By: Sonny Santistevan, Columnist
Photo Credit: Slate (via TASS)
Cybersecurity breaches are an all-too-common theme in headlines across the United States. 2017 alone has seen an inordinate number of cybersecurity breakdowns, including state-sponsored ransomware, leaks of spy tools from intelligence agencies, electoral campaign hacking, and a myriad of public- and private-sector breaches, leaving millions of Americans with their personally identifiable information compromised.[i] The frustration brought on by these breaches has some legislators ready to support their constituents by advocating for the ability to “hack back” when companies fall victim to a cyberattack. The cases for and against hacking back are nearly as old as the internet itself, and despite warnings from cybersecurity experts about the disastrous consequences of industries personally countering adversaries in the cybersphere, the idea of “hacking back” is alive and well. Congressman Tom Graves (R-GA) recently introduced H.R. 4036, the Active Cyber Defense Act (ACDC), with bipartisan co-sponsorship. The bill is intended to amend the Computer Fraud and Abuse Act of 1986 (CFAA) so that companies are permitted to “hack back,” or, as the bill more delicately terms it, engage in “active defense.” Legalizing active defense would allow companies that are victims of cybercrimes to legally conduct cyber operations to establish attribution of the attack, disrupt related unauthorized cyber activity, and monitor the behavior of their attacker.[ii] This cybersecurity conundrum certainly makes the temptation to hack back understandable, but what is misunderstood about hacking back is its technical difficulty and the potential for disastrous unintended consequences.[iii]
This hacking back option often gains political salience when companies suffer major cyber breaches and, in legal parlance, are unable to be made whole from the resulting damages. Typical cyber defense mechanisms—ranging from encryption and firewalls to anti-virus software and intrusion-detection systems—are passive and often cannot remedy a breach once the damage is done. As a result, measurements of how well companies are prepared to mitigate cyber intrusions are based on how effective their damage control mechanisms are and how quickly the company can become operational again. Cyber and information technology systems are becoming more and more integral to society, but as long as cyber defense mechanisms remain in a state of passive defense, cyber adversaries will continue to have the operational advantage.
At a May 2017 House Armed Services Emerging Threats and Capabilities Subcommittee hearing, Admiral Michael Rogers, head of the National Security Agency, illustrated the potential unintended consequences of hacking back. In responding to a question on whether or not active defense should be legal, Rogers stated, “While there is certainly historic precedent for this—nation states have often gone to the private sector when we lacked government capacity or capability…my concern is, [I would] be leery of putting more gunfighters out on the street in the wild west.”[iv] To continue with Rogers’s analogy, most politicians advocating the legalization of hacking back do not understand that these would-be corporate gunfighters may not have the firepower necessary to remedy their situation, let alone know where to point their guns. The difficulty of attributing attacks in the cyber domain and the potential consequences of active defense measures are the core concerns of those advocating against hacking back.
Attribution is problematic for even the most technically savvy cyber warriors. In this instance, attribution is the method of tracking, identifying, and laying blame on the perpetrator of a cyberattack or other hacking exploit. Compounding the natural difficulty of this endeavor is cyber adversaries’ ability to cover their digital footprints, making attribution an inexact task. The technical aspect of attribution goes even deeper: highly capable cyber adversaries can not only hide their digital footprints but also leave bits of false intelligence, otherwise known as false flags, to deliberately lead their victims astray.[v] Even if companies could legally hack back, this raises the question: what happens when a private company accidentally misattributes an attack and engages in an active defense operation against the wrong party?
The consequences of the hack back option are potentially catastrophic, and it enables victims to engage in operations that may be far beyond their scope of cyber expertise. The ACDC does attempt to keep this sort of vigilante justice in check by requiring companies to notify law enforcement of their intentions before hacking back.[vi] But even if companies have the capability and the “go ahead” to hack back, what then? There is no mechanism built in to ensure that companies’ active defense measures are targeting the correct information or adversary.
It is understandable that legislators are trying to help constituents find a remedy to cyber breaches, but the hacking back option is not the answer. The entire process is entrenched in legal and operational ambiguity. The last thing the United States national security apparatus needs to contend with is private entities having the legal authority to launch active defense operations throughout the world and then having to answer for their mistakes. While passive defensive measures may be inadequate to prevent all cyber breaches, active defense under the provisions of the ACDC will have unmanageable consequences and surely do more harm than good.
[i] Newman, Lily Hay, “The Biggest Cybersecurity Disasters of 2017 So Far,” Wired, June 30, 2017, accessed December 08, 2017. https://www.wired.com/story/2017-biggest-hacks-so-far/.
[ii] “Rep. Tom Graves Proposes Cyber Self Defense Bill,” Congressman Tom Graves, Representing the 14th District of Georgia, accessed December 03, 2017.
[iii] Penn-Hall, Luke, “Strengthening U.S. Cyber Defenses,” The Cipher Brief, November 06, 2017, accessed December 06, 2017. https://www.thecipherbrief.com/article/cyber/strengthening-u-s-cyber-defenses.
[iv] Carberry, Sean D., “Congressman files new ‘hack back’ bill,” FCW, May 26, 2017, accessed December 06, 2017. https://fcw.com/articles/2017/05/26/graves-hack-back-bill.aspx.
[v] Bartholomew, Brian, and Juan Andrés Guerrero-Saade, “Wave your false flags!” Securelist, October 06, 2016, accessed December 08, 2017. https://securelist.com/wave-your-false-flags/76273/.
[vi] Uchill, Joe, “New bill would allow hacking victims to ‘hack back,’” The Hill, October 13, 2017, accessed December 06, 2017. http://thehill.com/policy/cybersecurity/355305-hack-back-bill-hits-house.