Congressional Rep Pushes His 'Hack Back' Bill By Claiming It Would Have Prevented The WannaCry Ransomware Attack

from the yeah-probably-not dept

Legislator Tom Graves is pushing his cyber defense bill again. So far, his bill -- which we covered here in March -- is still in the drafting stages and has yet to be introduced. It has an unmemorable name (Active Cyber Defense Certainty Act) [but a much better acronym (ACDC)] and a handful of ideas that are questionable at best.

The bill would amend the CFAA to give companies the ability to "hack back" to shut down attacks and identify the attackers. It would not allow them to go on the offense proactively and it doesn't actually grant companies new statutory permissions. Instead, it provides them with an affirmative defense against CFAA-related charges, should someone decide to take them to court.

The good news about the bill's slow crawl is it's being rewritten before being introduced. According to the Financial Times, Graves and his team are consulting with cybersecurity experts to craft a better bill.

The Active Cyber Defense Certainty bill, co-sponsored with Arizona Democrat Kyrsten Sinema, is in its early stages. After consulting with cyber security executives at an event at the Georgia Institute of Technology, the bill is being redrafted to include safeguards such as the requirement for companies to notify law enforcement if they are using such techniques, so they can examine that they are being used responsibly.

However, Graves' consultation process seems to begin and end here. There are many more security experts out there who believe this bill will do more harm than good and there doesn't appear to have been much consultation with those who disagree with Graves' beliefs.

The other questionable aspect of this renewed push for hack-back legislation is Graves' belief this bill would have prevented something it likely wouldn't have: the WannaCry ransomware attack.

Mr Graves said he believed the WannaCry ransomware, that hit the UK’s National Health Service and US companies including FedEx, may have been prevented if his bill had already been passed. “I do believe it would have had a positive impact potentially preventing the spread to individuals throughout the US,” he said. “Our proposal is to empower individuals and companies to fight back basically and defend themselves during a cyber attack.”

First off, nothing prevented companies and individuals from defending themselves from these attacks. Well, something did prevent them from defending themselves adequately, but the two entities most at fault were the NSA and Microsoft, with the former's exploit making prodigious use of the latter's security holes. There are other intermediate defensive steps that might have been taken just in general, but Microsoft is the dominant force in business software and the NSA itself was concerned this exploit might be too powerful and result in too much collateral damage.

Second, hacking back wouldn't have halted the attack. What killed the attack wasn't an attempt to track down the ransomware purveyors but an examination of the exploit itself. A security researcher accidentally found a kill switch for the malware: an unregistered domain name, which he purchased in the hope of tracking the attack. It turned out that doing so also stopped the attack. No legal change was needed to make that happen. Even if Graves' bill were law, it would have had nothing to do with ending the WannaCry attack. Certainly this won't be the case in every attack, but the lessons learned from WannaCry have almost nothing to do with the actions this legislator wants to make legal.
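The kill-switch mechanism described above, seen from a defender's side, as an added example that is not part of the original article: a scan over constructed DNS resolver log lines that flags internal hosts looking up a kill-switch domain, and separates lookups that failed (the malware's check fails and it keeps spreading) from lookups that resolved after registration (the check succeeds and the malware halts). The article does not name the real domain, so `killswitch.example` is a placeholder, and the log format and sample lines are constructed.

```python
import re
from collections import defaultdict

# Placeholder for the real kill-switch domain, which the article does not name.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed resolver log lines (not real data): timestamp, client IP, queried name, answer.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 query killswitch.example NXDOMAIN
2017-05-12T10:01:05Z 10.0.4.17 query update.example.com 203.0.113.5
2017-05-12T10:02:11Z 10.0.9.2 query killswitch.example NXDOMAIN
2017-05-12T10:02:40Z 10.0.4.17 query killswitch.example NXDOMAIN
2017-05-12T15:30:00Z 10.0.9.2 query killswitch.example 198.51.100.7
2017-05-12T15:31:12Z 10.0.6.44 query killswitch.example 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, name, answer = m.groups()
    return {"ts": ts, "client": client, "name": name, "answer": answer}

def scan_for_kill_switch(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return per-client counts of kill-switch lookups, split by outcome.
    NXDOMAIN is the dangerous case: the malware's domain check fails and it
    carries on spreading. Once the domain is registered and resolves, the
    same lookup makes the malware exit, so a resolved answer marks a host
    that was infected but stopped by the kill switch."""
    report = {"unresolved": defaultdict(int), "resolved": defaultdict(int)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["name"] != domain:
            continue
        bucket = "unresolved" if rec["answer"] == "NXDOMAIN" else "resolved"
        report[bucket][rec["client"]] += 1
    return {k: dict(v) for k, v in report.items()}

def infected_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Every client that queried the kill-switch domain at all, regardless of
    outcome: a lookup of this name is itself an infection indicator."""
    rep = scan_for_kill_switch(log_text, domain)
    return sorted(set(rep["unresolved"]) | set(rep["resolved"]))
```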


Filed Under: hack back, hackback, hacking back, tom graves, vulnerabilities, wannacry


Reader Comments


  1. Anonymous Anonymous Coward (profile), 24 May 2017 @ 9:36am

    Right

    All we need are more 'crypto's' pushing supposed 'reverse malware' into the ecosystem, where unintended consequences occur with alarming regularity.

  2. Anonymous Coward, 24 May 2017 @ 9:46am

    Allowing business to hack-back is really dumb regardless of whatever assurances they give that will soon be revised, revoked and/or ignored.

    Remember that congress critter that proposed business be allowed to blow up computers used by pirates? What a moron. So, these computers would have an explosive device pre-installed that no one would be able to remove, disable or circumvent ... lol, what a moron.

    These tech illiterates should not be placed in positions of authority or any decision making on tech issues, not sure what is so difficult to understand about this - must have something to do with money as that is all they seem to be concerned with.

  3. hij (profile), 24 May 2017 @ 9:55am

    Reverse DDOS

    That sounds like a great attack vector. Hijack a few machines owned by someone you do not like and have them launch an attack on someone else you are not fond of. Then sit back and watch the fireworks. Mutually assured destruction only works when there are only two sides.

  4. Berenerd (profile), 24 May 2017 @ 10:00am

    Let's forget about the fact that it was the government's plan to hack people that caused this issue (WannaCry) in the first place.

  5. Roger Strong (profile), 24 May 2017 @ 10:03am

    Does this legislation strictly define the "cyber attacks" that let companies go on the offensive?

    Otherwise no doubt they'll adopt whatever definition suits them. Anything from perceived IP misuse to online criticism will no doubt be cited for "hacking back", just like it's routinely cited for DMCA takedown fraud and other unethical responses.

  6. Anonymous Coward, 24 May 2017 @ 10:06am

    what a fucking tool!

    let the hacking begin!

    Boss: So which one hacked us today?
    ITsec Toad: It looks like it was sourced from "St Judes" boss.
    Boss: We need to get them back for this travesty!
    IT Drone: Uh hey, I doubt that they really did the hacking maybe it was...
    Boss: Bullshit, it's just a cover, St Jude is obviously now a terrorist organization working under the cover of kids' cancer research, the bastards!
    ITsec Toad: Shall we start the DDOS boss or are we going for an infiltration?
    Boss: Does not matter, do what you can to get any evidence we need to sue their asses off!

    News Anchor: In tonight's news the CEO of "Twinkle Tots Toys" has been arrested along with several others for ordering a back hack of St Jude's that went deadly wrong after a toddler's medical equipment malfunctioned in the crossfire. The family of the toddler is distraught after they had just received word the day before that treatments were working well and doctors believed the toddler was going to make a great if not full recovery.

    Yep... and we will still vote this dumb fucking politician back in I bet!

  7. NeghVar (profile), 24 May 2017 @ 10:21am

    Dangerous amendment

    How can you tell between the attacker and a zombie system? Say a bank's system has been compromised and is acting as a zombie for this DDoS attack. If the attacked company then hacks back, they may end up hacking the bank's system. When the bank investigates, they find IP addresses from the company that hacked back. Now the bank wants to prosecute the company and there is plenty of log evidence to support the bank. Good luck, company that hacked back.

  8. Anonymous Coward, 24 May 2017 @ 10:37am

    We are the GCHQ, we hack who we want, when we want, for any reason we want, or for no reason at all.

  9. Roger Strong (profile), 24 May 2017 @ 10:58am

    Re: Right

    It certainly raises some interesting questions.

    Once legal, it's a lot easier to monetize "reverse malware" and hacking tools. Especially highly automated tools for small and medium companies who don't have hackers on staff.

    So... Would Microsoft roll their "hack back" tools into Windows Defender ("The best defense is a good offense!"), or do they monetize them as a new component in Office 365?

    /s

  10. Anonymous Anonymous Coward (profile), 24 May 2017 @ 11:32am

    Re: Re: Right

    I was under the impression that Office 365 was already malware. Oh, you mean make Office 365 offensive.

    Definition of offensive

    1 a: making attack : aggressive The bear made offensive movements.

    b: of, relating to, or designed for attack offensive weapons

    c: of or relating to an attempt to score in a game or contest offensive maneuvers; also : of or relating to a team in possession of the ball or puck offensive linemen

    2: giving painful or unpleasant sensations : nauseous, obnoxious an offensive odor

    3: causing displeasure or resentment offensive remarks

    BTW, did you mean definition 1a or 2?

  11. Anonymous Coward, 24 May 2017 @ 11:35am

    errr, how about the NSA don't create then misplace the malware in the first place. Think that would have solved wannacry faster.

  12. Anonymous Coward, 24 May 2017 @ 11:35am

    if only people like him pushed as hard when trying to get something that is helpful and truthful into play rather than only when trying to remove privacy, remove freedom and instill even more surveillance than already in place! and as for preventing wannacry, that could easily have never happened had it not been for its inception by the NSA, along with other virus and loggers and trackers, all of which have never been wanted but have caused total havoc from the get go!!

  13. ryuugami, 24 May 2017 @ 11:55am

    Re: Re: Right

    So... Would Microsoft roll their "hack back" tools into Windows Defender ("The best defense is a good offense!"), or do they monetize them as a new component in Office 365?

    Windows Offender

  14. Anonymous Coward, 24 May 2017 @ 2:09pm

    NSA does nothing to improve security. It should be renamed International Insecurity Agency.

  15. orbitalinsertion (profile), 24 May 2017 @ 3:48pm

    Law enforcement will check to see any techniques are being used responsibly?

    *head explodes*

  16. orbitalinsertion (profile), 24 May 2017 @ 3:51pm

    Re:

    Maybe "Service" rather than "Agency".

  17. Anonymous Coward, 24 May 2017 @ 4:36pm

    Did you know it's actually illegal to have a tar pit to trap malicious bots and attackers?

    It is equally illegal to reflect DDoS attacks back to their source.

  18. Anonymous Coward, 24 May 2017 @ 7:40pm

    Re:

    Law enforcement will check to see if any new techniques have been developed that they can also use.

  19. Lawrence D’Oliveiro, 24 May 2017 @ 9:44pm

    Re: Did you know its actually illeg[a]l to have a tar pit to trap malicious bots and attackers?

    What, you mean my iptables rule

        iptables -A INPUT -i ${outside} -p tcp --dport 22 -j DROP

    is illegal?

  20. Aaron Walkhouse (profile), 25 May 2017 @ 1:04am

    Hmmm…

    "It has a unmemorable name (Active Cyber Defense Certainty Act) [but a much better acronym (ACDC)]"

    Okay then…

    Henceforth [until it is scrapped] we call it the "Dirty Deeds" bill! ;]

  21. Wyrm (profile), 25 May 2017 @ 10:01am

    Would that law mean people and corporations will be allowed to "hack back" the NSA? If so, it's a bad law, but that could provide some entertainment.
