Naked Security

Bill proposes letting victims of cybercrime hack the hackers

What could possibly go wrong? Republican Tom Graves' bill 'might result in harm to innocent parties', warns law professor

When investigating hacked networks, FBI agents have long told company executives that they can’t share information on what was stolen and who took it. “Sorry, that’s classified,” was all the victims got.

And for years, this has frustrated companies and victims that wanted to hack back. That could entail, for example, identifying and crippling computers behind a distributed denial-of-service (DDoS) attack (a service some security firms have in fact marketed), or perhaps launching an attack from servers situated offshore (the FBI has investigated banks for such activities).

Hack backs aren’t exactly what you’d call legal, regardless of such actions being justified as defensive maneuvers. In fact, such actions run afoul of the Computer Fraud and Abuse Act (CFAA), the US law that criminalizes unauthorized access to a computer.

But a bill is being floated in Congress that would, in limited measure, update the CFAA to decriminalize “active cyber defense measures”. The bill, known as the Active Cyber Defense Certainty Act (PDF), was introduced as a discussion draft earlier this month by Tom Graves (R-GA).

If passed, the ACDC would decriminalize defensive deeds that it defines as those undertaken by, or at the direction of, a victim. Such defensible defensive actions would consist of accessing, without authorization, the computer of the attacker who went after the victim’s network.

The bill would protect defensive computer intrusion that’s done to gather information about who’s behind an attack and that’s shared with law enforcement or used to disrupt a continued attack or intrusion.

What the bill would explicitly forbid: blowing anything up or other types of sweet, sweet revenge. From the bill…

(ii) [the ACDC] does not include conduct that—
(I) destroys the information stored on a computers of another;
(II) causes physical injury to another person; or
(III) creates a threat to the public health or safety

What could possibly go wrong?

Bobby Chesney has delved into the ways. He’s the Charles I. Francis professor in law and associate dean for academic affairs at the University of Texas School of Law and a member of a task force convened by the Center for Cyber and Homeland Security at George Washington University, which recently issued a report (PDF) on active defense.

From a post he published on Tuesday on the Lawfare blog:

The catch is that it is hard to open the door wide enough to make a genuine difference for victims, without opening the door to a host of unintended problems under two big headings: mistaken attribution and unintended collateral impacts.

Put more directly, it is not hard to see how the more aggressive forms of active defense might result in harms to innocent parties. Some amount of risk along those lines may be worth it, depending on the benefits also obtained; it’s just awfully hard to know for sure.

An example: often, attacks can come from a chain of computers, as Chesney points out. Working back to the computer of the attacker could mean gaining unauthorized access to all the computers in the chain, including those belonging to innocents.

Granted, the bill is just in draft form now. As such, much of the language is vague.

Another example of wording that could use fine-tuning is the exception for physical injury. That’s a good start, Chesney said, but defensive attacks could cause other harm, such as financial. Another way innocent parties could be harmed would be if their personal details or sensitive information were to be doxxed, which could lead, at a minimum, to embarrassment.

Are the risks worth whatever benefits might be gained? It’s hard to say at this point. That’s why Chesney has recommended oversight and data-gathering if the bill goes into effect, as well as a sunset clause after a year or two.

After that, we’d have some actual experience with which to judge hack-back in practice. At this point, it’s all too vague, though it is a good start, he said.


4 Comments

Hacking the Hackers is not new. That was the trend back in the early 2002s for people who knew how to hack. The prob was most of the hacks were coming from US Gov sites and away to jail you go. Besides, as a real hacker, you're not going to find where I am really coming from. Really dumb back then and really dumb today.

Where does it stop?

Jack the Hacker hacks into Wendy’s computer, bots it and uses it as a proxy to attack Dave and Heather’s PCs. Wendy does her weekly security scan and learns she’s being hacked by three attackers. Does she now have the right to hack back at all three of them?

IPv4, still the predominant protocol in use on the ‘Net, lacks any mechanism for secure authentication of packet origin. Attackers can easily fake the origination address of their packet stream to implicate a nonexistent or, worse, innocent person’s or organization’s IP address. Attacking the wrong IP address in a fit of anger will just make the situation worse. IPv6 does, on the other hand, have proper packet authentication, so _maybe_ IPv6 attacks could justify retaliation. The issue raised by “Mike” above still holds, though: if an innocent’s system is compromised and then used for an attack, retaliation may harm the innocent rather than the hacker.
