The Active Cyber Defense Certainty Act seeks to “…provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes”. The [draft] bill seems well-intentioned but overly ambiguous, leaving a lot of room for abuse (and “for other purposes” is vague on its face). We’ve written about the idea of ‘hacking back’ here before and won’t rehash all of that, but we do want to note a few concerns specific to this [draft] bill.
What does the bill allow, active defense or ‘hacking back’ (they’re different things)? The title suggests ‘active defense’, but the body of the bill states “…consisting of accessing without authorization the computer of the attacker to the victim’s own network…”, which is very different from simply putting up honeypots or other stumbling blocks to frustrate a would-be attacker (i.e., active defense). Using the analogy of the robber in your house, active defense would be adding deadbolts, alarms, mantraps or an armed guard to prevent the robber from making entry. The bill seems to authorize hunting down the attacker after the fact (though you aren’t allowed to cause any harm). What’s more, the bill states that the ‘hacking back’ can be “…undertaken by, or at the direction of, a victim…”, so if you weren’t comfortable hunting down the robber yourself, you could hire someone (a digital hitman?) to do it for you. It also states that the victim can “…disrupt continued unauthorized activity against the victim’s own network…” as long as you don’t destroy the information stored on the computer, cause physical injury to another person or create a threat to the public health or safety, which leaves a LOT on the table as far as what can be done.
How would the law be applied? Some legal questions. What constitutes a victim? The bill defines a victim as “…an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer…”. What constitutes an attacker? The bill defines an attacker as “…a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer…”. If a victim a) does detect the attack, b) is able to find the actual attacker and c) finds evidence that can provide clear attribution, how does that victim collect the evidence in a way that creates and preserves a chain of custody that, when handed to law enforcement, will hold up in court? How will the hacking back not be considered a violation of the alleged attacker’s Fourth Amendment rights (will the victim be required to get a warrant, signed by a judge, before they are able to ‘hack back’)? What happens when the attacker isn’t a domestic entity?
Tit for tat? What happens if the victim is wrong and the person they ‘hack back’ isn’t the actual attacker? Do the tables then turn, allowing the originally accused attacker (now the victim) to attack the original victim and, if so, would the original attacker (now victim) be afforded the same legal protections as the original victim was?
What qualifies a victim to ‘hack back’? The majority of our business is ‘hacking’ organizations to help them understand where they are weak and how an attacker could exploit that weakness to breach the organization. While on engagements, we routinely find things like woefully outdated software (still lots of Windows XP and Server 2003 out there), weak or non-existent password policies, poor segmentation (guest wifi connected directly to the production / internal LAN), and no disaster recovery plan (who needs backups?). These are often ‘managed’ networks, run by people who *should know better*. In the event one of these ‘managed’ networks were breached, who would do the ‘hack back’? The client, which outsourced the management of the network? The service provider that overlooked the vulnerabilities that led to the breach? (If the service provider notified the client and the client decided that the cost of mitigation was greater than the risk and declined, that’s another story altogether.)
I believe that it’s a good thing that our legislators have this on the radar, but I have some concerns that we’re teetering on a ‘blind leading the blind’ condition where decisions (and laws) are made by people who do not understand the matter at hand and are making decisions (and laws) that serve a political end rather than anything else (Yes, Bob, you’re completely free to hack back against the company you claim has hacked you but which is also your competitor and may be getting ready to release a game-changing new product). Kudos for putting it out there, but please work with folks in the industry before opening Pandora’s box.
Misc / Errata
- Draft Bill – https://tomgraves.house.gov/uploadedfiles/discussion_draft_ac-dc_act.pdf
- ThreatPost Article – https://threatpost.com/active-defense-bill-raises-concerns-of-potential-consequences/124112/
- The Hacker News Article – http://thehackernews.com/2017/03/hacking-back-hackers.html
- Previous Hacking Back article – https://www.piratica.us/index.php/2016/11/03/hacking-back-defend-attacks-good-idea-pandoras-box/