To Catch a Hacker, Companies Start to Think Like One

February 15, 2013 – In The News

With cyberattacks on the rise many companies are trying to outsmart hackers by strategically lining their systems with trapping devices known as honeypots. Attorneys warn that this aggressive practice could expose companies to liability under federal privacy and hacking laws.

Honeypots are developed within systems to lure and study hackers so that companies can in turn break into their system. Infiltrating a system believed to be tied to a cyberattack could allow companies the opportunity to recover valuable information, but attorneys caution that statutes such as the Wiretap Act and the Computer Fraud and Abuse Act don't include exceptions for self-defense, so this move could turn the victims into criminals.

For companies, the strategy of intentionally introducing vulnerabilities into their systems so they can monitor them can backfire in other ways, too, attorneys warn.

Companies that learn about problems with their systems and fail to remedy them could find themselves in hot water with regulators or class action plaintiffs in the event of future breaches, according to Scott Vernick.

“If you have a honeypot and do learn a lot from it but don't remedy or correct it, then there's a record that is discoverable and that you knew you had a problem and didn't fix it,” he said.

Honeypots can also carry the unintended consequences of improving the skills of hackers who learn how to identify them and of making companies more attractive targets, according to attorneys.

“If you're trying to get too cute with hackers, then that could create a situation where you become a directed target, where you wouldn't have necessarily been one before,” Vernick said. “You're running the risk of ticking off a hacker that was otherwise just casually observing a site if he or she discovers a honeypot has been set up.”

Allowing a hacker any access to a company's system also invites the risk that intruders could find a way to get more information then than the company intended, resulting in a self-created breach, Vernick noted.

If companies ultimately decide to use these tactics, attorneys strongly recommended that they seek the assistance of trained professionals and inform law enforcement to minimize risk.