Is proposed US ‘hacking back’ law really going to help?

Heavy metal bands can be a great source of vengeance lyrics so it may be no coincidence that the acronym for the proposed US law on hacking back hackers is actually ACDC. The Active Cyber Defense Certainty Act proposes that limited retaliatory strikes against hackers that attack them will be legal. Seventies rockers AC/DC on the other hand wrote a song called Inject the Venom, with the lyrics, “No mercy for the bad if they need it, No mercy from me. …” and so on. Clearly whoever came up with the name for the hacking back act has a sense of humour, if not a sense of clarity.

ACDC, the Bill not the band, will amend the Computer Fraud and Abuse Act (CFAA) of 1986. Its aim is to give individuals and businesses legal authority to go beyond their own networks to disrupt cyber-attacks, retrieve and destroy stolen files, monitor the behaviour of an attacker and deploy beaconing technology to trace the hacker’s location.

US congressman Tom Graves, one of the original sponsors of the bill, recently wrote that “although ACDC allows a more active role in cyber defense, it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.”

That’s a tough one to police. David Monahan, managing research director of Security and Risk Management at Enterprise Management Associates puts it more succinctly: “This is going to be bedlam,” he says.

So, will the legislation really help companies retrieve stolen data?

“Though some aspects of a hack are like a fingerprint, few, if any, really are,” says Monahan. “Tools, code and methods that are used to help identify who a hacker or hacking group are can be imitated by someone as equally skilled as the “identified” hacker. At the top level, very little digital evidence is irrefutable. The largest issue with attack back is the difficulty in gaining that real attribution. If the hacker is skilled, he or she can jump through multiple countries and shell servers to make it look like he or she came from just about anywhere. Then there are the international politics involved with some cyber-response regardless of if the country is friendly or not. Each has its issues.”

While the bill states that anyone planning a hack back has to inform the FBI’s National Cyber Investigative Joint Task Force, presumably so businesses don’t contravene international law or tread on the toes of an ongoing investigation, it still all seems a bit of a grey area, open to interpretation, costly and potentially dangerous. In reality the bill is giving US businesses a green light to investigate hacking incidents but only within its borders, which sort of seems pointless anyway.

Not that it would stop anyone. Two years ago a poll of security experts resulted in over 80 percent advising against it. What do they know? A fear of escalation and questionable efficacy were sited. Has anything changed to add clarity? A new president perhaps?

Certainly there are concerns around the increased breaches with data being leaked left right and centre with Uber the latest to reveal it was hacked. It suggests current security methodologies are limiting and no doubt businesses are confused and frustrated.

Andrew Bushby, UK director at Fidelis Cybersecurity agrees that many businesses are frustrated and the proposed legislation will only add to the confusion. “It’s very difficult to legislate,” says Bushby, “especially as hacks are often done through stepping stones, bouncing around various networks. We could end up hurting innocent networks and people.”

Interestingly Fidelis recently carried a survey of 500 UK businesses and found that 56.8 percent of respondents believe an offensive security policy is a good idea, while 51.6 percent claim that they have already put in place an offensive policy that enables them to minimise damage after a breach or even retrieve stolen data.

It suggests businesses, in the UK at least, are already taking matters in to their own hands to recover stolen data or even obtain decryption keys from hackers to stop ransomware attacks.

“We’ve found that more organisations feel as though they should have the right to be more offensive against hackers,” says Bushby, “but perhaps the term ‘hack back’ is wrong and it should be ‘proactive retrieval’?”

This of course would fit with Fidelis’s deception technology push—it bought deception tech specialist TopSpin Security in October this year, what Bushby describes as “a managed honeypot inside the estate.”

Bushby likens it to a canary in a coalmine, an early warning system that something is wrong but it’s also a decoy, sending hackers up the wrong path and following them. It can learn their methods and potentially track them too.

Monahan likes the idea. “If deployed properly, deception technology shows how both threats are behaving and can help identify activities that indicate malicious or otherwise dangerous activity. Though it may not detect a skilled administrative insider gone rogue, it will help against just about every other scenario.”

Businesses certainly need to do something more. According to the annual EY Global Information Security Survey (GISS), Cybersecurity regained: preparing to face cyber-attacks (a survey of nearly 1,200 C-level leaders across the globe), only 12 percent say they are likely to detect a sophisticated cyber-attack. While 56 percent are making or planning to make changes to their strategies and plans due to the increased impact of cyber threats, risks and vulnerabilities, 87 percent say they require up to 50 percent more funding to address increased cyber threats.

Bushby adds that sometimes this is where new legislation can help, whether you like it or not. He says that ACDC could actually trigger increased funding in security tools and technology as businesses are made more aware of the potential of proactive security tactics and software. The Bill has now been referred to the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations of the House Judiciary Committee. This one is not going to go quietly.