A new proposed bill could make it legal for companies to retaliate against hackers.
Dubbed the “hack back” bill, it was introduced last week to allow businesses to hack the hackers who’ve infiltrated their computer networks.
Called the Active Cyber Defense Certainty (ACDC) Act, it amends the Computer Fraud and Abuse Act anti-hacking law so a company can take active defensive measures to access an attacker’s computer or network to identify the hackers, as well as find and destroy stolen information. It was introduced by two U.S. Representatives, Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.
“I’ve heard folks say this is like the Wild West what we might be proposing, but in fact it’s not,” Graves told CNN Tech’s Samuel Burke in an interview. “We are already dealing with the Wild West and there’s a lot of outlaws out there but we don’t have a sheriff, we don’t have a deputy and all we were asking for is a neighborhood watch.”
But security experts warn the legislation could have serious consequences if passed.
According to digital forensics expert Lesley Carhart, the fundamental problem with the idea is that a majority of organizations who would want to hack back aren’t qualified to do so responsibly. It often takes a long time to correctly identify who was responsible for a hack.
“In cybercrime and in nation state attacks, there are often lots of attempts to mislead and confuse researchers analyzing the attack timeline or malware,” Carhart said. “A savvy bad guy could fairly easily emulate an innocent third party, and draw down the wrath of unskilled analysts on them.”
One way researchers place blame on a person or group for a hack is by looking at the evidence left in code. For example, researchers found similarities between the WannaCry code and malware created by Lazarus group, a hacking operation that has been linked to North Korea, earlier this year. Intelligence agencies later connected the country to the massive ransomware attack.
But it’s not uncommon for hackers to spoof that evidence and try and trick analysts into thinking it came from somewhere else, such as putting code from known hacking groups, or innocent third-parties, into their malware.
The bill says active defense measures could only be taken inside the U.S., which means it would have limited benefit. A majority of attacks are based outside the country or route their attacks through servers overseas so it looks like they’re coming from overseas, said Amanda Berlin, author of the Defensive Security Handbook.
Companies would also be required to alert the National Cyber Investigative Joint Task Force, an organization led by the FBI, before trying to hack their hackers. The agency could also review active defensive measures before they’re taken.
The FBI and other law enforcement agencies are already involved in investigating and prosecuting cybercrime. They work closely with major security firms and companies impacted by breaches. However, a relatively low number of businesses in the private sector report ransomware, a common and lucrative cyberattack.
Carhart says poking around in a hacker’s network could impede law enforcement investigations and court proceedings by potentially contaminating evidence.
The FBI defense review also introduces some thorny foreign retaliation issues. Kristen Eichensehr, assistant professor at UCLA School of Law, explained in Just Security, a national security publication.
“The FBI’s participation in the review process may trigger the U.S. government’s international legal responsibility for actions of private actors,” she wrote.
However, some firms already engage in hacking back, despite the illegality. Graves said the bill could put some parameters on that behavior.
“Word on the street is many companies are already doing some of these things,” Graves told Burke in an interview. “They know, you know, and I know that they are doing is illegal. What we would be doing is bringing clarity to what some might already be doing and what tools might be successful.”
He also said he hopes additional tools will be developed by the security community that can protect people from hackers.
Some experts believe resources may be better spent elsewhere than through retaliation.According to Berlin, companies should invest in their existing infrastructure to prevent hacks in the first place.
“So many corporations get the basics wrong, or skip steps to spend money on some fancy blinky box that’s supposed to protect them from everything,” Berlin said.
This year’s most serious hack was not sophisticated. Equifax failed to patch a software hole despite a fix existing for months before hackers compromised data on 145.5 million people.
To keep systems secure, Berlin advised companies to remove non-essential machines from direct internet access, and patch early and often to prevent hackers from exploiting known holes. If something can’t be updated or fixed, it should be separated from other networks.
Experts warn that hacking back could also hurt innocent third-parties.
Consider Mirai, a massive botnet that turned connected home devices into an army of zombie computers controlled by one attacker. If a company was attacked by a botnet like Mirai and tried to hack back, they could be hitting an innocent family’s network connected to a security camera, instead of the real person behind the attack.
“I’m afraid it will take us back to ancient Babylon and Hammurabi code which called for an eye for an eye and a tooth for a tooth,” said Bassel Ojjeh, cofounder and CEO of security firm LigaData. “And everyone at this rate will go blind.”