firms, Sommer argued that legislation should be brought up to date, because the Computer Misuse Act 1990, which sets out the offences under which computer crime is prosecuted, takes no account of the Internet and has not yet been updated to cover offences such as denial of service (DoS) attacks.

The extent of the problem faced by companies and the police is illustrated by the fact that the Love Letter virus is estimated to have cost firms $10bn (£7bn) worldwide, while the high-profile teenage hacker Mafia Boy caused $1.7bn (£1.3bn) of damage globally, according to research by security specialist Para-Protect.

Bob Ayers, vice president of Para-Protect Europe, said, "Police can't cope with the volume of cybercrime, prosecution can't match the rate of offences, and penalties are out of proportion with the damage caused, so firms are becoming cyber vigilantes."

The UK's recently launched National Hi-Tech Crime Unit did not attend the conference and said that its members were still in training. Ayers said the unit's decision not to attend was a mistake for a government body that was trying to forge close relationships with UK technology companies.
