Hack-back bill would legalize companies hacking their attackers

A couple of years ago, Juan Zarate, a former US deputy national security advisor for counterterrorism during the administration of US President George W. Bush, floated an idea: let’s arm US companies with cyber weaponry so they can hack back against cyberattackers.

Mike Rogers, a former Republican congressman from Michigan and former FBI agent, said at the time that given the plethora of attacks coming from other nations, many businesses would wind up in over their heads in an escalating conflict – a nasty can of worms to open.

Besides, Rogers argued, who says that a given company has the capacity to track down culprits behind an attack? It’s not like all companies are adept at the forensics needed. Sources can be spoofed.

Figuring out the origin of an attack can hinge on subtle clues: what inference should be drawn, for example, in the similarities between the code in the WannaCry ransomware worm and the malware created by Lazarus, a hacking group believed to be linked to North Korea?

Nor is it a given that companies can launch a counter-attack that doesn’t wind up harming a slew of innocents. For example, a hack-back at the vast array of Internet of Things (IoT) devices that got sucked into the Mirai botnet would have seen attacks on home users’ cameras, with the perpetrators left unharmed.

Would we really want to empower an Equifax or a Yahoo, giving them a “cyberwarrant” that would grant private companies license to protect their systems, “to go and destroy data that’s been stolen, or maybe even something more aggressive,” as Zarate suggested?

Their histories of protecting their assets, after all, don’t inspire confidence. Why would we believe they have the ability to competently attack hackers without causing harm?

Rogers:

Some can do it very, very well. Some don’t have a clue of how to do it, but that wouldn’t stop them from [responding] anyway. How do you contain that?

Well, here’s how two legislators have contained the hack-back suggestion: they want to make it the law of the land.

As CNN Money reports, H.R.4036 – formally called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Its backers are US Representatives Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.

ACDC would give a company the go-ahead to take active defensive measures to access an attacker’s computer or network to identify hackers, as well as to find and destroy stolen information. It makes sense to introduce it as an amendment to the CFAA, given that the CFAA outlaws unauthorized access to somebody else’s computer: a big legal hammer that’s found many nails.

ACDC would give authorized individuals and companies the legal authority to leave their network to:

  1. Establish attribution of an attack.
  2. Disrupt cyberattacks without damaging others’ computers.
  3. Retrieve and destroy stolen files.
  4. Monitor the behavior of an attacker.
  5. Utilize beaconing technology.

Will this lead to cyber-vigilantism? Graves says no; he told CNN that the bill is not opening the door to the Wild Cyber West. The horse is already out of the barn: we’re already living in the Wild Cyber West:

We are already dealing with the Wild West and there’s a lot of outlaws out there but we don’t have a sheriff, we don’t have a deputy and all we were asking for is a neighborhood watch.

But just as they did when Zarate brought up the notion two years ago, security experts are warning that the bill could have dire unintended consequences. CNN quotes digital forensics expert Lesley Carhart on the difficulties of determining whether the source of an attack has been spoofed:

In cybercrime and in nation state attacks, there are often lots of attempts to mislead and confuse researchers analyzing the attack timeline or malware. A savvy bad guy could fairly easily emulate an innocent third party, and draw down the wrath of unskilled analysts on them.

And if an attack were in fact coming from, say, North Korea, the ACDC wouldn’t be worth much. That’s because it limits hack-back actions to within the US. It also requires companies to report to the FBI-led National Cyber Investigative Joint Task Force before taking active-defense measures: a measure that “will help federal law enforcement ensure defenders use these tools responsibly.”

OK… so, why not just entrust cyber investigations and countermeasures to the FBI and the Department of Justice (DOJ) to begin with? According to a news release (PDF) from Graves, we can’t – they’re swamped.

While DOJ and the FBI do great work, the number of cyberattacks far exceeds the government’s ability to respond, identify and prosecute criminals.

At any rate, Graves told CNN, whether we like it or not, companies are already hacking back:

Word on the street is many companies are already doing some of these things. They know, you know, and I know that what they are doing is illegal. What we would be doing is bringing clarity to what some might already be doing and what tools might be successful.

In fact, he’s hoping that if the bill passes, it could spark the creation of new tools to protect against hackers.

One security expert likened the bill to the old Biblical law about retaliation: an eye for an eye, a tooth for a tooth. That dates back to Hammurabi, King of Babylon from 1792–1750 BC.

Wise he may have been, but Hammurabi didn’t have to deal with (nor could he have foreseen) the complex issue of figuring out who hacked whom.