Is hacking back legal? There is a heated debate about the concept of active defense. What about the Active Cyber Defense Certainty (ACDC) Act?
At a time when attribution of cyber crimes is all but impossible, the idea of allowing companies to ‘hack back’ at their attackers seems far-fetched. However, Tom Graves (R-GA) has introduced an amendment to the Active Cyber Defense Certainty (ACDC) Act which would shield companies from criminal prosecution if they attempt to actively hack back at their attackers. To receive this protection, victim companies must notify the FBI National Cyber Investigation Joint Task Force with:
- details of how they were harmed,
- how they will protect evidence of the initial cyber intrusion, and
- how they intend to avoid harm to uninvolved third parties’ systems.
Problem #1: Attribution
In the early days of denial-of-service (DoS) protection, it was a common defense to drop all traffic originating from the attacking network. However, it is not difficult to disguise the source of such an attack so that an innocent third party ends up being impacted. For example, Company A and Company B regularly do business. All of a sudden the bad guys send a flood of traffic against Company B’s firewall that looks like it came from Company A. Company B’s firewall blocks all traffic from Company A as expected; however, this also stops legitimate traffic from moving between the two companies. It was quickly determined that this type of defense is worse than the initial DoS attack and we have moved on to other techniques.
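The Company A / Company B scenario can be made concrete with a short added example (not from the original article). It compares the naive "block the attacking network" rule with one possible more cautious policy that only blocks sources whose connections were actually established; the addresses, threshold, flow-record format and handshake flag are all constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample values using documentation address ranges (RFC 5737).
PARTNER_NETS = [ip_network("198.51.100.0/24")]  # "Company A" (assumed)
THRESHOLD = 100                                 # packets per window (assumed)

# Constructed flow records: (claimed source IP, packets, handshake completed?)
FLOWS = [
    ("198.51.100.10", 500, False),  # spoofed flood claiming to be Company A
    ("198.51.100.20", 40, True),    # legitimate Company A business traffic
    ("203.0.113.7", 900, True),     # abusive client with real connections
]

def naive_block(flows):
    """Early policy: block every /24 whose claimed traffic exceeds the threshold."""
    per_net = Counter()
    for src, pkts, _ in flows:
        per_net[ip_network(f"{src}/24", strict=False)] += pkts
    return {net for net, total in per_net.items() if total > THRESHOLD}

def partner_cut_off(blocked, partners=PARTNER_NETS):
    """True if a block list would sever a business partner's network."""
    return any(p.overlaps(net) for p in partners for net in blocked)

def cautious_policy(flows, partners=PARTNER_NETS):
    """Treat a source address as evidence only when the TCP handshake
    completed; a blindly spoofed source never sees the SYN-ACK."""
    verified, unverified = Counter(), Counter()
    for src, pkts, handshake_ok in flows:
        (verified if handshake_ok else unverified)[ip_address(src)] += pkts
    actions = {}
    for src in set(verified) | set(unverified):
        is_partner = any(src in net for net in partners)
        if verified[src] > THRESHOLD:
            # Partners are escalated to a human instead of auto-blocked.
            actions[str(src)] = "review" if is_partner else "block"
        elif unverified[src] > THRESHOLD:
            # The claimed source proves nothing: throttle, do not attribute.
            actions[str(src)] = "rate_limit"
    return actions

if __name__ == "__main__":
    blocked = naive_block(FLOWS)
    print("naive block list:", sorted(map(str, blocked)))
    print("partner cut off:", partner_cut_off(blocked))
    print("cautious actions:", cautious_policy(FLOWS))
```

The naive rule cuts off Company A on the strength of a forged source address, while the cautious policy leaves its legitimate traffic untouched.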
Now suppose this isn’t simple DoS traffic, but the appearance that Company A hacked Company B. If Company B turns around and hacks Company A in retaliation, where does the liability lie? There is nothing in the amendment that requires the victim to provide justification or evidence for the attribution. We have seen time after time that attribution is very difficult to achieve on the Internet. When Sony was compromised in 2014, it was commonly thought that North Korea was behind the hack; however, years later, with the resources of several governments supporting the efforts, attribution is still not definitive.
“Ordinarily, you could determine who the attacker was by the weaponry. When you saw a tank driving down your street, you knew the military was involved because only the military could afford tanks. Cyberspace is different. In cyberspace, technology is broadly spreading its capability, and everyone is using the same weaponry: hackers, criminals, politically motivated hacktivists, national spies, militaries, even the potential cyberterrorist.” said Bruce Schneier in 2015.
If they can’t figure it out for certain, why do you think you could? Are your company’s resources more capable than a government’s and several top Incident Response firms?
Problem #2: Scale of Resources
Speaking of resources, you don’t have enough. Consider the scenario: you have already been hacked, you are known to be vulnerable and the bad guys are not afraid to attack. Just because you are wearing a bear suit, does it seem reasonable to poke a bear in the eye? Maybe you identified and patched the hole the bad guys exploited. Are you confident there are no other vulnerabilities? Your team is constrained by ethics, budget, competing priorities with other tasks, etc. The bad guys have no ethical constraints and access to overwhelming malware-as-a-service options that you cannot hope to compete with. Look at the statistics for botnets and you quickly realize the bad guys are simply better equipped. It is unfortunate, but attack capabilities on the Internet are asymmetrical and you are on the wrong end of the equation.
Problem #3: Freedom from Prosecution Isn’t Freedom From Liability
The ACDC Act promises “defense to prosecution for fraud and related activity” but nothing is said about civil liabilities. Imagine the bad guys compromised a shared server hosted with a cloud provider and used it to attack the victim. The victim turns around, counter-attacks the shared server and impacts a number of innocent companies’ operations. Do these innocent 3rd parties get to sue for damages? From their perspective they were hacked; do they get to hack back against the initial victim company? “[What] If the third party doesn’t suffer direct damages, but they are subject to data breach notification requirements, would the hacking by the victim result in a situation requiring notification?”
Problem #4: What Is The Point?
Cyber attacks often feel very personal, and I understand the desire to strike back at the person who wronged you. But what do you expect to achieve? If you lost data in a ransomware attack, it doesn’t magically come back after you attack your opponent — assuming you can even identify them. From your shareholders’ perspective: you still don’t have the data, and you lost additional time and money. Maybe it was Personally Identifiable Information (PII) that was “stolen.” Unlike real world theft, you likely still have the original data and the attackers have a copy. If you were able to miraculously identify the bad guys, AND break into their systems, AND “retrieve” the stolen PII, you probably only have a third copy of the data. The bad guys could still have their copy of it, if only in a backup somewhere. The ongoing challenge of digital theft is that there is no loss of use making damages difficult to assess.
We currently rely on law enforcement and governments for satisfaction following a cyber attack, but they have had very limited success. The idea of vigilante justice for cyber attacks is appealing because nothing else has worked, but if large government organizations are unable to succeed why would we expect individual companies to fare better? It isn’t clear what benefit a victim company would see by hacking back, and it is even more uncertain what happens if the counter-attack impacts an innocent 3rd party. What is certain is that the amendment raises a lot of questions and that a company’s shareholders likely do understand the implications well enough to recommend taking this type of action.
Yacin Nadji, an analyst at Georgia Tech’s Institute for Information Security and Privacy, said companies may not be equipped to perform an “active cyber retaliation effort”.
“Personally, I think a more prudent course is to improve the ability for LEO (law enforcement officers) to do their job well. This includes research in automated attribution, estimating financial damages incurred from compromises, and speeding up the process of seizing machines when they are implicated in cyber crime. As it stands, open-ended laws permitting “hack backs” may only complicate matters in the long run.” said Yacin Nadji.