The problem with commercial offensive cyber attacks is that no private enterprise wants to talk about (or admit to using) the strategy for fear of legal liability issues. Keban and Hayes argued, “Mitigative counterstriking is also legally justifiable under several areas of domestic and international law, and can be made consistent with other areas of law by amending the law or by reinterpreting it.”
Jeff Bardin, CIO of Treadstone 71
Dave Aitel, CEO and owner, Immunity, agreed that while the law is pretty clear in most cases, there has traditionally been some flexibility with interpreting it. “We’ve been using prosecutorial discretion to make it not such a big deal for when big companies break the law for what we think are pretty good reasons,” Aitel said.