Dialing back the crazy on hack back law
Changes to a proposed law would dial back the crazy on efforts to let breached firms ‘hack back’ against their assailants.
A proposed bill in the U.S. House of Representatives that would give breached companies the ability to hack back at assailants has been revised, putting safeguards in place, according to a statement by Georgia Representative Tom Graves, one of the bill’s proponents.
Updates to the Active Cyber Defense Act (yes…ACDC) bill, which was first introduced in March, explicitly rule out destructive attacks that would cause financial injury, require offended firms to get approval from law enforcement before retaliating and add restrictions to protect against collateral damage from so-called “hack back” campaigns.
“These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,” said Rep. Graves in a statement. “I look forward to continuing the conversation and formally introducing ACDC in the next few weeks.”
The original draft of the Active Cyber Defense Act legislation, unveiled in March, drew criticism for being overly broad. As reported by Threatpost in March, the bill conflated measures like “active defense,” which typically involve raising barriers for would-be intruders to make it more difficult to compromise networks, with hacking back – allowing victims to launch offensive attacks on those believed to be responsible for compromising their network with an eye to identifying perpetrators or clawing back stolen data.
In the revised version of the legislation, organizations are permitted to use “limited defensive measures that exceed the boundaries of one’s network in an attempt to identify and stop attackers.” Once a cybercriminal is identified, the victim can share that information with law enforcement and use the information to “try to disrupt an ongoing attack.”
“The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network,” Rep. Graves said in a statement. “By allowing defenders to develop and deploy new tools, it will also serve as a disincentive for criminal hacking.”
However, the new bill “protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense,” Representative Graves said.
The law creates a category of activity dubbed “active defense measures” that comprise accessing “without authorization” an attacker’s computer in order to attribute a crime, disrupt unauthorized activity against the victim’s network or monitor the behavior of an attacker.
Not allowed: destroying or rendering inoperable systems not belonging to the attacker, causing physical or financial injury to another person, creating a threat to public health or safety, or exceeding the level of activity needed to perform reconnaissance in order to attribute the attack.
Hacking back carries a number of risks. Cyber attribution is notoriously difficult to get right. Both sophisticated and unsophisticated attackers use compromised networks or third-party assets to launch attacks, host malicious software and command-and-control systems, and siphon off data from victims. Attacks aimed at those assets may affect other law-abiding organizations that also use those resources, while having little impact on the perpetrators.
For this reason, security experts and policy makers have generally been skeptical of efforts to authorize ‘vigilante justice’ in online attacks. However, the scale of attacks on both private and public-sector organizations has prompted a re-evaluation of hacking back – under the moniker of “active defense.” So too has the ascendency of Donald Trump to the U.S. Presidency. In an interview with The Security Ledger in October, Trump advisor Michael Flynn indicated that active defense and retaliatory actions were among the tools the Trump Administration was considering to address cyber attacks. A report by George Washington University called for more public-private collaboration on active defense measures in light of the changing threat landscape.