Amidst growing concern over the occurrence of security breaches at top corporations and government agencies, momentum is growing within the United States to give these victims of hacker attacks a way to “hack back.” First floated back in early 2017, the Active Cyber Defense Certainty Act (ACDC) is back on the table. Rep. Tom Graves (Republican – Georgia) has reintroduced the bill in the U.S. Congress, and has already found bipartisan support for the Active Cyber Defense Bill on both sides of the aisle. The ACDC would give corporations and other hacker victims the green light to move beyond active defense in order to “hack back” and take a more aggressive stance against perpetrators.
Currently, of course, U.S. corporations are forbidden from taking part in any “hack back” initiatives. An existing law, the Computer Fraud and Abuse Act (CFAA), specifically notes that companies cannot engage in any form of digital vigilantism if they feel that they have been the subjects of attack. They are unable to pursue hackers across the Internet, and even the use of “beacons” to track and monitor who has broken into their computer systems would be in violation of the CFAA. Clearly, corporations feel like their hands have been tied, and as foreign hackers have become ever more brazen, they are clearly looking for new ways to protect themselves.
Key provisions of the Active Cyber Defense Bill
Which brings us to where we are today – the current thinking is that the only way to empower corporations so that they can protect themselves is to give them the right to hack back. Thus, the best way to think about the Active Cyber Defense Bill is that it is a way to chip away at some of the more restrictive provisions of the CFAA. For example Section 3 of the Active Cyber Defense Bill would appear to facilitate the use of beacons. If hackers attempt to copy and export any computer code, these beacons would give corporations a way to track and monitor where this code has been used. This would be similar to a bank marking a bag of cash, thereby giving them the opportunity to track down a group of bank robbers by looking for the cash with marked bills.
The Active Cyber Defense Bill also goes into considerable detail about the proper purposes for any active cyber defense measure (ACDM), as well as which types of third-party computer systems would be the proper targets for a “hack back” initiative. As the Active Cyber Defense Bill points out, the proper purposes for an ACDM would be to establish attribution of criminal activity; to disrupt unauthorized activity against a defender’s own network; and to monitor the behavior of attackers in order to develop future intrusion protections. Forbidden purposes of an ACDM would include intentionally destroying someone else’s data or recklessly causing physical injury or financial loss to a third party.
Moreover, the Active Cyber Defense Bill attempts to put safeguards into place by requiring corporations eager to “hack back” to contact law enforcement authorities (e.g. the FBI) in advance and seek guidance about how to proceed. The Active Cyber Defense Bill also mentions that any hack back initiatives should only be carried out by “qualified defenders” and only when corporations have a high degree of confidence in the identity of the hackers.
Concerns about impact of hack back measures
So what could possibly go wrong if corporations across the nation are suddenly taking the law into their own hands, in order to hack back? Cybersecurity experts are more than a little worried about all of the unintended consequences that might result from signing the Active Cyber Defense Bill into law. First and most importantly, most corporations lack the skills and cyber sophistication to take on professional hackers. While a big Silicon Valley company like Google might be able to carry out a hack back attack without causing any unwanted collateral damage, can the same be said for the average Fortune 500 company?
In addition, it is notoriously difficult to establish the true identity of the assailant behind a cyber attack. Even in the case of a major security data breach, it can take weeks to sort things out and positively attribute the source of a major hacking attack. Professional hacker groups are very skilled at using spoofed IP addresses and publicly available third-party tools, as well as using the computer systems of innocent corporations to carry out their attacks. Thus, there is a very real risk that companies that hack back might be hacking back against the wrong people as the result of false flag attacks. Things might escalate very quickly, and lead to a vicious cycle of reprisals.
And, finally, there is the very real risk that giving corporations the right to hack back might soon pit private companies against nation-states such as Russia, China or Iran. What happens, for example, if a major private sector defense company thinks that it has been hacked by China, and decides to hack back? This could have major national security implications if they decide to go after the computer of the attacker.
Setting up norms for active defense
So, if companies should not be hacking back against assailants, what steps should they be taking in the case of stolen data or unauthorized intrusions? The safest option, say cyber security experts, is to promote “active defense” (and similar types of defensive measures) as an alternative to the hack back. With such a defense strategy, companies would focus on monitoring assailants and learning about their attack patterns – but without actually breaking into their computer systems or following them across the Web. Instead, active defense puts a premium on “deep reconnaissance” and close interaction with law enforcement authorities.
The only problem, however, is that there is a large gray area for some forms of active defense. Simply put, even some forms of reconnaissance – such as the use of beacons – could be construed as a hack back. Complicating matters even further, some companies are already engaged in covert forms of defense that might be defined as hacking back. So there is certainly room for some clarification of what constitutes a hack back, and what does not.
Globally, government agencies and private sector players need to agree on certain norms and rules of engagement. Otherwise, the world’s computer systems could be crippled in the event of a false flag attack, or if corporations decide to go toe-to-toe with nation-states. The risk of overactive defenders making mistakes is just too high. As a result, it’s easy to see why the return of the “hack back” bill is already causing so much concern and anxiety in Washington, D.C. Signing the bill into law could usher in a very different era of potentially dangerous cyber defense.