US Government Hack-Back and the Computer Fraud and Abuse Act

By Herb Lin
Wednesday, October 21, 2015, 12:32 PM

Robert Dietz has an op-ed in the Washington Times today in which he argues that the US Government needs the legal authority to “hack back” to attribute the party responsible for a cyberattack against the United States.

The op-ed cites the Computer Fraud and Abuse Act as one of the legal impediments to such action. Dietz writes:

Under various U.S. laws — no surprise — it is felonious to hack into domestic computer systems. Among others is the Computer Fraud and Abuse Act (10 U.S.C. 1030). The problem is that laws prohibiting hacking apply to government officials defending the nation’s computer systems as well as to private citizens bent on mischief.

But curiously, his piece is silent on the following clause in the CFAA – 18 USC 1030(f):

(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

Dietz, a former general counsel for the National Security Agency, is surely aware of this clause, which on the face of it would seem to *allow* US intelligence agencies to conduct a lawfully authorized investigative activity that might otherwise violate the Computer Fraud and Abuse Act.

So what am I missing? Doesn’t existing law allow for just the kind of hackback that Dietz advocates?