Companies hit by hackers typically limit themselves to playing defense to comply with a federal law against invading someone’s computer. But some specialist cybersecurity firms say they can pursue criminals without launching their own attacks.
Most cybercrimes in the U.S. fall under the Computer Fraud and Abuse Act, a 1986 law that prohibits unauthorized access of computer systems. The law effectively places offensive cybersecurity actions solely in the hands of the federal government.
Striking back against hackers directly might be off limits, but some former spies and cyber cops say that disrupting an attack in progress is a different story, as long as defenders follow the letter of the law. That often means persuading a hacker to give consent to access the computer or database being used in the suspected cyberattack, for instance by posing as a customer for stolen data.
the chief executive of security-services provider Redacted Inc., advocates proactively going after digital criminals. Businesses hire Redacted to manage their security, but the company can also take on hackers, he said.
Redacted’s employees, 60% of whom are former intelligence officers, will engage with cybercriminals such as ransomware operators, those offering his clients’ data for sale on the dark web, or serial online harassers, he said.
Mr. Kelly’s team builds a profile of the attackers by gathering information about them from the public internet and hidden hacker forums on the dark web. The investigators can often find out which hacking tools were used and where they were bought and can trace emails to identify a culprit, he said.
A direct confrontation often can be enough to get them to back off, said Mr. Kelly, who previously worked at the Federal Bureau of Investigation, the National Security Agency and
“[The attackers] think they’re impervious and can’t be touched,” he said. “As soon as you come and poke at them, and they’re able to connect that to the activity they’re involved with, they disappear.”