Congressman Introduces Bill That Would Allow People And Companies To 'Hack Back' After Attacks
from the a-limited-offensive-weapon-that-can-only-be-raised-as-a-defense dept
Probably not the best idea, but it's something some legislators and private companies have been looking to do for years: hack back. Now there's very, very, very nascent federal legislation in the works that would give hacking victims a chance to jab a stick in the hornet's nest or work on their attribution theories or whatever.
A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack.
Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.
The CFAA amendment [PDF] would (sort of) authorize very limited "hack back" permissions. The powers can only be used for good, so to speak. The attacked can turn the tables slightly by invading the attacker's domain solely for the purpose of determining the person/group behind the attack.
What it won't allow is retribution and revenge, which may come as a disappointment to those who have been brutally breached.
(ii) does not include conduct that—
(I) destroys the information stored on a computer of another;
(II) causes physical injury to another person; or
(III) creates a threat to the public health or safety
That may temper the enthusiasm of supporters, but it's best the victims don't stoop to the level of their attackers, if only because the CFAA is already a hideously out-of-date mess that would be helped NOT AT ALL by endorsing the same behavior it criminalizes elsewhere.
The bill is only a "discussion draft" at this point, so by the time it reaches a vote, it may bear little to no resemblance to this embryo of an idea.
While it may be tempting to give private companies the power to hack attackers, there's always the chance mission creep will turn these permissions into violations. A few years ago, the IP Commission suggested it might be a good idea to allow software companies to "hack" computers owned by those suspected of infringement in order to uncover their identities and the location of the purloined software. The commission suggested the deployment of malware -- something more aligned with the FBI's child porn investigation tactics (which themselves have been found to be of dubious legality) than with what's being suggested here.
But this is only a suggestion. There's still a lot of legislative meat to be put on these bones and it's unlikely the same companies who thought it would be a fine idea to deploy malware against suspected pirates have changed their opinion over the last four years.
Rep. Tom Graves is the person behind the bill and had this to say about it -- part of which is pretty much dead on.
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Graves. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”
"Empowering individuals" through federal law can go sideways in a flash. The second half of Graves' statement is better. A conversation does need to take place about responses to security breaches and attacks. But that conversation shouldn't start until those wishing to speak up start doing a much better job locking down their digital valuables. Offense is more fun to play than defense, but defense is where it all should start.
It also should be pointed out this bill is not open season on hackers. It doesn't give companies or individuals explicit permission to hack back, but rather provides them with a defense should they happen to be sued or prosecuted for engaging in this behavior. An affirmative defense is rarely as useful as explicit permission, as anyone who's argued fair use in court can attest. The DOJ has engaged in some very creative readings of the CFAA over the years, and an affirmative defense is only going to go so far in preventing bogus prosecutions.
Filed Under: attribution, cfaa, congress, hack back, hacking, tom graves
Sounds good - until...
For instance, a while back a dam control system was being used as an anonymous proxy to launch penetration attacks against other systems. There was no rDNS to give a clue as to who this was, and the ARIN allocation was for a telecom with no suballocation.
Now, imagine the fun that would happen with a counter hack should they accidentally do something like, oh, command the floodgates to open past the point where the pinions could engage the rack on the mechanics of the gates, thus making it impossible to close them until all the water has been released.
This would first cause uncontrolled flooding, destroying property downstream. Next, since dams are usually there for water impoundment, there would be no drinking or irrigation water, usually for 2 years (average impoundment reserve).
One of the things I pass time with is just passive network inspection in data centers. I don't probe, just listen to what is present on my own network port. Some of the things you see (generally broadcasts, since switches are not promiscuous - or at least, shouldn't be) are kinda eye opening. For instance, you can tell a lot about what is around you network-wise just by the ARP broadcasts and the MACs.
It sounds good to be able to "hit back", but target selection is not guaranteed to be safe, thus making it impossible to know if you are causing more damage than the system trying to hack you.
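A concrete illustration of the passive listening the comment above describes, added here as an example and not part of the original comment or the article: it parses Ethernet/ARP frames, builds an IP-to-MAC table from whatever ARP traffic reaches a port, and flags the one attribution-relevant thing such a listener can actually tell you, namely that the same IP has been claimed by two different MACs. The frames, the addresses and the tiny OUI table are constructed for the example (a real tool would load the IEEE OUI registry).

```python
"""Passive ARP inventory over constructed Ethernet frames (example code)."""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6

# Illustrative OUI prefixes only (assumption for the example).
OUI_TABLE = {"00:50:56": "VMware", "00:1b:21": "Intel", "b8:27:eb": "Raspberry Pi"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def vendor(mac: str) -> str:
    """Map the first three octets of a MAC to a vendor name from the sample table."""
    return OUI_TABLE.get(mac[:8], "unknown")


def build_arp_frame(eth_src: bytes, sha: bytes, spa: str, tpa: str, op: int = 1,
                    tha: bytes = b"\x00" * 6, eth_dst: bytes = BROADCAST) -> bytes:
    """Build an Ethernet II + ARP frame; used here only to construct sample input."""
    spa_b = bytes(int(o) for o in spa.split("."))
    tpa_b = bytes(int(o) for o in tpa.split("."))
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, ETHERTYPE_IPV4, 6, 4, op, sha, spa_b, tha, tpa_b)


def parse_arp(frame: bytes):
    """Return a dict for an IPv4-over-Ethernet ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {
        "eth_src": mac_str(eth_src), "broadcast": eth_dst == BROADCAST, "op": op,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def inventory(frames):
    """Passively build an IP -> set-of-MACs table and flag conflicting claims."""
    hosts = {}
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue                      # not ARP, or not IPv4-over-Ethernet: ignore
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            alerts.append(f"{ip}: Ethernet source {arp['eth_src']} differs from ARP sender {mac}")
        known = hosts.setdefault(ip, set())
        if known and mac not in known:
            alerts.append(f"{ip}: MAC changed from {sorted(known)} to {mac} (conflict or spoofing)")
        known.add(mac)
    return hosts, alerts


def sample_frames():
    """Constructed traffic: three ARP requests and one unrelated IPv4 frame."""
    vm = bytes.fromhex("005056aa0001")
    pi = bytes.fromhex("b827eb000002")
    intel = bytes.fromhex("001b21000003")
    return [
        build_arp_frame(vm, vm, "192.168.1.10", "192.168.1.1"),
        build_arp_frame(pi, pi, "192.168.1.20", "192.168.1.1"),
        ETH_HDR.pack(BROADCAST, pi, ETHERTYPE_IPV4) + b"\x00" * 28,   # not ARP: ignored
        build_arp_frame(intel, intel, "192.168.1.10", "192.168.1.1"),  # same IP, new MAC
    ]


if __name__ == "__main__":
    hosts, alerts = inventory(sample_frames())
    for ip, macs in sorted(hosts.items()):
        print(ip, ", ".join(f"{m} ({vendor(m)})" for m in sorted(macs)))
    for a in alerts:
        print("ALERT:", a)
```

Only ARP requests are broadcast, so a non-promiscuous port mostly sees who is asking for whom; replies are unicast and will not appear unless they are addressed to you. That is exactly why this kind of listening is useful for inventory and nearly useless for attribution: the sender MAC tells you which NIC is on the segment, not who is behind the traffic, and any MAC or IP in a frame can be set by whoever transmits it.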
Re: Re: Sounds good - until...
The post below brought to you by Michael Masnick, Inventor of Techdirt, The Place Good Ideas Go To Get Buried, Anonymously and Shamefully
Now that we have the argumentum ad hominem out of the way, did you wish to make a point using logic, facts, and examples? Because that's why I come here. I'm perfectly willing to listen to conservative talking points if you are prepared to defend and argue them using some semblance of common courtesy and intelligence.
That's what grown-ups do. Children just yell "neener! neener! neener!" and run away. So the question is: "Are you an adult, or a child?"
Re: Re: Re: Sounds good - until...
- Are you an amoeba or a fungus?
Hack CIA and NSA
Given that these botnets are composed of innocent computers it's more like defending yourself against Brian Douglas Wells.
Re:
If you are unaware your computer's spare CPU cycles are being co-opted by a botnet, the first sign of trouble could be what looks like a hack attack on your system.
So, under the hack-back law, you take down the computers of the people hacking your computers. So they hack you back, and so on.
It could wind up like a peculiarly digital version of the Hatfields & McCoys.
Re: Re:
There's considerable difference between theory and practice, however.
Bad idea!
Re: Bad idea!
http://dyn.com/blog/backconnects-suspicious-bgp-hijacks/
So here we have a DDoS protection service hijacking IP space from other providers. In the meantime, legitimate traffic is being redirected to an unknown location. Imagine this is your service provider being hijacked, so all your information is being forwarded to them to save flows and possibly data. Hell, a few high speed links and DAC cards aren't that expensive when you are talking about commercial espionage. Once you have the data you can spend as much time on it as required, so it's not a loss. Sadly, RPKI should help, but it's still tied down, and hell, I haven't even implemented it.
They could claim they were hacked, and "hack back" to install ransomware on the target computers. Eliminates the need for those pesky collection/settlement calls and letters.
HI america
They didn't stop, and your nation (which was where I was hosting) did shit.
I TOOK care not only of said problem without any need of law, I took the entire offending nation off the internet....
FOR A WEEK.
Signed DONT FUCK AROUND THIS KINDA SHIT WILL LEAD TO MORE JERKS ATTACKING PEOPLE AND THEN CLAIMING THEY WERE ATTACKED FIRST.....
THIS IS YOUR ONLY WARNING ON THIS SUBJECT ...pass along to the people that need too.
signed ..
THE WORLD
Oh, and does this mean Hollywood will attack everyone downloading a music tune cause they think that copying their music is an attack?
WILL THEY DOS ME FOR SUCH, and do you think this will lead anywhere healthy?
Step 1: Break into Apple's silly UFO
Step 2: Do nice sloppy hack of Microsoft making sure to leave a good trail that is easy to find, but not too obvious.
Step 3: Sit back and watch as two giants start trading blows.
And if an individual is hacked by a government agent?
I wonder how he'd feel about an individual defending him/her self then...
Re:
Yeah, Graves might want to watch his words. I suspect he doesn't actually want citizens to be allowed to hack the government in retaliation.
Pinkerton Network Security
Pinkerton Network Security Solutions
Just tell us your objectives, we will take care of the rest!
Plus, join now and get 1/2 off our intrusion detection software.
Discretion is for the Weak! Call Us Now!!!
Not ONLY for purposes of identification.
So DoS attacks are fine as long as you don't actually delete any files on their machine or create a threat to public safety.
The whole "hacking back" concept is idiotic, anyway. You're giving your enemy control over your targeting. If this happens, Joe jobs will become even more popular than they are now.
So, no hurling nukes in the direction of the bad actors?
Where's the fun in that?
Then, learn that all the moral lessons you've learned about real life don't apply on the Internet, because... reasons?