DOJ Cyber Unit Mulling Guidance On Hacking Defensive Countermeasures

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Yin Wilczek

May 20 — The Justice Department's Cybersecurity Unit is considering whether to issue guidance on “effective and truly defensive countermeasures” for companies that have been hacked, a senior official said May 20.

The unit also is assessing whether it can help in the implementation of those countermeasures by issuing guidance to clarify related legal issues, said Assistant Attorney General Leslie Caldwell, who heads the DOJ's Criminal Division.

However, Caldwell warned that one countermeasure companies shouldn't attempt is hacking back at those whom they think breached their systems.

Caldwell also noted that the Cybersecurity Unit has begun working with other federal agencies on cyber issues. As an example, she cited the Federal Trade Commission's statement—posted on its website May 20—that it will view companies “more favorably” if they cooperate with authorities on data breaches.

The FTC's statement was coordinated with the unit and the DOJ, Caldwell said. She spoke at a cybersecurity conference hosted by Georgetown University Law Center and sponsored by Bloomberg BNA.

Losses Mounting 

One study estimates that business losses from cybercrime could total $2 trillion by 2019. In the past two years, companies such as Target Corp., JPMorgan Chase & Co., Anthem Inc. and Home Depot Inc. have suffered high-profile breaches.

The DOJ's Criminal Division announced its Cybersecurity Unit in December to serve as a central hub for expert advice and legal guidance on cyber issues. The unit recently issued guidance on best practices for companies that experience cyber incidents.

In her address, Caldwell noted that at a recent discussion with leading cybersecurity experts, the unit learned more about the challenges faced by in-house counsel when dealing with unfamiliar legal issues arising from their companies' cyber defenses and breach incidents. The unit has scheduled an initial legal training session with in-house attorneys from a “vital sector” on the matter, she said.

Hacking Back 

As to hacking back, Caldwell said the DOJ considers the retaliatory activity generally unlawful based on a simple reading of the Computer Fraud and Abuse Act. Even if it were lawful, “we would still recommend against it” because sound policy, including the possibility of interfering with an ongoing government investigation, “militates against the use of hackback tactics,” she said.

Caldwell cited other reasons for why companies shouldn't hack back, including that it:

• poses a significant threat to innocent third parties whose infrastructures may have been hijacked by cybercriminals;

• is illegal in some countries and may jeopardize international relations; and

• has a low likelihood of being beneficial.


A recent poll of Bloomberg subscribers found that most think companies should defer to law enforcement agencies to take retaliatory action for cyber breaches.

In other comments, Caldwell urged companies to read the Cybersecurity Unit's best practices guidance. Even though the recommendations may seem pure common sense, the 2014 Sony hacking incident showed that many companies are unprepared, she said.

The recommendations provide step-by-step advice on what to do before, during and after a cyberattack, and “are the product of experience,” she said.

To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Ryan Tuck at

The text of Caldwell's speech is available at

The FTC statement is available at