May 1, 2017 | By Yacin Nadji
Rep. Tom Graves (R-Ga.) organized a gathering of information security business and academic leaders in Atlanta on May 1 to collect opinions about discussion draft legislation that would allow victims of cyberattacks to “hack back” into networks not their own. The legislation -- the Active Cyber Defense Certainty Act (or AC-DC) -- aims to give individuals more power to identify and stop cyberattackers, his office says. A "victim" would be defined as one who has been hit with a "persistent unauthorized intrusion." Although it would allow victims to disrupt suspected cyberattacks, the draft prohibits information destruction, physical injury, or creating threats to public health or safety during the course of a "hack back."
IISP Analyst Yacin Nadji: “"Hacking back" is not a new concept, but this draft has helped revive the discussion around the issue. When I was a Ph.D. student, I worked briefly with some companies to identify ways to respond to distributed denial of service (DDoS) attackers. In this case, the companies knew of a DDoS that was headed their way within minutes and they wanted to eliminate or mitigate the damage actively, rather than just wait and react defensively.
This proposal is different, however, in that it only considers victims to be those who have machines that are persistently compromised. This covers most of what one would consider to be a compromise, but does not include transient attacks like DDoS. While I like using "hacking back" to determine if criminal activity is taking place (and the AC-DC acronym), the problems of potential misattribution and collateral damage -- or lack of established actors to perform the "hack back" correctly -- make the existing draft problematic.
First, the attribution problem here is a catch-22: To know which machines to hack back, attribution must be performed, but to perform the hack back, attribution must be already done to comply with the proposed law. What happens when the hack back reveals the "attacker's machine" is not actually owned by the attacker? Furthermore, what constitutes proof of ownership? It is well known that attackers use "stepping stones," or compromised machines for C&C servers, routing points, or dropsites, while continuing to allow their benign activity. Who owns these machines in the eyes of this draft? Disrupting the unauthorized activity must be done carefully if it is not to simultaneously cause a legitimate business financial damages—say lost revenue—just because they happened to have been compromised, or co-located with unsavory Internet miscreants. Without reliable attribution and controls for limiting collateral damage, the current form may cause more harm than good.
Second, the bill currently allows any victim to "hack back," but ignores the potential consequences of them doing it wrong. Let's return to the compromised host example where a naive attacker leaves the very vulnerability they used to gain access unpatched. An industrious employee of the victim organization realizes this and hacks back; now what? First, does the employee know what information is relevant to law enforcement officers (LEO) looking to prosecute cyber criminals? Second, what if the intrusion alerts the attacker that something is amiss, giving them time to clean up their tracks and make subsequent LEO action more difficult or impossible? Leaving the question of "who hacks the hackers?" unanswered may simply make LEO investigations even harder. The draft makes it clear that active measures can be taken "by, or at the direction of, a victim" but it isn't clear that just because one is a victim that they are prepared or equipped to perform — or lead — an active cyber retaliation effort. Furthermore, a great deal of information that can assist in legal action can be provided by the company without hacking back, such as financial damages, lost intellectual property, and logs from the compromised hosts within their network. Often, this information is enough for LEO to obtain warrants to seize the machines that would be hacked back as a response.
There are reasons to perform more active measures, but we cannot open this Pandora's box without the proper safeguards in place. My concrete recommendations to improve the bill are:
- provide more clear definitions for "the computer of an attacker;"
- require the establishment of a consortium of experts that will coordinate with LEO to assess if a "hack back" will yield useful and admissible evidence to pursue legal action as well as perform the active investigation, and
- develop a more thorough list of actions that cannot be performed, e.g., undue financial damage to co-located organizations and businesses.
Personally, I think a more prudent course is to improve the ability for LEO to do their job well. This includes research in automated attribution, estimating financial damages incurred from compromises, and speeding up the process of seizing machines when they are implicated in cyber crime. As it stands, open-ended laws permitting "hack backs" may only complicate matters in the long run.”
For further reading
- U.S. News & World Report: https://www.usnews.com/news/articles/2017-03-09/self-defense-bill-would-allow-victims-to-hack-back
- Lawfare: https://www.lawfareblog.com/legislative-hackback-notes-active-cyber-defense-certainty-act-discussion-draft
- Rep. Tom Graves' draft legislation: https://tomgraves.house.gov/uploadedfiles/discussion_draft_ac-dc_act.pdf