Sometimes when tech policymakers try to solve a problem, their proposed cure would only make matters much worse. That’s certainly the case with draft US legislation that would give victims of cyberattacks the chance to hunt their suspected attackers down.
Known as the Active Cyber Defense Certainty Act, or ACDC for short, the bill aims to let victims try to track down attackers by entering the systems of organizations they suspect the hackers have used to mount assaults. Often, these organizations may be other companies that are unaware their computers have been compromised. An existing US law forbids this kind of pursuit, which is known as “hacking back.” Only a few government agencies, like the FBI, have the authority to hunt down suspected hackers in this way.
Supporters of the bill, which was recently introduced in the US Congress, say the FBI and other government agencies are already overwhelmed by an onslaught of cyberattacks, including “ransomware” that has paralyzed computer systems in cities like Atlanta and Baltimore and massive data thefts at large companies like the Marriott hotel chain. In theory, giving businesses and individuals the right to do their own hunting would support the agencies' efforts.
The US government has signaled it’s taking a more proactive approach to deterring cyber threats. But the ACDC bill’s cosponsors, Republican congressman Tom Graves and Democrat Josh Gottheimer, argue that companies and other private-sector organizations need greater freedom to defend themselves. They also say some businesses are already engaged in some forms of digital vigilantism, and that their bill would clear up the legal gray area surrounding this.
The proposed legislation (whose full text can be found at the bottom of the story) would amend an existing US law, the Computer Fraud and Abuse Act (CFAA), to let firms and individuals hack back to locate persistent attackers. They would also be able to monitor the hackers’ systems and disrupt their operations.
The bill says the new powers should be used only by “qualified defenders” who have “a high degree of confidence” in their assailants’ identity. They must inform the FBI and seek guidance from it before hacking back—and do their best to avoid damaging third-party systems and triggering an escalation of hostilities.
This may all sound reasonable, but the ACDC Act is seriously flawed because:
1. Most companies lack the skills to take on sophisticated assailants
The bill doesn’t say what exactly qualifies a company or individual as a “qualified defender.” This vagueness could let all kinds of businesses hack back. But while, say, a Google almost certainly has the know-how to do so effectively, many others won’t.
Sean Weppner, a former US Department of Defense cyber officer who’s now at cybersecurity firm Nisos, believes hacking back is best left to governments. “Few people have the experience and expertise needed to do this in a nuanced and controlled fashion,” he says.
2. It’s really hard to know for sure who’s behind a cyberattack
Hackers are masters of obfuscation and typically cover their tracks by using things like spoof IP addresses and hacking tools developed by others. It’s also very difficult to be certain a computer that appears to be behind an attack hasn’t itself been hacked. That could easily cause the wrong systems to be targeted.
3. The bill provides no real protection when things go wrong
It’s very easy to cause unintentional harm to innocent parties’ computers. Even the most sophisticated hackers sometimes pump out code that has unintended consequences.
Anne Toomey McKenna, a professor at Penn State University, points out that even if the ACDC Act passed, it would still leave businesses liable to costly civil lawsuits at both the federal and state levels if they harmed other US businesses’ computers or data. And if they damaged systems in foreign countries, they could still be charged under domestic anti-hacking laws. “It opens a door for companies [to hack back],” she says, “but it’s not really protecting them.”
4. The bill would inevitably lead to damaging reprisals
The draft legislation says those who hack back should try hard not to escalate hostilities. But hackers aren’t going to take attacks on their own systems lightly. Having already found chinks in victims’ digital defenses, they might well exploit more of them if provoked.
5. Private companies could find themselves confronting nation-states
Countries like North Korea, Russia, and Iran are thought to be behind some of the biggest cyberthreats facing businesses today. It certainly would not be advisable for a single company to take them on.
Sandra Joyce of cybersecurity company FireEye worries that if the ACDC bill does get enacted, it could also set a precedent that encourages other countries to loosen their own anti-hacking laws. Some nations may be tempted to make it far easier for companies to hack back than it is in the US. “That would create an even higher risk of a cyber catastrophe,” warns Joyce.
A better approach would be for companies to focus on beefing up their defenses. Many breaches are still the result of basic security errors, such as poorly protected passwords and failures to update software regularly.
At the same time, the US needs to work harder with its allies to promote international norms that would help defuse tensions in cyberspace. Passing legislation like the ACDC Act would only create a legal highway to more hacking hell.