A discussion draft of a bill proposed on Friday by Rep. Tom Graves (R-GA) that would exclude organizations from prosecution for hacking back is already stirring up some concerns about potential unintended consequences.
The Active Cyber Defense Certainty Act would exempt victims of computer crimes from prosecution for taking “active cyber defense measures.” The bill proposes an amendment to section 1030 of the Computer Fraud and Abuse Act, which prohibits unauthorized access of computers.
The bill identifies victims as those suffering from persistent unauthorized intrusions of their computers. Meanwhile, active cyber defense would constitute measures taken by the victims that include accessing the attacker’s computer without authorization in order to learn enough information for attribution that can be shared with law enforcement. The bill specifies that victims cannot cause destruction, or endanger public health or safety.
The language of the bill seems to be a conflation of two different strategies: active defense and hacking back. Active defense constitutes putting up hurdles on the victim’s side of the firewall in hopes of driving up the cost of a potential attack and frustrating a hacker to the point of moving on to another target. Think honeypots, recursive directories or false data tagged with a web beacon that leaves a trail for investigators. Hacking back, on the other hand, is quite illegal today under the CFAA and gives many researchers and legal experts great pause. The concerns are many, with first foremost being that given so many compromised computers are involved in attacks, a victim could rarely be certain they would be attacking the attacker rather than an innocent victim.
“This bill does expand active lawful cyber defense to hacking back for the expressed purpose of gathering information for attribution. That’s really broad and well intentioned, but it can result in a host of negative consequences for those engaging in this activity,” said Ed McAndrew, an attorney with Ballard Spahr in Washington, D.C., and a former federal cybercrime prosecutor. “One thing is the lack of limits placed on the conduct authorized under this statute.”
McAndrew said that attributing the malicious behavior accurately is one of the most difficult things to do.
“The first question that comes up with this, assuming you’re able to do it, is ‘Do you know who it is you would hack back against?’” he said. “This is a real concern. You could have people hacking back at pivots (in an attack). Are you hitting back against an attacker or someone accidentally in the middle?”
Paul Rosenzweig, founder of a homeland security consulting firm called Red Branch Consulting, said that while the bill has its shortcomings, it’s an encouraging step that legislators are bringing the topic to the forefront.
“I welcome the beginning of a discussion about active cyber defenses because this is a tool that should be seriously considered,” he said.
Rosenzweig suggest that should this eventually be refined and passed as law, it would require some sort of standard of practice for organizations, particularly for service providers, that could include some sort of licensure and bonding requirement.
“It’s very good that someone is thinking about this in a serious way,” he said.
In the meantime, the discussion draft as written gives rise to legal issues that could backfire, McAndrew said. For example, he wonders whether allowing a victim to access an attacker’s computer to gather information for law enforcement essentially deputizes them, or would inspire online vigilantism. Another nugget for thought is the Fourth Amendment, he said.
“You could have a Fourth Amendment defense arguing essentially that the individual engaged in self-help has engaged in unreasonable search and seizure of evidence through hacking back,” McAndrew said. “This could be a violation of the Fourth Amendment. Law enforcement would need a warrant today to carry this out. The bill, the way it’s written, could actually create a scenario that would make it difficult to prosecute attackers if they’re caught. This is why we don’t want private individuals playing cop.”
Hacking back could also create broad affirmative defenses for any hacker who gets prosecuted, McAndrew said, enabling them to conveniently use this law as a cover for their activity.
“Whatever you can convince a jury of is what truth is; that’s the view of a defense lawyer,” McAndrew said. “The hacker could tell their story that they were doing this activity to aid law enforcement. You’ve got a lot of situations where I could envision a defendant saying they’re doing this because they’re trying to help law enforcement or assist victims.”