Representative Tom Graves (R-GA) released federal cybersecurity legislation in February 2017 (with updates in May) called the “Active Cyber Defense Certainty Act,” or ACDC. It’s intended to make it legal for victims of hacking attacks to “hack back” as a means of defense.
To qualify for the provisions in the bill, that rolls back measures in the Computer Fraud and Abuse Act (CFAA), there are a few conditions that would have to be satisfied. The threat would have to be a persistent threat; if the threat activity had already taken place and the threat was no longer present, you couldn’t hack back. But if still present, the victim can undertake activities to gain access to the attacker’s network(s) and computer(s) to gather information to establish attribution of criminal activity to share with law enforcement. The provisos are that the hack back may not destroy the information stored on systems of another, cause physical or financial injury to another, create a threat to public health and safety, and may not exceed reconnaissance activities on intermediary computers.
It’s an interesting proposition. While it conjures up colorful imagery in one’s imagination, such as a cyber action thriller where our protagonist lashes back at the threat actor or group, the reality would be much less entertaining, if possibly equally dramatic.
Consider first that, unless the environment is very well monitored, threat actors are rarely caught in the initial act. According to the Ponemon Institute’s report on breach costs in the U.S. for 2016, the mean time to detect and identify a corporate breach in 2016 was 191 days. In the same report, the mean time to contain a breach was 58 more days. Also, consider that it is difficult and sometimes impossible, to be able to tell exactly where the attacks originate. For instance, hackers will jump from server to server, creating a chain of connections, with only the last one opening a connection into the intended victim’s network. This is one way to obscure the attacker’s actual location. If you attacked and hacked back that last server, it would be another one of the hacker’s victims, not the hacker themselves.
Most compelling is speculation about what techniques victims would employ to hack back. Would the victims avail themselves of hacker toolsets, marketed illegally? That would expose the victims to risk, such as the recent story of a group of cybersecurity researchers that started a crowdfunding campaign to raise $25,000 to purchase Shadow Brokers’ exploits. The crowdfunding hacktivists intended to use the exploits to notify vendors of their vulnerabilities in advance of the exploits hitting the underground market. But, they cancelled their campaign upon realizing the legal problems they would encounter if they bought stolen exploits and hacks from a criminal organization – of note is that Shadow Brokers recently sold the stolen NSA exploit that led to the WannaCry ransomware outbreak of May 2017.
Given the market that such a bill would create, i.e., legalized hacking by demonstrated victims, the threat landscape would change dramatically. Lacking resources to hack back themselves, a market would be created for Hack Back As A Service (HBaaS perhaps). Who could or would legally provide such a service? Would laws be further changed to allow the marketing and sale of legal hacking toolkits? It doesn’t seem very feasible, as countermeasures for known functionality would certainly follow.
ACDC doesn’t look like a reasonable, practical or sustainable effort and it seems like it can create lots of uncertainty and confusion.
Who will determine that the threat is persistent? How can it control the length of the “hack back” and its impacts? From a corporate perspective, it’s better to close vulnerability gaps, raise security awareness, monitor main security events, manage your attack surface, and keep up with a changing threat landscape. What do you think of this proposed ACDC Cyber legislation?