Rep. Gohmert Wants A Law That Allows Victims To Destroy The Computers Of People Who Hacked Them
from the do-these-people-even-listen-to-themselves? dept
Last week, we talked about concerns over how various cybersecurity provisions would allow those hit by malicious hackers to “hack back” or, as some call it, engage in an “active defense.” There were significant concerns about this, but as Marvin Ammori briefly mentioned in last week’s favorites post, Rep. Louie Gohmert seems to think not only that hacking back is a good idea, but that it should be explicitly allowed under the CFAA (Computer Fraud and Abuse Act). You can see his explicit statements to this effect below, from last week’s House Judiciary Committee hearing on the CFAA. It appears he heard a story about someone installing some malware on a hacker’s computer to get a photograph of them, and has decided “that’s a good thing, that helps you get at the bad guys,” without ever thinking of the very, very long list of dangerous consequences of allowing such things.
Here’s the basic transcript. The really crazy part is where Gohmert says he doesn’t care as long as the hack back is “destroying that hacker’s computer.”
Rep. Gohmert: It’s my understanding that under 18 USC 1030 that it is a criminal violation of law to do anything that helps take control of another computer, even for a moment. Is that your understanding?
Orin Kerr: It depends exactly what you mean by “taking control.” If “taking control” includes gaining access to the computer, assuming a network you’re not supposed to take control of, then yes, that would clearly be prohibited by the statute.
Rep. Gohmert: For example, my understanding is that there was a recent example where someone had inserted malware on their own computer, such that when their computer was hacked and the data downloaded, it took the malware into the hacker’s computer, such that when it was activated, it allowed the person whose computer was hacked to get a picture of the person looking at the screen. So they had the person who did the hacking, and actually did damage to all the data in the computer. Now, some of us would think ‘that’s terrific, that helps you get at the bad guys.’ But my understanding is that since that allowed the hackee to momentarily take over the computer and destroy information in that computer and to see who was using that computer, then actually that person would have been in violation of 18 USC 1030. So I’m wondering if one of the potential helps or solutions for us would be to amend 18 USC 1030 to make an exception such that if the malware or software that allows someone to take over a computer is taking over a hacker’s computer, that it’s not a violation. Perhaps it would be like for what we do for assaultive offenses, you have a self-defense. If this is a part of a self-defense protection system, then it would be a defense that you violated 1030. Anybody see any problems with helping people by amending our criminal code to allow such exceptions or have any suggestions along these lines?
Orin Kerr: Mr. Gohmert, that’s a great question that is very much debated in computer security circles. Because, from what I hear there is a lot of this “hacking back” as they refer to it. But at least under current law, it is mostly illegal to do that…. The real difficulty is in the details. In what circumstances do you allow someone to counterhack, how broadly are they allowed to counterhack, how far can they go? The difficulty, I think, is that once you open that door as a matter of law, it’s something that can be difficult to cabin. So I think if there is such an exception, it should be quite a narrow one to avoid it from becoming the sort of exception that swallows the rule.
Rep. Gohmert: Well, I’m not sure that I would care if it destroyed a hacker’s computer completely. As long as it was confined to that hacker. Are you saying we need to afford the hacker protection so we don’t hurt him too bad?
Orin Kerr: (brief confounded look on his face) Uh… no. The difficulty is that you don’t know who the hacker is. So it might be that you think the hacker is one person, but they’re routing communications… Let’s say, you think you’re being hacked by a French company, or even a company in the United States…
Rep. Gohmert: Oh and it might be the United States Government! And we don’t want to hurt them if they’re snooping on our people. Is that…?
Orin Kerr: No.
Rep. Gohmert: I don’t understand why you’re wanting to be protective of the hacker.
Orin Kerr: The difficulty is first, identifying who is the hacker. You don’t know when someone’s intruding into your network who’s behind it. So all you’ll know is that there’s an IP address that seems to go back to a specific computer. But you won’t know who it is who’s behind the attack. That’s the difficulty.
First off, kudos to Orin Kerr for keeping a (mostly) straight face through that exchange. There are many amazing things about this particular exchange, but the fact that Rep. Gohmert is one of the people in charge of how the CFAA gets reformed, and doesn’t understand these very basic concepts, is immensely troubling. Among the headsmackers in that exchange: the idea that hackers are bad, and not just partially bad, but apparently obviously and totally bad, like out of a movie. Also: that they’re somehow easy to identify, and that a freebie on hackbacks wouldn’t be abused in amazing ways. Further, even though Kerr pretty clearly points out that you can’t automatically track back (and, without saying so directly, clearly implies that hackers would likely shield their identity or fake someone else’s), Gohmert still doesn’t get it and somehow thinks that Kerr is saying we don’t want to allow hackbacks on US government snooping (which, again, Gohmert seems to have no problem with). Yikes. Please do not let people like this near laws that have anything to do with computers. To me, this level of misunderstanding is worse than the whole “series of tubes” garbage from a few years back by Senator Stevens.
I’m sorry, but it seems that if you can’t understand that there isn’t some magic list that says “these hackers are bad, and therefore we should destroy their computers,” I don’t think you should have any role in making laws around this topic.