The trend of bolstering the cyber-grid in Washington and promoting related legislation has reached an important step on Capitol Hill, and has the potential for substantial consequences for the industry.
A bill designed to allow victims of online hacking to take retaliatory steps against criminals, or “hack back” has received a host of new, bipartisan co-sponsors. According to reports, the representatives now on board include sponsors from both sides of the aisle: Reps. Buddy Carter (R-Ga.), Henry Cuellar (D-Texas), Trey Gowdy (R-S.C.), Walter Jones (R-N.C), Barry Loudermilk (R-Ga.), Stephanie Murphy (D-Fla.) and Austin Scott (R-Ga.).
The Active Cyber Defense Certainty (ACDC) Act was originally proposed by Reps. Tom Graves (R-Ga.) in mid-October and has slowly been drawing additional backing. Essentially, the law would allow companies, under certain delineated circumstances, to enter the domain from which an attack emanated without authorization in order to ascertain the identity and other details of the culprits. This would, in theory, increase the rate of convictions, give victims a better way of regaining damages, and also provide a deterrent against hackers in the first place.
Influenced by the string of serious cyber attacks experienced by the world over the past year (which have only increased in severity in recent months), the bill, while appearing as a way of empowering victims, may open a proverbial Pandora’s box of implications for the cyber arena.
Self-defense in the cyber realm is not as straightforward as it is in the real world. It’s very difficult to punch back at the wrong person when being attacked in the street. When it comes to cyber on the other hand, attribution is one of, if not the, largest challenges when it comes to dealing with the aftermath of an attack. A company “entering another domain” (i.e. hacking) in response to an attack can easily lead to a mistargeting of an innocent third party.
The drafters of the bill were not unaware of this. In fact, the bill requires that a company coordinate with the FBI before launching their retaliation.
This measure hasn’t pacified the community of experts, and the hacking community has always been skeptical, to say the least, of any hack-back legislation. Many have correctly pointed out that the very nature of some of the most devastating attacks are designed to capitalize on the servers and machines of sometimes thousands of unknowing victims, who end up passively participating in the attacks. The recent WannaCry epidemic in May, which we are still learning more about today over five months later, serves as a stark example. The result of all of the companies and individuals affected by such an attack, immediately turning on the multitude of servers that had unknowingly participated in it, may be worse in some cases than the attack itself. Ironically, Graves has brought up WannaCry as an example of an attack that could have been prevented by his bill.
Another consequence of ACDC that will almost certainly transpire if the bill becomes law, is the development of a hacker mercenary industry of sorts; guns for hire that will perform penetration services in the event of a hack. As a researcher heavily involved in the world of cyber, this author can testify that many such service providers already exist, not just in the criminal world, but under the guise of legitimate “investigators” that will provide “follow-up forensics” after a hack is committed.
While there are many issues to deal with in addressing the aftermath of cyber attacks, it is incumbent on lawmakers to consider what would result from legislation that essentially legalizes some forms of cyber attacks.
