Hack-back legislation: What your security team needs to know

Companies tired of being a virtual punching bag for online cybercriminals and industrial spies may get the legal option to hack back at attackers, at least in a limited way, if a discussion draft of "active defense" legislation under consideration passes muster. 

The bill, known as the Active Cyber Defense Certainty (ACDC) Act, is currently in its second discussion draft, having been introduced in March and then updated in May. Rep. Thomas Graves (R-Georgia) plans to introduce legislation this summer to allow victims to conduct active defense, essentially giving them the power to take limited actions without running afoul of the Computer Fraud and Abuse Act, under which most cybercrimes are prosecuted.

The discussion draft is limited, currently allowing a victim to respond to an attack by accessing the attacker's computer to attempt three things: identify the attacker, stop or disrupt the activity, and monitor the behavior of the attacker. The draft also requires that any victim notify the FBI National Cyber Investigative Joint Task Force (NCI-JTF) before engaging in any of the activities.

So what should security professionals expect? Here are five observations from experts about likely legislation. 

1. The legislation will be very limited

Giving companies exemptions for actions that could be seen as hacking will not be done quickly. Many security professionals have criticized the current bill for being too vague and avoiding important legal issues. 

The draft bill "does not adequately address important questions about how a regulatory or oversight framework for hack back would work to avoid accidental or intentional abuses," said Jen Ellis, vice president of community and public affairs at security firm Rapid7. "Nor is there any explanation of how reparations for unintended harm would be handled. As a result, many leading security experts are strongly advocating against it, including Rapid7’s CEO, Corey Thomas."

2. It would not be a liability shield

The discussion drafts to date have been quite conservative, allowing a very limited form of active defense without giving a liability shield to companies, even if they follow the notification rule and act in good faith. In particular, the bill does not protect the active defender if it causes collateral damage—so it focuses on the consequences and not the intent, Robert Chesney, a law professor and associate dean for academic affairs at the University of Texas School of Law, stated in a post discussing an earlier draft of the bill. Most companies, at least at first, will not likely want to face the risks of something going wrong.

The issue, however, is not necessarily a flaw in the legislation but a problem with the concept of hacking back when the vast majority of information infrastructure is privately owned.

"The catch is that it is hard to open the door wide enough to make a genuine difference for victims without opening the door to a host of unintended problems under two big headings: mistaken attribution and unintended collateral impacts," Chesney wrote. "Put more directly, it is not hard to see how the more aggressive forms of active defense might result in harms to innocent parties." 

3. Most companies will wait for precedents

Those uncertainties will mean that companies will either wait and let other early-adopter firms take the lead, or band together to create an industry group that can develop best practices and mitigate legal risks. Graves' bill leaves much of the discretion over whether a company has earned an exemption from prosecution to the Department of Justice, a provision that does not remove enough uncertainty, said David Aitel, founder and CEO of penetration-testing firm and tool maker Immunity Inc.

"Are we going to decide in court why someone did hacking every time? The answer is no," Aitel said. "So you get this very subjective enforcement regime, which is cheap, because it is super selective in who you prosecute. But it also makes companies hesitant to be the first to do it."

4. The law will likely give rise to private response firms

The lack of legal precedents, likely requirements to document every decision, and the need to pass off risks will make third-party firms the natural choice for performing hack-backs, Aitel said. While he does not see penetration testing firms likely to jump into the market, other major security firms that have offensive capability will likely develop services to conduct government-sanctioned hacking.

"I don't think you ever want to do it in-house," Aitel said. "You would always do it through a licensed third party. You know they are not going to exceed their scope, in the same way you trust a third party to conduct penetration testing without breaking your network."

5. Any law needs to make sense for US—and Russian—companies

Perhaps the best litmus test, however, is whether companies would be comfortable with the activities allowed by an active-defense law if those activities were directed at them by a competitor, Aitel said.

"You have to be okay with a system that you would not mind being used against you," he said. "We could not create one here and then complain that the Russians were doing the same thing."

That means that a transparent system will be crucial, so that the evidence gathering and hacking techniques could be analyzed after the fact.

Graves' office aims to continue to develop the bill, and while it may not pass the first time around, legislation—and the capability for more active defenses—is necessary, said an aide to Graves who spoke to TechBeacon on condition of anonymity.

"The bottom line is that the congressman believes that the status quo is unacceptable," said the aide. "American people and American businesses need the capability to defend themselves online."

Will the legislation move the needle on hacking?

The legislation is a small step that could open a wider range of options for companies, Graves' aide said. In reality, many tech-savvy firms are already gaining intelligence on their attackers through such means, which puts them in legal jeopardy, the aide said.

"There are a limited number of companies that are already doing this, but they are operating in a legal gray area," the aide said. "We want to give them the certainty."

While the issues surrounding hack-back and active defense are complex, recent papers have argued that allowing private firms to pay for investigative services could improve prosecution rates and combat cybercrime and cyber espionage more effectively than current strategies. A task force on the subject, organized by George Washington University's Center for Cyber & Homeland Security, argued that the private sector needs the ability to conduct active defense to protect its own and the United States' interests.

"While the U.S. government will always play an important role in cybersecurity, it lacks the resources to fully defend the private sector in the digital realm," the group stated in a report titled "Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats." "But the current legal and policy environment for companies to defend themselves is ambiguous, making it risky for businesses to utilize active defense tools that may be effective in addressing malicious cyber attacks."

While the report and the discussion draft both use the term active defense, that is widely seen as a euphemism. For the most part, any legislation would be about allowing companies to hack back, said Rapid7's Ellis, who argues that active defense is a better term for companies that take an active role in defending their systems by taking action inside their own networks.

"Generally speaking, active defense activities are already legal," she said. "Hack-back, however, is not—it is a violation of the Computer Fraud and Abuse Act."
