Hacking back is a perennial and contentious issue. Its latest instance comes in the form of a ‘Discussion Draft’ bill proposed by Representative Tom Graves (R-GA): The Active Cyber Defense Certainty Act. Graves claims it is gaining bipartisan support, and he expects to present it to the House of Representatives for vote within the next few months.
The Draft Bill (PDF) is an amendment to the Computer Fraud and Abuse Act (CFAA). The CFAA is a deterrent to hacking through potentially severe sanctions; but it has not been effective in preventing cybercrime, and it has made hacking back illegal. The new bill would remove those parts of the CFAA that effectively prevent private business from taking their own action against hackers: “It is a defense to a prosecution under this section that the conduct constituting the offense was an active cyber defense measure.”
Noticeably, the bill uses the term ‘active cyber defense’ throughout, and never once mentions the term ‘hacking back’. Active cyber defense is defined by SANS as “The process of analysts monitoring for, responding to, and learning from adversaries internal to the network.” It is discussed in detail and expanded in the study titled Into the Grey Zone: The Private Sector and Active Defense against Cyber Threats published by the George Washington University in October 2016.
The George Washington University report warns, “Today, when active defense is discussed, too often the discussion shifts to ‘hacking back’ — offensive cyber measures that are beyond the scope of what we define as permissible activity in this report.” This has clearly happened with the Graves proposal: it conflates active defense with hacking back.
The proposed Act will provide a CFAA defense when a ‘victim’ organization responds in a manner “consisting of accessing without authorization the computer of the attacker to the victim’s own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network.”
This is limited by a requirement not to destroy information, not to cause physical injury, and not to create a threat to public health or safety. Nevertheless, it fundamentally gives victim organizations the right to access the attackers’ computer without authorization… to disrupt the hackers’ action — and this is hacking back.
Hacking back already happens under limited circumstances. Law enforcement does it, and often uses the expertise of security firms to help.
“To a limited extent,” comments security researcher David Harley, “this Act would formalize a cooperative framework that already exists between security companies and law enforcement agencies.” This relationship gives law enforcement security expertise and capacity, while offering some legal protection to the security firms.
But, he adds, “I would have to worry about a framework that extended this protection to companies that don’t often have that expertise and may be motivated to misuse that protection for competitive advantage… Apart from the ethical issues, I suspect that the quality of those investigations might in many cases be severely compromised.”
So, two immediate problems with allowing hacking back is that a lack of expertise could either compromise forensic evidence, or accidentally cause actual harm to the attackers’ supposed computers. Without adequate expertise, the supposed servers might not even be the attackers’ servers. “Because of (compromised) proxies,” comments F-Secure’s security advisor Sean Sullivan, “hacking back/active defense is complicated and it’s quite unlikely that the US Congress would be able to properly define what should be allowed or not.”
The Graves proposal makes some attempt at this. It defines the attacker as “a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.” The use of ‘intrusion’ would seem to exclude private companies from seeking to takedown botnets delivering a DDoS attack, where actual intrusion is rare. But it is not at all clear what ‘persistent’ would mean in a court of law.
The FBI’s official position, for now at least, is that it should not be done. FBI Director James Comey said on March 8 this year, “Don’t do it; it’s a crime. It’s not only against the law but it runs the risk of tremendous confusion in a crowded space.” Comey’s preference would be for more consistent reporting of cybercrime to the FBI.
The reality, however, is the right to hack back is a concept that will not go away.
Luis Corrons, technical director at PandaLabs, fears that the whole issue is too complex and context-sensitive for law; and would prefer greater use of common sense. “Having laws that consider each particular case is unviable, and common sense should be applied. Cybercriminals are not going to present charges if you break into their server and make a copy of the key to unencrypt your data. And no Law Enforcement agency should go after you for that if nobody is reporting it. However, that data might be in a compromised server, and the way to get into it could cause problems within it, causing the owner of that server to contact law enforcement for the disruption caused.”
In a sense, Corrons’ solution is that the authorities should simply turn a blind eye to hacking back that causes zero collateral damage; and that private industry needs to take responsibility for any collateral damage it causes.