This Bill Would Make Revenge Hacking Legal
The Active Cyber Defense Certainty Act, proposed by a GOP congressman, appears to contemplate hacker-versus-hacker gladiatorial combat—and that has security experts concerned.
Call it a Stand Your Ground law for cyberspace. A Republican congressman is floating a bill that would make it legal for victims of hacker intrusions to hack back against the attacker, the first move to legalize any form of computer intrusion since the federal Computer Fraud and Abuse Act was enacted in 1986.
As drafted by Rep. Tom Graves (R-GA), the Active Cyber Defense Certainty Act (AC/DC) would exempt from prosecution “those taking active cyber defense measures” by hacking into intruders’ machines. It would also allow victims to penetrate the computers of other hacking victims for “reconnaissance” purposes while tracing an attack to its source. The proposal revises a broader draft Graves released in March, which drew derision from security experts. “These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,” said Graves in a statement.
“I think it’s a good start,” said security expert Tim Mullen, an early proponent of legalized counter-hacks, though he added that the draft still provides too little guidance for defenders. “Say I’m being attacked by someone, and I need to take matters into my own hands… You have to make decisions very quickly. Who gets to say what I can do to the guy? Do I blow his machine out of the water? Do I take his information?”
The proposed bill comes on the heels of the viral WannaCry ransomware outbreak, which rapidly infected upward of 400,000 Windows machines in 150 countries, before a U.K. security researcher stumbled on a built-in kill switch that effectively neutered the attack. Security experts at Google, Symantec, and Kaspersky have since uncovered forensic indicators that the government of North Korea might have been behind the attack.
AC/DC sets out some limits on hacking back. To claim the exemption, the counter-attacker would have to be careful not to destroy data, either the hacker’s or a third parties’, and could not take action that physically injures anyone or threatens “public health or safety.” Unlike the first draft, the new bill also makes clear that revenge is not a lawful motive for hacking a hacker. A victim can counter-hack only to gather information about the hacker or her techniques, stop an ongoing attack against the victim, or to help out local or federal police by identifying the hacker—a provision that effectively deputizes every hack victim to steal data the feds would need a search warrant to obtain.
Despite Graves’ do-over, most security experts who’ve voiced an opinion hold substantially the same reservations about the new draft as the old.
“It’s not really clear what the hell it wants to do,” said Eva Galperin, director of cybersecurity at EFF. “There’s nothing about this bill that would have allowed people to stop WannaCry or the Sony hack… Giving users a license to go break into other people’s systems because they think they might be attacking them is incredibly dangerous.”
Galperin spends much of her time tracking down nation-state hackers who’ve targeted activists and journalists, and she says that nothing in the bill would make that work any easier. “I’ve managed to do attribution for many years without violating the Computer Fraud and Abuse Act,” she said.
Because hackers usually route their attacks through a chain of compromised machines, much of the concern over the bill focuses on innocent third parties.
“If your counterattack disrupts or wipes data on someone else’s computer, then how are you any better than the people who attacked you?” writes veteran security analyst Graham Cluley.
Still, some in the security business welcome the effort from Congress.
Proofpoint executive Ryan Kalember says some sophisticated security defenders are already using tactics that would be legalized by AC/DC. “Most organizations should not even consider hacking back or undertaking offensive countermeasures,” he said. But “this act represents progress toward putting a legal framework around actions that many of the more sophisticated defenders already take in certain scenarios.”
And while the proposal has met with open mockery from much of the security community, it hasn’t spawned the backlash that Mullen, now a consultant for Charleston-based Stasmayer, felt 15 years ago when he addressed his peers at the Black Hat conference in Las Vegas to propose that counter-hacking be added to the security defender’s tool belt.
Reacting to two of the worst internet outbreaks of that era, Mullen argued for a more proactive counter-attack strategy: Every network’s automated defenses, he said, could be programmed to identify the security hole being exploited in an attack, then use the same hole to hack into the machines propagating the malware, purge the offending code, and patch the vulnerability. “Mine was an answer to the problem of globally propagating worms” like WannaCry, said Mullen.
Mullen’s suggestion prompted a bruising backlash over some of the same points now raised about Graves’ proposals. “They not only called me names, they were, like, ‘Try it on my box and see what happens, buddy,’” recalled Mullen. Today he says his plan was modest compared to the AC/DC bill, which seems to contemplate hacker-versus-hacker gladiatorial combat. “I was responding to a process on the machine,” he said. “When you’re dealing with a person who happens to be using the machine as an attack tool, you’re in a whole different realm.”
“This legislation seems to pave the way for me gain unauthorized access to any intermediate computer, as long as I don’t take the box out,” Mullen said. “That language needs to be cleaned up.”
Markus Jakobsson, chief scientist at Agari, sees another problem with the bill: too much red tape. In an attempt to counter some of the criticism over the first draft, Graves added a requirement that would-be counter-hackers register their intent with an FBI task force before suiting up for combat. “Whoever is receiving that reporting would be inundated,” said Jakobsson. “And if we have to report on all these tiny things, any act of keeping yourself or your company safe will result in overwhelming reporting requirements, and frankly nobody will benefit from that.”
“This is an important issue to address,” Jakobsson said. But “if it isn’t well thought out and very carefully written… the results could be horrible.”