Private enterprises in the US may soon be able to legally take a page from the Old Testament and implement “an eye for an eye” policy when it comes to cyberattacks. Sort of.
Well okay, not really.
In fact, we’re a bit confused about the point of some new legislation aimed at amending the Computer Fraud and Abuse Act in the US—it’s equal parts toothless and reckless.
A discussion draft filed by Rep. Tom Graves (R-Ga.) (a revision of a previous bill) essentially says that victims of a cyberattack can “hack back.” They can, in other words, break into the computer that launched the assault in order to deploy proactive counteroffensive measures and hunt for attribution. They’re calling this “active defense”—which has all of the legitimacy from a terminology standpoint as “re-education” does in autocratic societies.
That said, before IT departments run out and invest in a nice branded set of black hoodies, they should know that there are limits: These efforts can be aimed only at disrupting an attack—they can’t carry out other efforts, like destroying the data on attackers' systems, causing physical or financial injury, or "creating a threat to public health or safety." The fear and loathing will continue to be a one-way street stretching out from the Dark Side.
The bill, dubbed the Active Cyber Defense Certainty Act 2.0 (it just rolls off the tongue, doesn’t it?), would also require organizations to notify law enforcement when they use these so-called active cyber-defense measures.
Yet another provision sunsets the bill after two years—which is probably about as long as it will take most companies to find the talent and funding necessary to build out any sort of competency in this area.
While there’s plenty in there that appears to defang these capabilities to a great extent, with an eye to preventing a free-for-all of mutually assured destruction (or worse, a path to conflict with other nation states), in many ways it’s not restricted nor specific enough, according to Jen Ellis, VP of community and public affairs at Rapid7.
"While the new version of the ACDC Act provides more specificity on what’s being authorized and how, it still does not address the significant challenges that make hack back a bad idea,” she said. “There is no clear framework for ensuring appropriate levels of oversight so that accidental or intentional abuses can be avoided. There is no information on how organizations would ensure they are correctly attributing attacks, and interpreting motivations and actions; as well as limiting the reach and impact of their response. And there is nothing on what recourse should be available for unintended victims of hack back activities. Without meaningfully addressing these issues, any attempt to authorize hack back can only be viewed as reckless. The potential fallout from a hack back misstep could be too severe and far-reaching to authorize the activity without the appropriate oversight."
So it looks like there’s a long way to go before hack back starts looking like something useful or well-conceived. It will be interesting to see how congressional discussions go on this. For now, the collective response seems to be about as positive as the Pope’s face during the Trump meeting.