On Monday, the Financial Times published a story concerning a proposed bill form Representative Tom Graves, a Republican from Georgia's 14th district.
Graves has proposed changing the Computer Fraud and Abuse Act (CFAA) to allow organizations to fight back when being attacked online. But is this a smart, or even workable solution for enterprise operations?
Graves' proposal, the Active Cyber Defense Certainty Act (ACDC) was introduced in March of this year. The two-page draft has left some legal and security experts Thunderstruck, because 'hacking back' is a slippery slope that has more cons than pros.
According to Graves, the bill will alter the CFAA in order to allow the use of "limited defensive measures that exceed the boundaries of one's network in an attempt to identify and stop attackers."
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault. While the bill doesn’t solve every problem, it's an important first step," Graves said.
Salted Hash consulted legal experts and security managers for their take on the topic. On the legal side, experts said the draft (as it stands) is vague and lacks teeth. For example, a victim is defined as an "entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer."
So, what counts as persistent? Does the usage of the word intrusion exclude DDoS attacks and Phishing as offenses that an entity can respond to?
We were then directed to a post published earlier this year by Lawfare contributor Robert Chesney. The post talks about the proposed bill and some of the legal challenges it presents. It's a solid primer for those wishing to understand some of the legal context.
The security experts Salted Hash consulted were against 'hack back' scenarios in any shape or form. Not only because they lack the resources to mount such an effort, but because the legal risks are not worth the effort.
So why is all of this back in the news?
After the person(s) responsible for WannaCry did their dirty deed earlier this month, (dirt cheap too, as the Bitcoin wallets used for ransom payments are still sitting untouched), Graves said his bill, if it were passed already, would've "had a positive impact potentially preventing the spread to individuals throughout the U.S."
“Our proposal is to empower individuals and companies to fight back basically and defend themselves during a cyberattack," Graves added.
That isn't exactly true. The spread of WannaCry was slowed because a researcher located the kill switch and activated it. Even then, a 'hack back' law would not have addressed the reason the Ransomware was able to spread in the first place, and worse, such a law could've had damning consequences, as many of the attacking systems were victim's themselves.
Would Graves' proposal address missing patches, and policy issues that leave an entity exposed to attack? As the draft stands now, it doesn't, and that's a big deal. Victim blaming doesn't really help, but at the same time, ignoring the basics (e.g. patches, compensating controls) isn't helping either.
The draft released in March is being rewritten to include some additional safeguards, including law enforcement notification if they choose to 'hack back'.
The larger problem though, is that if an organization can't protect its own data, how are they going to launch an accurate and meaningful counteroffensive?
For more on Active Defense, the Center for Cyber & Homeland Security published a report on the topic last October.