Hacking is pervasive and a source of anxiety for nearly every company. Hacked companies facing financial and reputational harm and even regulatory action find themselves in the spotlight with little recourse and often without knowledge of the attacker’s identity. It is understandable that a hacked company would want to "hack back" — proactively investigating an attack, seeking attribution of the attacker, and recovering stolen property.
Current law makes that difficult.
The Computer Fraud and Abuse Act prohibits unauthorized access to a computer, without specifying intent or methodology. Enacted in 1986, the CFAA’s applicability to current technology is unclear, creating a gray area for companies wishing to deploy cyberthreat defense mechanisms outside the perimeter of their own firewalls.
A bipartisan bill formally introduced in Congress Oct. 13 aims to address that gray area by amending the CFAA. Co-sponsored by Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Ariz., the Active Cyber Defense and Certainty Act (H.R. 4036) comes with lofty goals. According to Rep. Graves, ACDC would give “authorized individuals and companies the legal authority to leave their network to:
1) establish attribution of an attack,
2) disrupt cyberattacks without damaging others’ computers,
3) retrieve and destroy stolen files,
4) monitor the behavior of an attacker,
5) and utilize beaconing technology.”
Authority granted under the ACDC extends to any “person or entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer” who takes an “active cyber defense measure” as defined in the statute. The meaning of “persistent unauthorized intrusion” is unclear, though it would logically require a repeated or prolonged intrusion.
The tactics authorized under the ACDC include practices often referred to as “hacking back,” or more broadly as “active defense.” Perhaps the least controversial active defense tactic that would be permitted under the ACDC is the use of beaconing technology, whereby code is attached to data while stored on the authorized party’s system. If the data is stolen, the beacon can allow the authorized party to locate the data. On the opposite end of the active defense spectrum, the ACDC could permit a hacking victim to break into the hacker’s servers and actually destroy stolen data.
Though the ACDC is uniquely bipartisan and has been subject to a lengthy, multidisciplinary discussion and feedback process, the bill has been received with sharp criticism from academics and industry specialists.
Tech journalist Josephine Wolff colorfully condemns the ACDC as the “worst idea in cybersecurity.” As Wolff notes, tactics permitted as active defense mechanisms could easily be misused for nefarious purposes: “Want to go after a competitor? Stage an attack directed at yourself coming from their servers, and then hack back! … Of course, once that company realizes what’s going on, it may decide to take matters into its own hands and indulge in a little active defense directed at you. What could go wrong?”
Even without malicious intent, a lot could go wrong. As Robert Chesney of the University of Texas School of Law noted in his comments to the original discussion draft, “…it is hard to open the door wide enough to make a genuine difference for victims, without opening the door to a host of unintended problems under two big headings: mistaken attribution and unintended collateral impacts.” Joseph Cox’s recent Daily Beast article echoes Chesney’s concern, noting that hackers “often use other people’s computers or servers to launch attacks from. So when the victim of a breach retaliates, they may not be targeting the hacker’s computer, but striking back against an arguably innocent system.”
A less obvious unintended collateral impact arises from the introduction of a voluntary preemptive review process with the FBI National Cyber Investigative Joint Task Force, whereby the FBI could assess measures proposed by private parties wishing to deploy active defense and make recommendations for improvement and compliance.
At first glance, designating the FBI to serve an advisory role sounds promising. Providing for consultation with input from a government body could resolve uncertainty for companies wishing to exercise responsible defense, while also mitigating the risk of more aggressive actors. However, as Kristen Eichensehr of the UCLA School of Law explains, adding the FBI to the process actually creates a new concern under international law. “The FBI’s participation in the review process may trigger the U.S. government’s international legal responsibility for actions of private actors.” Potential consequences range from diplomatic tension to cyberwarfare. “If the United States is responsible for international law violations committed by private actors, then international law permits aggrieved foreign governments to take countermeasures against the United States...”
A bill that could actually inhibit international cooperation, and increase the likelihood of global retaliatory hacking, is not a solution.
The international legal concerns highlight the need for international norms governing the behavior of nation states in cyberspace, but the reality of a Digital Geneva Convention, as proposed by Microsoft President and Chief Legal Officer Brad Smith, remains far off. A bill that could actually inhibit international cooperation and increase the likelihood of global retaliatory hacking is not a solution.
Wolff claims that nearly no one, other than former NSA General Counsel Stewart Baker, wants to see active defense tactics authorized. It may be true that few are advocating for formal policy, but the silence is not for lack of interest. Hacked companies are hacking back anyway, and bearing the risk of prosecution. As Cox reported, “[D]espite being something of an open secret in the information security world, examples of what exactly happens behind the scenes of these [retaliatory] hacking campaigns rarely make their way into the public, stifling the debate on whether this practice should be the norm.”
Further, a GWU Center for Cyber and Homeland Security report recognized the value of a framework for active defense against cyberthreats, prescribing as the first step “for the government to eliminate the legal 'gray areas' by more clearly and explicitly defining which types of techniques fall within the bounds of the law.”
In its present state, ACDC does little to eliminate the grey areas.
ACDC is not a wrapped-up solution, but it is a means of keeping important conversations about cyber defense and international norms going, and in a manner that engages professionals from a variety of disciplines and political leanings. To be sure, ACDC is flawed, but it is certainly not “the worst idea in cybersecurity.”
photo credit: Defence Images Computer Circuit Board via photopin (license)