US ‘hacking back’ law could create a cyber wild west of vigilantism

January 18, 2018
By Dan Swinhoe

In the ever-changing world of security, one thing never changes: the hackers attack, and businesses defend. Given the structure of legal systems around the world, this is how it’s been for decades. But one US Congressman is looking to change the rules to give businesses the option to strike back and hack the hackers. 

ACDC – I’m hacking back

The Active Cyber Defense Certainty Act (ACDC) currently being proposed would enable individuals and companies to conduct retaliatory attacks to delete stolen information and gain intel on the perpetrators.

The bill, put forward by US congressman Tom Graves, would amend the Computer Fraud and Abuse Act (CFAA) of 1986, which currently prevents any sort of offensive measures being taken to stop or retaliate against hackers. The ACDC act, however, would give individuals and companies legal authority to ‘leave their network in order to establish attribution of an attack, disrupt cyberattacks (without damaging others’ computers), retrieve and destroy stolen files, monitor the behavior of an attacker and utilize beaconing technology which would return information around location of infiltrated devices.’

“The status quo is unacceptable right now. This is really about allowing individuals and companies the right to defend themselves in an active manner, but it’s very limited,” he told CNN Tech. “We already deal in the wild west, and there’s a lot of outlaws out there but we don’t have a Sheriff.”

As well as original authors Graves and Kyrsten Sinema, the bill has bipartisan support from sevenother members of Congress.

“Anyone who reads ACDC,” Graves added in an op-ed for the Hill, “will find that it specifically prohibits vigilantism, forbids physical damage or destruction of information on anyone else’s computer, and prevents collateral damage by constraining the types of actions that would be considered active defense.”

An organization planning on ‘hacking back’ would have to inform the FBI’s National Cyber Investigative Joint Task Force, but are under no obligation to follow the agency’s advice if they recommend not to take up arms.

FBI Director James Comey has warned on multiple occasions that ‘hacking back’ would only cause “confusion” and “complications” for the agency’s own operations.

“Rep. Graves agrees with former FBI Director Comey and others who have concerns about unrestrained ‘hacking back,’ which is why this legislation is needed,” a spokesperson for Congressman Graves told IDG Connect.

“Former FBI Director Comey also said that the current approach is insufficient and law enforcement may never get ahead of the issue of criminal hacking. The current approach has resulted in very few prosecutions, despite the number of cybercrimes increasing dramatically.”

The bill doesn’t protect organizations from civil lawsuits in the event that a company targets and hacks the wrong individual, explicitly states that you can only destroy your own stolen data, and comes within the jurisdiction of the US. But these caveats have done little to allay concerns from security experts.

Is hacking back a good idea?

Hacking back isn’t a new phenomenon. A 2015 poll found 80% of security experts were against the idea of hacking back. Amongst those IDG Connect questioned in 2017, not a single security expert was in outright favor of the ACDC bill.

David Monahan of Enterprise Management Associates has already told IDG Connect such legislation would cause “bedlam,” and there’s no shortage of headlines [12345678] saying it’s a bad idea. But what about the security community?

IDG Connect asked over 30 cybersecurity professionals for their views on the legislation and some key questions about the wider implications of such a bill. Nearly two-thirds were actively against the concept and/or the bill, and even though some accepted new defensive capabilities might be useful or desired, they warned that either the bill itself wasn’t ready to pass or that hacking back comes with risks that outweigh the benefits.

“Hacking back will create new chaos and unintended consequences that cannot be fully imagined,” warned Levi Gundert, Vice President of Intelligence and Strategy at Recorded Future.

“This proposal is the product of people who are completely or willfully ignorant about how cybersecurity actually works,” according to BluVector CEO Kris Lovejoy.

“Even the CIA and NSA are having trouble defending their networks and maintaining control of their hacker tools. What makes Congress think that Target could do any better?” asks Kenneth Geers, senior research scientist at Comodo and NATO Cyber Centre Ambassador.

“Vigilantism” and “Wild West” are terms brought up by multiple experts when asked if the ACDC bill is a good idea. Several likened this to the cyber-equivalent to the right to bear arms and stand one’s ground in self-defense; long-held US laws that are uncommon in the rest of the world.

“While the intentions are good, the way it would likely play out in reality has the potential to escalate attacks, not resolve them,” adds Ken Spinner, VP of Field Engineering at Varonis. “Hack-back laws open the door for rampant misuse and essentially provide carte blanche to any organization to hack anyone else deemed suspicious without due process.”

“It is a very American sentiment to be able to protect your assets and intervene when they are being attacked,” says Jeff Engle, VP of Government and Legal Affairs, United Data Technologies. “It is good to discuss options for the ever-growing threat landscape but we are far from the level of development required for a viable legislative and regulatory framework to be implemented.”

“I am especially concerned that this law will create a new ‘cyber cold war’ arms race among organizations around the world who will rush to both bolster their active defenses and build out hotshot teams of ‘cyber commandos’ ready to launch their own stockpiled zero-days and specialized attacks,” says Richard Henderson, global security strategist at Absolute.

Some advocated updating the CFAA bill, which, at over 30 years old, was designed at a different time for a different technology landscape. Many of the experts we spoke to understand the frustrations that come with being hacked, but doubling down on defenses, and ensuring your own security systems were as watertight as possible was deemed more prudent than investing in offensive capabilities. 

Do organizations want to hack back?

“We have numerous clients that are hungry for more options to defend their enterprises,” says Andrew Howard, CTO of Kudelski Security. “When they see attacks over and over again from the same attacker, an offensive option is often desired.”

t seems that companies do have a hunger for retaliatory options. A recently-conducted study by Fidelis security found that over 56% of 500 UK organizations surveyed felt that ‘offensive security’ was a good idea, with 25% saying bad. 58% of responders said their organization would have the technical ability to identify an intruder, with 30% saying they wouldn’t. When asked whether they would prefer to pay a hacker in the event of a ransomware attack or hack back to recover decryption keys if that option was legal, just over half picked the latter and the rest evenly split between paying up or doing neither.

The potential dangers weren’t lost on these organizations, however. Collateral damage, mistaken identity, vigilantism, and violating foreign policy were all listed as potential risks. 5% of those asked thought that there were no risks.

“Organizations feel as though they should have the right to be more offensive against hackers,” Andrew Bushby, UK director at Fidelis Cybersecurity previously told IDG Connect.

The public, however, is far less certain about how it feels on the matter. The study found that 45% of 2,000 UK consumers thought organizations should be able to hack back to retrieve customer info, with just under 40% unsure, and 30% said they would neither support or object to hack back legislation.

Do organizations have the tools, talent, and money to hack back?

Retaliatory hacking between intelligence agencies and related groups isn’t uncommon, but it’s rare that private companies admit to such activity. Last month London-based plastic surgery clinic London Bridge Plastic Surgery reportedly attempted to hack back against the hacker group The Dark Overlord, though the group claims the attempts were unsuccessful.

It’s no secret organizations often don’t know what data they have where and struggle to spot breaches until long after they’ve occurred. Asking them to correctly identify the culprit, find out where the stolen data is, and then only delete that data seems a tall order.

Security spending will reach $96 Billion in 2018 according to Gartner, up 8% on 2017. But given the already stretched nature of IT budgets – plus more pressing compliance issues in the shape of GDPR – it would be a surprise if many companies want to invest in offensive capabilities (sometimes called ‘Active Defense’).

One company selling offensive cyber capabilities is Cardiff-based Pervade Software, which reportedly offers DDoS and SQL injection capabilities as well as port and vulnerability scans.

Also available is deception technology; as well as classic honeypots, deception technology includes decoy networks and endpoints to capture and analyze attacks. The market is predicted to reach $1.33 billion by 2020.

There’s little doubt, however, that it would probably be cheaper to simply buy the same off-the-shelf hacking tools from dark web marketplaces as the hackers themselves are using.

“In some instances, a tracking image/cookie/code blob makes a lot of sense, but outright use of exploits or breaking in to purported attacker systems risks too much collateral damage,” says James Lyne, Head of Research and Development at SANS Institute.

Dr. Walter Bohmayr, Global Leader of the Boston Consulting Group’s Cybersecurity practice said that while the ACDC bill would provide clarity for how deception tools could be deployed outside of a given organization’s network, the bill could have “minimal practical impact.”

“Organizations usually do not have the budget or inclination to engage in active defense, and those that do are typically already very hardened targets for would-be intruders. The overwhelming proportion of organizations are focused on developing and maintaining much more fundamental capabilities given persistent budget pressures and talent constraints.”

The dangers and difficulties of hacking back

It took over seven months for the US government to officially point to the North Korea-linked Lazarus Group as the architects of the WannaCry attacks. Many cyber-experts at the time of the attack hinted it may well be from that group, but the official confirmation took so long because working out who architects such attacks is no small task.

“When shooting back, there’s the fundamental question of who to shoot,” says Hitesh Sheth, CEO at Vectra Networks. “Notice that after any major cyber-attack, it usually takes weeks to determine who’s responsible for it, and even those determinations are hedged with uncertainty because no single point of origination is apparent.”

“If we shoot back, the machines and data belonging to these innocent organizations could be damaged and the real attackers, operating in the shadows, may escape unscathed. If we hack back, collateral damage is guaranteed.”

Organizations trying to investigate an attack to identify the culprit also risk damaging the evidence. One expert likened companies doing their own cyber forensics to “the cyber equivalent of trampling all over a crime scene” and therefore making attribution even harder.

The problem of attribution goes beyond just the difficulty of finding evidence. Hackers can attempt to spoof their identity, leaving breadcrumbs that point to innocent third parties, or simply use previously hijacked infrastructure from which to launch attacks.

“Any US corporation using an automated hackback system exposes themselves to a form of internet fraud,” says Phillip Hallam-Baker, principal scientist and VP at Comodo. “An attacker can engineer an attack so that it causes collateral damage. So, they launch an attack from platform A against a US party with deep pockets, which causes it to hackback against entity B which sues for damages in the local jurisdiction.”

Aside from the massive damage counter-hacking innocent third parties could be to those people or businesses – several experts warn of compromised hospitals potentially being used as a hacking proxy and then suffering a retaliatory strike – it also opens up the organizations to legal repercussions. The ACDC bill purposefully does not protect organizations from civil lawsuits in the event of such hacking as a way of ensuring companies think before they act.

“Attribution is a genuinely hard problem. Even when there’s a lot of evidence, it tends to be circumstantial,” says Terence Goggin, Global Cyber Risk Services (GCRS) group at professional services provider Alvarez & Marsal “I just can’t see any major organization willing to assume the risks. It’s much safer to observe what you can from your own infrastructure, and involve industry groups or law enforcement as appropriate.”

Much of the bill is focused on the use of beacons; software that can ‘phone home’ from an attacker’s computer back to the organization and provide information. But would these beacons really be useful?

“While the data provided by such beacons may be attractive to some, the practical value of the data is far from clear and we do not believe it would be useful to the broader cybersecurity threat intelligence community at this time,” says Jen Ellis, Vice President of Community and Public Affairs, Rapid7.

And while being hacked once is bad enough, what if engaging hackers at their own game just becomes an invitation to attack the company again? “Hackers like the rush to their ego of knowing they can pick a fight and get a reaction,” says Carl Herberger, Vice President of Security Solutions at Radware. “Retaliation after the event is just a costly distraction to the business and it seems silly to feed it and risk company and customer data.”

International repercussions of hacking back

Given the international and borderless nature of the internet, this bill could well have repercussions beyond the US.

Given the difficulties in certain attribution of the attacker, it’s very possible that perpetrators are residing outside the US. And as this bill has no power beyond US borders, companies that ‘hack back’ and only later discover their target isn’t on US soil could well find themselves breaking the law other countries.

“Obviously, Congress only has the ability to change US law so defenders could face penalties if they go guns blazing into another country,” Congressman Grave’s representative said when about the international effect this bill could have. “But many foreign hackers maintain command and control infrastructure in the US to launch attacks so the tools enabled by the bill are helpful. In addition, many countries harbor hackers; consequently, the bill may force a much-needed conversation on whether changes should be made to mutual legal assistance treaties. “

However, many of the experts we spoke to predicted dangerous consequences if such laws were allowed.

“’Hacking back’ laws are a recipe for major international disputes, even if they are only authorized within a country,” says Christine Runnegar, Senior Director, Internet Trust for the Internet Society. “It’s practically impossible to effectively restrict the effects of “hacking back” to national borders, and there’s the risk that a private entity could be inadvertently hacking a foreign nation’s networks or systems, an act that could be regarded as an attack against the nation, its interests or its citizens.”

“It is very appealing to ‘strike back’ at offenders, but most developed nations have stopped allowing vigilantism a long time ago,” says Ofer Maor, Director of operations at Synopsys. “Other countries that have different stances on the ‘hack back’ concept might not appreciate the ‘wild west’ approach permitted by the US, and passing a bill like this in the US will stir international controversy when hack back activities cross borders and clash with other nations’ laws.”

If such laws were passed, some predicted that other countries – especially ones with already strained relations with the US – would look to create their own version of ‘hack back’ laws for their citizens and businesses.

“Not only will other countries follow suit,” warns Ross Rustici, Senior Director of Intelligence Services at Cybereason, “they will use this as justification for further internet controls and the ‘Balkanization of the internet’ that is supported by Russia, China, and Iran. If US corporations have the green light to hack the world, it is only natural that countries need to protect themselves. This will result in a rash of new regulations, UN discussions, and likely retaliatory measures.”

“Companies with subsidiaries and significant business interests in those countries will also likely see retaliation through economics and market access. This type of law only serves to reduce the interwoven nature of the global economy.”

Legitimizing cyberwarfare

The proliferation of off-the-shelf, easy to deploy hacking toolsets has seen a sharp rise in cybercrime. Nation-states are continually expanding their cyber capabilities. And allowing organizations to legally enter the fray only reinforces the dystopian image of a ‘permanent cyber war’ put forward by the director of France’s National Cybersecurity Agency earlier this year.

We could already be at the start of such a change. Germany’s Interior Minister, Thomas de Maizière, recently put forward proposals which include hacking back capabilities for law enforcement. NATO is looking to add cyber-offensive capabilities into its peace-keeping efforts.

Microsoft’s Chief Legal Officer, Brad Smith, has called for a Digital Geneva Convention to govern the rules on online war and protect civilians. He even updated it to include the idea of a ‘cyber Red Cross’ to clean up the mess.

Additional thoughts from cyber-experts:

“Organizations deploying Active Defence would probably centralize and elevate decision-making on its use to the highest levels of the security, risk, and legal leadership. Consequently, taking into account legal, reputational and retaliatory risk, I think there will be significant incentives for organizations to stringently police their own use.” – Dr. Walter Bohmayr, Boston Consulting Group

“I support the movement to clarify what is and is not allowed, and believe some active defense techniques would help even up the playing field, but ultimately remain concerned about collateral damage and casual violation of other laws to support hacking back in the broadest sense.” – James Lyne, Head of Research and Development at SANS Institute

“What happens if a hacker infiltrates a hospital network and puts a traffic tunneller on a network-connected medical device to launch an attack on a bank. When the unaware target of the attack attempts to hack back, they might take down the medical device, potentially killing a patient connected to it.” – Ofer Maor, Director of operations at synopsys

“When will someone take on the whole problem, and actually update the CFAA? This would both allow companies to “actively defend” themselves, but also, finally clarify what is legal and what isn’t.” – Lisa Wiswell, HackerOne Advisor

“Most organizations are still struggling with detection and response. I would urge them to spend their time there. Attribution, even for the experts, is difficult and most organizations are not skilled in real offensive measures. Very few will gain value from this bill – it’s mostly window–dressing.” – Stephen Moore, Chief Security Strategist at Exabeam:

“Mark my words. If passed, this bill will pave the way for an-eye-for-an-eye vigilantism that will have courts backed up for decades.” – Rob Holmes, CEO, IPCybercrime.com

“Many organizations are simply too risk-averse to consider something along these lines. It’ s much safer to observe what you can from your own infrastructure, and involve industry groups or law enforcement as appropriate.” – Terence Goggin, Global Cyber Risk Services group, Alvarez & Marsal

“Policy makers need to understand that we are in the midst of a cyberwar and granting permissions to individuals and companies could have far reaching effects.” – Michael Magrath, VASCO, director, Standards & Regulations

“No other country would ever dream of passing such a law. It is illegal and dangerous and the international community should let their opposition be strongly known.” – Oliver Wessling, Founder, NOS Microsystems

“What happens if less-scrupulous organizations decide to use the rules as a cover for attacking competitors? It certainly seems within the realm of possibility that organizations with little respect for things like intellectual property and copyright laws may attack in the hopes of virtually ‘taking out’ a competitor operationally.” – Richard Henderson, global security strategist, Absolute

“This proposal was surely written with the US Constitution’s Second Amendment, or the right to keep and bear arms, in mind, but as with traditional weaponry, it would lead to a higher number of casualties on the cyber battlefield.” – Kenneth Geers, senior research scientist at Comodo and NATO Cyber Centre Ambassador