Cyber Private Eyes Go After Hackers, Without Counterattacking

Companies hit by hackers typically limit themselves to playing defense to comply with a federal law against invading someone’s computer. But some specialist cybersecurity firms say they can pursue criminals without launching their own attacks.

Most cybercrimes in the U.S. fall under the Computer Fraud and Abuse Act, a 1986 law that prohibits unauthorized access of computer systems. The law effectively places offensive cybersecurity actions solely in the hands of the federal government.

Striking back against hackers directly might be off limits, but some former spies and cyber cops say that disrupting an attack in progress is a different story, as long as defenders follow the letter of the law. That often means persuading a hacker to give consent to access the computer or database being used in the suspected cyberattack, for instance by posing as a customer for stolen data.

Max Kelly, the chief executive of security-services provider Redacted Inc., advocates proactively going after digital criminals. Businesses hire Redacted to manage their security, but the company can also take on hackers, he said.

Source: WSJ