In cybersecurity circles I often hear that firms are increasingly taking matters into their own hands in the face of cyber-exploitations or cyber-attacks by taking retaliatory steps against the computer systems that are the source of the exploitations or attacks. A legal obstacle to such “hack-backs” is the Computer Fraud and Abuse Act (CFAA). I had always thought, based on cursory analysis, that the CFAA prohibited self-defensive hack-backs. But Stuart Baker makes the case that they do not (always) do so. His argument invited a response from Orin Kerr, and subsequent rounds of argument here and here and here(and Orin will likely go at it one more round). An illuminating exchange.
PS: Orin’s final post is here.