When investigating hacked networks, FBI agents have long told company executives that they can’t share information on what was stolen and who took it. “Sorry, that’s classified,” was all the victims got.
And for years, this has frustrated companies and victims that wanted to hack back. That could entail, for example, identifying and crippling computers behind a distributed denial-of-service (DDoS) attack (a service some security firms have in fact marketed), or perhaps launching an attack from servers situated offshore (the FBI has investigated banks for such activities).
Hack backs aren’t exactly what you’d call legal, even when they’re framed as defensive maneuvers. Such actions run afoul of the Computer Fraud and Abuse Act (CFAA), the US law that criminalizes accessing a computer without authorization.
But a bill is being floated in Congress that would, in limited measure, update the CFAA to decriminalize “active cyber defense measures”. The bill, known as the Active Cyber Defense Certainty Act (PDF), was introduced as a discussion draft earlier this month by Tom Graves (R-GA).
If passed, the ACDC would decriminalize defensive measures that it defines as those undertaken by, or at the direction of, a victim. The protected conduct would consist of accessing, without authorization, the computer of the attacker who went after the victim’s network.
The bill would protect defensive computer intrusion that’s done to gather information about who’s behind an attack and that’s shared with law enforcement or used to disrupt a continued attack or intrusion.
What the bill would explicitly forbid: blowing anything up or other types of sweet, sweet revenge. From the bill…
(ii) [the ACDC] does not include conduct that—
(I) destroys the information stored on a computer of another;
(II) causes physical injury to another person; or
(III) creates a threat to the public health or safety
What could possibly go wrong?
Bobby Chesney has delved into the ways. He’s the Charles I. Francis professor in law and associate dean for academic affairs at the University of Texas School of Law and a member of a task force convened by the Center for Cyber and Homeland Security at George Washington University, which recently issued a report (PDF) on active defense.
From a post he published on Tuesday on the Lawfare blog:
The catch is that it is hard to open the door wide enough to make a genuine difference for victims, without opening the door to a host of unintended problems under two big headings: mistaken attribution and unintended collateral impacts.
Put more directly, it is not hard to see how the more aggressive forms of active defense might result in harms to innocent parties. Some amount of risk along those lines may be worth it, depending on the benefits also obtained; it’s just awfully hard to know for sure.
An example: as Chesney points out, attacks are often routed through a chain of compromised computers. Working back to the attacker’s own machine could mean gaining unauthorized access to every computer in that chain, including those belonging to innocent third parties.
Granted, the bill is just in draft form now. As such, much of the language is vague.
Another example of wording that could use fine-tuning is the exception for physical injury. That’s a good start, Chesney said, but defensive attacks could cause other kinds of harm, such as financial loss. Innocent parties could also be harmed if their personal details or sensitive information were doxxed, which at a minimum could lead to embarrassment.
Are the risks worth whatever benefits might be gained? It’s hard to say at this point. That’s why Chesney has recommended oversight and data-gathering if the bill goes into effect, as well as a sunset clause after a year or two.
After that, we’d have some actual experience with which to judge hack-back in practice. At this point, it’s all too vague, though it is a good start, he said.