Offensive Active Defense: The Bad, the Worse, and the Outright Dangerous
There are bad ideas and then there are really, really bad ideas.
Right now, there is a bill circulating in the House of Representatives that falls squarely into the latter category. The draft legislation is the work of Rep. Tom Graves of Georgia and it is one of a number of cybersecurity related bills floating around Capitol Hill at the moment. But this bill isn’t concerned with national security policy or regulating zero day exploits. Instead, it would give users who have been the victim of a cyber attack the authority to attack their attackers.
In other words, Graves’s bill is essentially a vigilante law for the Internet age.
Here’s how Graves words it in the bill:
“the term ‘active cyber defense measure’— ‘‘(i) means any measure— ‘‘(I) undertaken by, or at the direction of, a victim; and ‘‘(II) consisting of accessing without authorization the computer of the attacker to the victim’s own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network.”
This is a spectacularly bad idea, for a number of reasons, most of which will be clear to anyone who has spent even five minutes thinking about security. Or laws, for that matter. Let’s start with the fact that this bill would empower and encourage victims to become amateur detectives looking for clues about who sent that phishing email or was behind the drive-by download that hit their machine. There’s an entire industry of professional forensics investigators who do that kind of investigation for a living, and they will be happy to tell you that it is not easy. This isn’t CSI: Cyber The bad guys don’t leave a trail of red code for you to follow.
Just because someone has the authority to do something doesn’t mean he has the ability. I have the authority to do my own taxes, but God knows I don’t have the ability.
Let’s move on to the vague wording of the bill. As it is written, the bill allows victims to undertake “any measure” to access an attacker’s computer “to gather information in order to establish attribution of criminal activity to share with law enforcement”. The phrase “any measure” is flat-out terrifying. It conjures images of a Purge-like Internet free-for-all in which otherwise normal people are buying exploit kits and Trojans to go after ex-boyfriends or former roommates who may have once used their laptop without permission. Not ideal.
Then there’s the question of how all of this mess would be monitored and regulated. If victims are allowed to go after attackers, pity the law enforcement agents who would have to go in and untangle the digital spaghetti that would result from amateurs attacking each other. It would quickly devolve into a lot of finger-pointing and Han-shot-first nonsense. How would any of that work? Not well, is the answer.
If this bill is somehow moved forward, we could also see a market develop for consumer-focused offensive tools. Spend 30 seconds imagining what that would look like and you will have a hard time sleeping tonight.
Let’s just not.