Legal hack-back – a colossally bad idea
By Mark Weatherford, November 18, 2017
Like Colin Clive screaming “It’s alive!” in the original 1931 Frankenstein movie, the Active Cyber Defense Certainty Act (H.R. 4036) continues to live. Reintroduced last month by Representatives Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) and also called the ‘Hack-Back’ bill, this draft legislation amends Section 1030 of title 18, United States Code (which was previously amended by the 1986 Computer Fraud and Abuse Act) to “provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes.”
While I’m sure Representatives Graves and Sinema have qualified advisors, I think they may be listening to the wrong technical security experts. People within the cybersecurity community regularly battle and argue about technologies, architectures and policies, but one thing that they agree on almost universally is that hacking back is a colossally bad idea.
There are a number of reasons but most importantly from my perspective, when you engage in cybersecurity retaliation, you no longer control the timeline or the reaction of the adversary who may in fact have a bigger army and more talented resources than you. Inexperienced boxers never survive in a fight with Mike Tyson.
As a guy with lots of operational cybersecurity experience, I get it, I really do. You feel helpless when a bad guy breaks in and steals your data and you want revenge, serious scorched earth revenge. It’s like someone breaking into your home and stealing all your valuables – you feel violated and want to track them down and take the law into your own hands. Unfortunately, and I acknowledge this is an unfair thing to say, if a company wasn’t defensively talented enough to keep the bad guys from stealing in the first place, why would they think they have the skills for an offensive campaign? The technology and skill level required to launch an attack is easy, almost absurdly easy. However, doing the appropriate reconnaissance, intelligence gathering and confirming attribution to make sure you have the right guys and understand what kind of response you may get falls into the VERY HARD category.
Most people - and most companies - simply do not have the talent, resources or time to comprehend all the possible implications and unintended consequences that come with cyber-retaliation. Attribution is a truly complicated business; the hazards of giving the wrong person (or wrong nation-state) a cyber-bloody nose can be disastrous, and the possibility of escalation is very real. The bill requires “qualified defenders with a high degree of confidence in attribution,” but who determines what qualified means? I know a number of cybersecurity experts – EXPERTS – who are really good at this kind of work and wouldn’t trust themselves to make 100% positive attribution. Jane Holl Lute, my former boss at DHS, once said that “a little information in the hands of the eager can be a dangerous thing.” How very true.
British Vice Admiral Horatio Nelson is quoted as saying that “desperate affairs require desperate measures.” We live in a world of imperfect choices and law enforcement is obviously overwhelmed, but one person’s cyber-missionary can easily be misinterpreted as another person’s cyber-terrorist, and Congress shouldn’t be so desperate that it creates a legal avenue for what can easily be discerned as vigilantism. H.R. 4036 opens the door for profound unintended consequences and is an incredibly dangerous path for Congress to take.
Mark Weatherford is SVP & Chief Cybersecurity Strategist at vArmour. He is the former Deputy Under Secretary for Cybersecurity at the US Department of Homeland Security.
HACK-BACK? I kindly invite you to participate in a short survey about the Active Cyber Defense Certainty (ACDC) Act and counter-hacking in cyberspace. This survey is purely academic and anonymous, contains 23 questions and will take about 5-9 minutes to complete. https://lnkd.in/gGsdMuc
Fear, uncertainty and doubt? The bill has clearly defined parameters, focuses on attribution activities (not punching back as others have implied - in fact it explicitly lists disruptive activities as unauthorized) and requires acknowledgement from the FBI before any action can be taken. Why would beaconing code (that you have to steal from me first) be a bad idea? I'm sure the bill will be refined, but I think it’s a step in the right direction in terms of attribution and prosecution.
Mark, this ‘Hack Back’ scenario is an extremely poor theory, that is extremely mentally deficient legislative practice, even in theory... The ‘glass house’ theory of religion is no less pertinent. - If you don’t like living in a ‘glass house’, surrounded by rocks, why not teach your children to simply throw rocks! The problem is not that ‘rocks’ can break glass houses, but that the glass debris can also impact life and limb, when these rocks are thrown and land elsewhere... One cannot play the Cyber Security game of mental challenge by simply taking their personal bat home when they lose the game, nor can you play the game of baseball without a bat... Cyber Security is more like a game of chess; you have to think forward and multiple steps ahead of your opponent in order to win ‘this’ specific game. As with the Privacy Act of 1974, one cannot expect a legislative solution within our lifetime.
Mark - well done and I heartily agree! Think of the anarchy and unintended consequences! Thanks for standing up for the community.