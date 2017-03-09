Congressman Introduces Bill That Would Allow People And Companies To 'Hack Back' After Attacks
from the a-limited-offensive-weapon-that-can-only-be-raised-as-a-defense dept
Probably not the best idea, but it's something some legislators and private companies have been looking to do for years: hack back. Now there's very, very, very nascent federal legislation in the works that would give hacking victims a chance to jab a stick in the hornet's nest or work on their attribution theories or whatever.
A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack.
Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.
The CFAA amendment [PDF] would (sort of) authorize very limited "hack back" permissions. The powers can only be used for good, so to speak. The attacked party can turn the tables slightly by entering the attacker's systems solely to identify the person or group behind the attack or to disrupt the ongoing intrusion.
What it won't allow is retribution and revenge, which may come as a disappointment to those who have been brutally breached.
(ii) does not include conduct that—
(I) destroys the information stored on a computer of another;
(II) causes physical injury to another person; or
(III) creates a threat to the public health or safety
That may temper the enthusiasm of supporters, but it's best the victims don't stoop to the level of their attackers, if only because the CFAA is already a hideously out-of-date mess that would be helped NOT AT ALL by endorsing the same behavior it criminalizes elsewhere.
The bill is only a "discussion draft" at this point, so by the time it reaches a vote, it may bear little to no resemblance to this embryo of an idea.
While it may be tempting to give private companies the power to hack attackers, there's always the chance mission creep will turn these permissions into violations. A few years ago, the IP Commission suggested it might be a good idea to allow software companies to "hack" computers owned by those suspected of infringement in order to uncover their identities and the location of the purloined software. The commission suggested the deployment of malware -- something more aligned with the FBI's child porn investigation tactics (which themselves have been found to be of dubious legality) than with what's being suggested here.
But this is only a suggestion. There's still a lot of legislative meat to be put on these bones and it's unlikely the same companies who thought it would be a fine idea to deploy malware against suspected pirates have changed their opinion over the last four years.
Rep. Tom Graves is the person behind the bill and had this to say about it -- part of which is pretty much dead on.
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Graves. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”
"Empowering individuals" through federal law can go sideways in a flash. The second half of Graves' statement is better. A conversation does need to take place about responses to security breaches and attacks. But that conversation shouldn't start until those wishing to speak up start doing a much better job locking down their digital valuables. Offense is more fun to play than defense, but defense is where it all should start.
It also should be pointed out this bill is not open season on hackers. It doesn't give companies or individuals explicit permission to hack back, but rather provides them with a defense should they happen to be sued or prosecuted for engaging in this behavior. An affirmative defense is rarely as useful as explicit permission, as anyone who's argued fair use in court can attest. The DOJ has engaged in some very creative readings of the CFAA over the years, and an affirmative defense is only going to go so far in preventing bogus prosecutions.
Reader Comments
Sounds good - until...
For instance, a while back a dam control system was being used as an anonymous proxy to launch penetration attacks against other systems. There was no rDNS to give a clue as to who this was, and the ARIN allocation was for a telecom with no suballocation.
Now, imagine the fun that would happen with a counter hack should they accidentally do something like, oh, command the floodgates to open past the point where the pinions could engage the rack on the mechanics of the gates, thus making it impossible to close them until all the water has been released.
This would first cause uncontrolled flooding, destroying property downstream. Next, since dams are usually there for water impoundment, there would be no drinking or irrigation water, usually for 2 years (the average impoundment reserve).
One of the things I pass time with is just passive network inspection in data centers. I don't probe, just listen to what is present on my own network port. Some of the things you see (generally broadcasts, since switches are not promiscuous - or at least, shouldn't be) are kinda eye-opening. For instance, you can tell a lot about what is around you network-wise just by the ARP broadcasts and the MAC.
It sounds good to be able to "hit back", but target selection is not guaranteed to be safe, thus making it impossible to know if you are causing more damage than the system trying to hack you.
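The passive listening the commenter above describes, as an added example that is not part of the article or the comment: a small Python tool that parses raw Ethernet/ARP frames as they would arrive on a port, builds a host table (MAC, vendor prefix, claimed IPs) without transmitting anything, and flags an IP that is suddenly claimed by a different MAC, which is what ARP spoofing or a misconfigured host looks like on the wire. The frames are constructed inline for the example, and the `OUI` vendor table is a hand-made stand-in for the IEEE registry, not real data; the `build_arp`, `parse_arp`, `PassiveInventory` and `run_inventory` names are this example's own.

```python
"""
Passive ARP inventory: parse Ethernet II + ARP frames seen on a port and build
a host table without sending a single packet. Added example, not code from the
article or its commenters. Sample frames and the OUI table are constructed.
"""
import struct
from dataclasses import dataclass, field

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed vendor prefixes (assumption: a tiny stand-in for the IEEE OUI list).
OUI = {
    "00:1a:2b": "ExampleSwitchCo",
    "00:50:56": "VMware",
    "de:ad:be": "UnknownLab",
}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

@dataclass
class Host:
    mac: str
    vendor: str
    ips: set = field(default_factory=set)
    seen: int = 0

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet II ARP
    frame, or None if the frame is not ARP-over-IPv4 or is truncated."""
    if len(frame) < 14 + 28:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)

class PassiveInventory:
    def __init__(self):
        self.hosts = {}       # mac -> Host
        self.ip_owner = {}    # ip  -> mac that last claimed it
        self.conflicts = []   # (ip, old_mac, new_mac)

    def feed(self, frame: bytes) -> bool:
        """Consume one frame; return True if it was ARP and was recorded."""
        parsed = parse_arp(frame)
        if parsed is None:
            return False
        op, sha, spa, tpa = parsed
        host = self.hosts.setdefault(sha, Host(sha, OUI.get(sha[:8], "unknown")))
        host.seen += 1
        # ARP probes use 0.0.0.0 as sender; that is not an address the host owns.
        if spa != "0.0.0.0":
            host.ips.add(spa)
            prev = self.ip_owner.get(spa)
            if prev is not None and prev != sha:
                # Same IP now claimed by a different MAC: spoofing or re-addressing.
                self.conflicts.append((spa, prev, sha))
            self.ip_owner[spa] = sha
        return True

def build_arp(op, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet II + ARP frame (used only to fabricate sample traffic)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    eth = dst + mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp

# Constructed sample traffic: a gateway, a VM, an ARP probe, then a host
# answering for the gateway's IP, plus one non-ARP (IPv4) frame that is ignored.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "00:1a:2b:00:00:01", "10.0.0.1",  "00:00:00:00:00:00", "10.0.0.50"),
    build_arp(ARP_REPLY,   "00:50:56:aa:bb:cc", "10.0.0.50", "00:1a:2b:00:00:01", "10.0.0.1"),
    build_arp(ARP_REQUEST, "00:50:56:aa:bb:cc", "10.0.0.50", "00:00:00:00:00:00", "10.0.0.7"),
    build_arp(ARP_REQUEST, "de:ad:be:ef:00:01", "0.0.0.0",   "00:00:00:00:00:00", "10.0.0.9"),
    build_arp(ARP_REPLY,   "de:ad:be:ef:00:01", "10.0.0.1",  "00:50:56:aa:bb:cc", "10.0.0.50"),
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 39,
]

def run_inventory(frames=SAMPLE_FRAMES) -> PassiveInventory:
    inv = PassiveInventory()
    for f in frames:
        inv.feed(f)
    return inv

if __name__ == "__main__":
    inv = run_inventory()
    for h in inv.hosts.values():
        print(f"{h.mac}  {h.vendor:16} ips={sorted(h.ips)} frames={h.seen}")
    for ip, old, new in inv.conflicts:
        print(f"CONFLICT {ip}: {old} -> {new}")
```

On a real port you would feed `feed()` from a raw socket or a pcap reader instead of `SAMPLE_FRAMES`; nothing in the class transmits, so it stays on the listening side of the line the commenter draws.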
Hack CIA and NSA
Given that these botnets are composed of innocent computers it's more like defending yourself against Brian Douglas Wells.
hacking
Foreign governments spy to give their nation's companies an advantage, or to get a leg up in a negotiation. They want to know what internationals are doing.
Bad idea!
They could claim they were hacked, and "hack back" to install ransomware on the target computers. Eliminates the need for those pesky collection/settlement calls and letters.
