Congressman Introduces Bill That Would Allow People And Companies To 'Hack Back' After Attacks

from the a-limited-offensive-weapon-that-can-only-be-raised-as-a-defense dept

Probably not the best idea, but it’s something some legislators and private companies have been looking to do for years: hack back. Now there’s very, very, very nascent federal legislation in the works that would give hacking victims a chance to jab a stick in the hornet’s nest or work on their attribution theories or whatever.

A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack.

Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.

The CFAA amendment [PDF] would (sort of) authorize very limited “hack back” permissions. The powers can only be used for good, so to speak. The attacked can turn the tables slightly by invading the attacker’s domain solely for the purpose of determining the person/group behind the attack.

What it won’t allow is retribution and revenge, which may come as a disappointment to those who have been brutally breached.

(ii) does not include conduct that—

(I) destroys the information stored on a computer of another;

(II) causes physical injury to another person; or

(III) creates a threat to the public health or safety

That may temper the enthusiasm of supporters, but it’s best the victims don’t stoop to the level of their attackers, if only because the CFAA is already a hideously out-of-date mess that would be helped NOT AT ALL by endorsing the same behavior it criminalizes elsewhere.

The bill is only a “discussion draft” at this point, so by the time it reaches a vote, it may bear little to no resemblance to this embryo of an idea.

While it may be tempting to give private companies the power to hack attackers, there’s always the chance mission creep will turn these permissions into violations. A few years ago, the IP Commission suggested it might be a good idea to allow software companies to “hack” computers owned by those suspected of infringement in order to uncover their identities and the location of the purloined software. The commission suggested the deployment of malware — something more aligned with the FBI’s child porn investigation tactics (which themselves have been found to be of dubious legality) than with what’s being suggested here.

But this is only a suggestion. There’s still a lot of legislative meat to be put on these bones and it’s unlikely the same companies who thought it would be a fine idea to deploy malware against suspected pirates have changed their opinion over the last four years.

Rep. Tom Graves is the person behind the bill and had this to say about it — part of which is pretty much dead on.

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Graves. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”

“Empowering individuals” through federal law can go sideways in a flash. The second half of Graves’ statement is better. A conversation does need to take place about responses to security breaches and attacks. But that conversation shouldn’t start until those wishing to speak up start doing a much better job locking down their digital valuables. Offense is more fun to play than defense, but defense is where it all should start.

It also should be pointed out this bill is not open season on hackers. It doesn’t give companies or individuals explicit permission to hack back, but rather provides them with a defense should they happen to be sued or prosecuted for engaging in this behavior. An affirmative defense is rarely as useful as explicit permission, as anyone who’s argued fair use in court can attest. The DOJ has engaged in some very creative readings of the CFAA over the years, and an affirmative defense is only going to go so far in preventing bogus prosecutions.



Comments on “Congressman Introduces Bill That Would Allow People And Companies To 'Hack Back' After Attacks”

23 Comments
Anonymous Coward says:

Sounds good - until...

This sounds good, sort of like “Black ICE” in Neuromancer. However, one cannot know if the counter hack is against something that would endanger the public health or safety.

For instance, a while back a dam control system was being used as an anonymous proxy to launch penetration attacks against other systems. There was no rDNS to give a clue as to who this was, and the ARIN allocation was for a telecom with no suballocation.

Now, imagine the fun that would happen with a counter hack should they accidentally do something like, oh, command the floodgates to open past the point where the pinions could engage the rack on the mechanics of the gates, thus making it impossible to close them until all the water has been released.

This would first cause uncontrolled flooding, destroying property downstream. Next, since dams are usually there for water impoundment, there would be no drinking or irrigation water, usually for 2 years (average impoundment reserve).

One of the things I pass time with is just passive network inspection in data centers. I don’t probe, just listen to what is present on my own network port. Some of the things you see (generally broadcasts since switches are not promiscuous – or at least, shouldn’t be) is kinda eye opening. For instance, you can tell a lot about what is around you network wise just by the ARP broadcasts and the MAC.

It sounds good to be able to “hit back”, but target selection is not guaranteed to be safe, thus making it impossible to know if you are causing more damage than the system trying to hack you.

Anonymous Coward says:

Re: Re: Sounds good - until...

The post below brought to you by Michael Masnick, Inventor of Techdirt, The Place Good Ideas Go To Get Buried, Anonymously and Shamefully

  1. I don’t write as artfully as Mr. Masnick
  2. I’m not Mr. Masnick.
  3. Mr. Masnick has no problem putting his name on his opinions that I’ve seen.
  4. If you object to anonymity, why are you posting anonymously?
  5. If you hate TechDirt so much, why are you here?
  6. Did your Seroquel prescription get cancelled due to DrumphDon’tCare? Oh, I’m sorry, obviously you don’t take Seroquel – it’s contra-indicated for elderly patients with dementia-related psychosis.

Now that we have the argumentum ad hominem out of the way, did you wish to make a point using logic, facts, and examples? Because that’s why I come here. I’m perfectly willing to listen to conservative talking points if you are prepared to defend and argue them using some semblance of common courtesy and intelligence.

That’s what grown-ups do. Children just yell "neener! neener! neener!" and run away. So the question is: "Are you an adult, or a child?"

Bergman (profile) says:

Re: Re:

It could actually be worse than that.

If you are unaware your computer’s spare CPU cycles are being co-opted by a botnet, the first sign of trouble could be what looks like a hack attack on your system.

So, under the hack-back law, you take down the computers of the people hacking your computers. So they hack you back, and so on.

It could wind up like a peculiarly digital version of the Hatfields & McCoys.

The Wanderer (profile) says:

Re: Re: Re:

Theoretically, that should be prevented by the “only hacking to identify the people responsible for hacking you” clause(s), which would make any given hack-back much less likely to be noticed than an “original” (and not-permitted-by-this-law) hacking attempt would be.

There’s considerable difference between theory and practice, however.

Anonymous Coward says:

Re: Bad idea!

Exactly, it’s not like it hasn’t happened before:
http://dyn.com/blog/backconnects-suspicious-bgp-hijacks/

So here we have a DDoS protection service hijacking IP space from other providers. In the meantime, legitimate traffic is being redirected to an unknown location. Imagine this is your service provider being hijacked, so all your information is being forwarded to them to save flows and possibly data. Hell, a few high speed links and DAC cards aren’t that expensive when you are talking about commercial espionage. Once you have the data you can spend as much time on it as required, so it’s not a loss. Sadly, RPKI should help, but it’s still tied down, and hell, I haven’t even implemented it.

PRoMetHEUz says:

HI america

I’d like to tell you that one time long ago someone attacked me

they didn’t stop and your nation (which was where I was hosting) did shit

I TOOK care not only of said problem without any need of law i took the entire offending nation off the internet….

FOR A WEEK.
Signed DONT FUCK AROUND THIS KINDA SHIT WILL LEAD TO MORE JERKS ATTACKING PEOPLE AND THEN CLAIMING THEY WERE ATTACKED FIRST…..

THIS IS YOUR ONLY WARNING ON THIS SUBJECT …pass along to the people that need too.

signed ..

THE WORLD

oh and does this mean hollywood will attack everyone downloading a music tune cause they think that copying their music is an attack?

WILL THEY DOS ME FOR SUCH and do you think this will lead anywhere healthy

Sok Puppette (profile) says:

Not ONLY for purposes of identification.

It also says “or to disrupt continued unauthorized access”.

So DoS attacks are fine as long as you don’t actually delete any files on their machine or create a threat to public safety.

The whole “hacking back” concept is idiotic, anyway. You’re giving your enemy control over your targeting. If this happens, Joe jobs will become even more popular than they are now.

Anonymous Coward says:

They will have to specify what kinds of attacks are allowed. When I was in high school, in the 80s, one kid who broke into a computer literally got some shocking results. The owners of the computer he broke into sent a high voltage current down the phone line and fried his computer, and also killed every phone in the house, and tripped a few circuit breakers in the phone company exchange.
