Grey hat hacking continues to present unique challenges to legal experts, given that the nature of grey hat cyber activities appears to exhibit both harmless and invasive qualities. Kirsch (2014) observes that “the purpose, techniques and intent of hackers differs greatly within the international hacking community” (p. 385). In this instance, the allegations are that a firm, Anomalous, conducted grey hat hacking activities on the Office of Personnel Management (OPM). Anomalous, a non-US entity, insisted that its activities were in response to a breach in its own systems by a US-based firm, Equation Set. Grey hat hacking refers to hacking activities that, while not malicious in intent, have the potential for constructive or disruptive utility (Brown, 2015). Consequently, the results of grey hat hacking primarily rest with the intent of the hacker.
Cyber-attacks may result in physical damage to strategic assets, fraud, or informational gaps (Barros & Barros, 2015; Brown, 2015). Grey hat hackers typically probe systems to determine whether there are any vulnerabilities, usually without the consent of the owners of the systems they are compromising. The ruling in United States v. Auernheimer (2012) exemplifies the legal and civil liabilities that grey hat hackers have to contend with, as well as the challenges that CyberTech faces, considering both its civil and legal exposure (Kirsch, 2014). The US v. Auernheimer (2012) case also demonstrates why grey hat hackers not only prize but also rigorously maintain anonymity at all times. The stealth with which grey hat hackers compromise systems, usually without leaving trails that can be traced back to them, compounds any legal and ethical evaluations of their actions (Kirsch, 2014). For example, grey hat hackers cannot report their activities, even though they may have information pertinent to an ongoing investigation (Barros & Barros, 2015). Self-reporting would be challenging because, while they may have the material evidence necessary to wind up a case, the manner in which they acquired the material is suspect.
The nebulous and ever-changing functionalities of technology and the attendant proprietary information structures mean that any cyber laws are usually reactive, or are activated after a cyber incident has occurred. Although laws to curtail the excesses arising from cyber activities abound, international laws arbitrating the same have been wanting. The lawsuit involving Equation Set, Anomalous and CyberTech illustrates well the difficulties of arbitrating cybercrimes. The law firm that has retained CyberTech’s forensic services represents Anomalous, a lead suspect in the OPM hacking incident. Equally, some of CyberTech’s clients, though in unrelated OPM breach cases, place the firm in a difficult position. Of importance in evaluating CyberTech’s conflict of interest is understanding that essentials of information such as confidentiality, non-repudiation and integrity do not exist in practice in hacking. The only time characteristics such as non-repudiation apply is when there is evidence of a cybercrime and only after the crime undergoes full prosecution. Grey hat hackers for the most part avoid the legal pitfalls attendant to their work by ensuring they leave little or no trace in the systems they compromise.
In order to retain its reputation as an objective firm, it is important that CyberTech maps out its position vis-à-vis its obligations to the client that contracted it, the law firm, and its other clients. An initial step would be to conduct due diligence to determine, among other liabilities, possible conflicts of interest. In CyberTech’s instance, the firm has identified a possible conflict of interest, where it appears that CyberTech will be offering evidence in defense of a plaintiff. Prevailing conflict of interest rules stipulate that it is not possible for an entity, such as a lawyer or a firm, to act where there is a “…concurrent conflict of interest” (Katz, 2006, p. 4). The plaintiff, in turn, is a lead suspect in the OPM hack, with CyberTech representing some of the victims. As a result, it is not legally possible for CyberTech to present evidence that strengthens the plaintiff’s case without running afoul of its other clients, particularly those affected by the OPM hack in which Anomalous is the lead suspect.
The primary concern for CyberTech is in mitigating exposure to legal scrutiny. Representing conflicting clients is a risky undertaking for any business, and especially for firms offering cyber security services. To illustrate the risk, court rulings pursuing a matter might compel a cyber security firm that embroils itself in a conflict of interest liability to disclose information that might jeopardize other clients not related to the suit. Information technology firms, particularly those that provide cyber security services, face unique challenges that the local and international jurisprudential systems are yet to accommodate (Springman, 2003). Further, most of the stakeholders, particularly those in the legal field who prosecute cybercrimes, are limited by gaps in knowledge of not only the use of technology but also the extent to which it finds utility in materializing illicit ends (Brown, 2015). The fact that cyber activities transcend jurisdictional and physical barriers makes designations like conflicts of interest problematic, because cyberspace primarily converges information.
Courts have increasingly become wary of making declarations sui generis, for the reason that there are sufficient precedents in both local and international laws from which to extricate guidance on ongoing proceedings (Brown, 2015). Additionally, courts tend to apply the laws on cybercrimes in the broadest way to demonstrate to potential cyber criminals that laws apply to their activities (Van De Velde, 2017). The creative interpretation of international law in attempts to seek redress, particularly if the plaintiff and defendant in hacking charges are two countries, can result in severe actions and counteractions. Invariably, the question of ethics arises, particularly considering that both Equation Set and Anomalous appear to be grey hat outfits.
The exploitation of available legal loopholes is the de facto approach to managing cybercrimes. Exploiting the loopholes is often the only recourse left for countries to effectively overcome the red tape that comes with multiple legal jurisdictions and the conflicting priorities and laws that make it difficult to prosecute cybercrimes (Springman, 2003; Van De Velde, 2017). Most U.S. government cybersecurity programs allow for the development and deployment of technology with an emphasis on inbuilt preventive capacities. The preventive approach is, however, inadequate when considering that the online community, of which hackers are prominent members, relies on open-source information technology resources. Open-source technologies typically evolve faster than information technologies developed in regulated or controlled environments.
The recommendation of a neutral intermediary, preferably another cyber security consultant, can mitigate the legal liabilities that may arise from allegations of conflict of interest. Alternatively, CyberTech can conflict itself out of the suit by turning down the offer in the present case (Katz, 2016). Legally, conflicts of interest void any argument about objectivity, professionalism, compartmentalization and so forth that CyberTech can make about its representation of conflicted parties. CyberTech’s agreement to consult with the law firm representing Anomalous will be directly adversarial to its other clients who, though not directly related to the Anomalous v. Equation Set case, are victims of the OPM attack. Also, the fact that CyberTech’s client roster includes OPM hack victims means that the firm is materially limited in the services it can offer its extant clients as well as a law firm representing Anomalous.
Cybercrimes are usually a transnational issue and, for this reason, firms that offer cyber security have to comply with higher legal thresholds, something that is difficult for grey hat hacking outfits. Because CyberTech clearly has a conflict of interest with the law firm it is consulting with, it is important for the firm to recuse itself beforehand, an act that will in the long run ensure the discretion that security firms rely on for operations. Failure to recuse itself, on the other hand, means that CyberTech, in addition to being conflicted out of the case, will run afoul of the Computer Abuse and Fraud Act. Specifically, the law firm may require CyberTech’s expert testimony as a security consultant in the OPM hacking case in court. Such a move would compel CyberTech to divulge details of the OPM hacking that might compromise its other clients’ privacy, even though the latter are not related to the Anomalous v. Equation Set suit in progress.
In withdrawing its services from the Anomalous v. Equation Set suit, CyberTech raises questions about how the law should regard grey hat hacking. Specifically, while CyberTech retains information that could materially affect the outcome of the cases, it also has an obligation to its clients as well as a reputation to maintain. The Bret McDanel v. United States of America case illustrates the legal challenges that face grey hat hacking activities (Springman, 2003). In particular, Bret McDanel v. United States of America demonstrated that even without malicious intent, grey hat hacking operations can result in prosecution and sentencing.
In conclusion, CyberTech should withdraw its services from the law firm, citing conflicts of interest. Given the nebulous relationship between legal practices and cutting-edge technologies, cyber security firms do well to err on the safe side. The interconnectedness that comes with information technologies presents the business as well as legal communities with the difficult decision of balancing non-malicious use of hacking with the very real cyber threats the hackings are meant to preempt.
Barros, U. S., & Barros, M. S. (2015). A Survey of Ethical Hacking process and Security. In 4th International Conference on System Modeling & Advancement in Research Trends (SMART) College of Computing Sciences and Information Technology (CCSIT). http://tmu.ac.in/college-of-computing-sciences-and-it/wp-content/uploads/sites/17/2016/10/CCSIT329.pdf
Brown, C. S. (2015). Investigating and prosecuting cyber-crime: Forensic dependencies and barriers to justice. International Journal of Cyber Criminology 9(1), 55-119.
Katz, D. S. (2006). Legal ethical issues in the representation of multiple parties: Issues affecting plaintiffs’ lawyers. 24th Annual Employment Law & Litigation Institute: Legal Trends and Practice Strategies. https://www.kmblegal.com/wp-content/uploads/2015/04/EthicsGeorgetownCLE-April-6-2006.pdf
Kirsch, C. (2014). The grey hat hacker: Reconciling cyberspace reality and the law. Northern Kentucky Law Review 41(3), 384-405.
Springman, C. (2003). The Federal Government’s strange defamation case against Bret McDanel: A prosecution that should never have been brought. FindLaw. Retrieved from https://supreme.findlaw.com/legal-commentary/the-federal-governments-strange-cyber-defamation-case-against-bret-mcdanel.html
Van De Velde, J. (2017). The Law of Cyber Interference in Elections. Social Science Research Network. http://dx.doi.org/10.2139/ssrn.3043828