Are the ‘Hack Back’ Laws Being Proposed by Congress a Good Idea?
Back in October 2017, U.S. Congressman Tom Graves spearheaded a modification of the Active Cyber Defense Certainty (ACDC) Act (PDF), which allows companies to “hack back” against hackers in an effort to identify and stop cyberattacks. In theory, the concept makes sense – in sports for example, defense doesn’t win championships, offense does. Responding to your attackers, or ‘taking them out’ in some cases, could be an effective way to get ahead of potential threats. However, discussions around hacking back in Congress today rely on analogies that are too simple and use examples focused on physical self-defense that fail to capture the true nature of online interactions.
One of the core ideas in this, and similar, proposals is to ensure that the “hack back” does not impact any innocent third parties. In Graves’ proposed law, Active Cyber Defense is only allowed against “a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer,” otherwise it would be considered criminal hacking.
One issue raised by this idea is the need to be able to determine whether a given system belongs to the attacker or whether the hacker is controlling a system belonging to someone else.
Another issue is that it is not clear what would constitute a “persistent unauthorized intrusion.” Could logging into a site while violating its terms of service count, say by using a false name? Depending on how this is interpreted, it could create massive opportunities for abuse and make numerous innocuous users subject to active hacking.
An interesting idea floated in this bill is to allow companies to create a kind of cyber poison pill. They could place a file that identifies the attacker, or takes other actions, but only after the file has been stolen and placed on some other system. If the poison pill can only be acquired by hacking into a system, it would at least ensure that the subject of the pill was up to no good. It would not guarantee that it ran on the hacker’s own computer however. Many smart attackers would examine their stolen files while they are on some compromised third-party server.
Further complicating the situation, many companies may be unwilling to risk taking active countermeasures at all because a single slip could put them on the wrong side of the law. For example, the protection could be lost entirely if there is any damage to systems, data or functional impairment of the target computers. And exposure to criminal prosecution is not the only risk. Most of these kinds of proposals provide no protection from lawsuits. An injured third party could claim damages that could exceed the direct impact of the original hack.
Any analysis of “hack back” or active defense needs to look beyond the borders of the United States. Other countries will probably adopt similar laws with varying restrictions. Defensive actions will inevitably cross national boundaries and attackers will leverage servers in locations with laws most favorable to them. This will make it even more difficult for organizations to target attackers as they will be forced to comply with constraints unique to each country across the globe. This could also create international incidents with US companies being seen to attack servers in other countries.
While the frustration of organizations only being able to use defensive measures to combat threats is evident, few are willing to accept the possible repercussions of a misstep when going on the offensive or even possess the skills required to do so safely and effectively. I suspect that the result of any such legislation will be for attackers to become more sophisticated in their use of anonymity, false flags, and regulatory arbitrage, leaving the playing field largely unchanged.