Congressional Rep Pushes His 'Hack Back' Bill By Claiming It Would Have Prevented The WannaCry Ransomware Attack

from the yeah-probably-not dept

Legislator Tom Graves is pushing his cyber defense bill again. So far, his bill -- which we covered here in March -- is still in the drafting stages and has yet to be introduced. It has a unmemorable name (Active Cyber Defense Certainty Act) [but a much better acronym (ACDC)] and a handful of ideas that are questionable at best.

The bill would amend the CFAA to give companies the ability to "hack back" to shut down attacks and identify the attackers. It would not allow them to go on the offense proactively and it doesn't actually grant companies new statutory permissions. Instead, it provides them with an affirmative defense against CFAA-related charges, should someone decide to take them to court.

The good news about the bill's slow crawl is it's being rewritten before being introduced. According to the Financial Times, Graves and his team are consulting with cybersecurity experts to craft a better bill.

The Active Cyber Defense Certainty bill, co-sponsored with Arizona Democrat Kyrsten Sinema, is in its early stages. After consulting with cyber security executives at an event at the Georgia Institute of Technology, the bill is being redrafted to include safeguards such as the requirement for companies to notify law enforcement if they are using such techniques, so they can examine that they are being used responsibly.

However, Graves' consultation process seems to begin and end here. There are many more security experts out there who believe this bill will do more harm than good and there doesn't appear to have been much consultation with those who disagree with Graves' beliefs.

The other questionable aspect of this renewed push for hack-back legislation is Graves' belief this bill would have prevented something it likely wouldn't have: the WannaCry ransomware attack.

Mr Graves said he believed the WannaCry ransomware, that hit the UK’s National Health Service and US companies including FedEx, may have been prevented if his bill had already been passed. “I do believe it would have had a positive impact potentially preventing the spread to individuals throughout the US,” he said. “Our proposal is to empower individuals and companies to fight back basically and defend themselves during a cyber attack.”

First off, nothing prevented companies and individuals from defending themselves from these attacks. Well, something did prevent them from defending themselves adequately, but the two entities most at fault were the NSA and Microsoft, with the former's exploit making prodigious use of the latter's security holes. There are other intermediate defensive steps that might have been taken just in general, but Microsoft is the dominant force in business software and the NSA itself was concerned this exploit might be too powerful and result in too much collateral damage.

Second, hacking back wouldn't have halted the attack. What killed the attack wasn't an attempt to track down the ransomware purveyors but rather by examining the exploit itself. A security researcher accidentally found a kill switch for the malware: an unregistered domain name which he purchased to hopefully track the attack. It turns out it also stopped the attack. There was no legal change that is needed to enable that to happen. Even if Graves' bill were law, it would have had nothing to do with ending the WannaCry attack. Certainly this won't be the case in every attack, but the lessons learned from the WannaCry attack have almost nothing to do with the actions this legislator wants to make legal.

Filed Under: hack back, hackback, hacking back, tom graves, vulnerabilities, wannacry

Congressman Introduces Bill That Would Allow People And Companies To 'Hack Back' After Attacks

from the a-limited-offensive-weapon-that-can-only-be-raised-as-a-defense dept

Probably not the best idea, but it's something some legislators and private companies have been looking to do for years: hack back. Now there's very, very, very nascent federal legislation in the works that would give hacking victims a chance to jab a stick in the hornet's nest or work on their attribution theories or whatever.

A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack.

Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.

The CFAA amendment [PDF] would (sort of) authorize very limited "hack back" permissions. The powers can only be used for good, so to speak. The attacked can turn the tables slightly by invading the attacker's domain solely for the purpose of determining the person/group behind the attack.

What it won't allow is retribution and revenge, which may come as a disappointment to those who have been brutally breached.

(ii) does not include conduct that—

(I) destroys the information stored on a computers of another;

(II) causes physical injury to another person; or

(III) creates a threat to the public health or safety

That may temper the enthusiasm of supporters, but it's best the victims don't stoop to the level of their attackers, if only because the CFAA is already a hideously out-of-date mess that would be helped NOT AT ALL by endorsing the same behavior it criminalizes elsewhere.

The bill is only a "discussion draft" at this point, so by the time it reaches a vote, it may bear little to no resemblance to this embryo of an idea.

While it may be tempting to give private companies the power to hack attackers, there's always the chance mission creep will turn these permissions into violations. A few years ago, the IP Commission suggested it might be a good idea to allow software companies to "hack" computers owned by those suspected of infringement in order to uncover their identities and the location of the purloined software. The commission suggested the deployment of malware -- something more aligned with the FBI's child porn investigation tactics (which themselves have been found to be of dubious legality) than with what's being suggested here.

But this is only a suggestion. There's still a lot of legislative meat to be put on these bones and it's unlikely the same companies who thought it would be a fine idea to deploy malware against suspected pirates have changed their opinion over the last four years.

Rep. Tom Graves is the person behind the bill and had this to say about it -- part of which is pretty much dead on.

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Graves. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”

"Empowering individuals" through federal law can go sideways in a flash. The second half of Graves' statement is better. A conversation does need to take place about responses to security breaches and attacks. But that conversation shouldn't start until those wishing to speak up start doing a much better job locking down their digital valuables. Offense is more fun to play than defense, but defense is where it all should start.

It also should be pointed out this bill is not open season on hackers. It doesn't give companies or individuals explicit permission to hack back, but rather provides them with a defense should they happen to be sued or prosecuted for engaging in this behavior. An affirmative defense is rarely as useful as explicit permission, as anyone who's argued fair use in court can attest. The DOJ has engaged in some very creative readings of the CFAA over the years, and an affirmative defense is only going to go so far in preventing bogus prosecutions.

Filed Under: attribution, cfaa, congress, hack back, hacking, tom graves

Shameful: House Panel Votes Down Plan To Make Public Domain Congressional Research Public

from the a-total-failure dept

For many, many years, we've complained about the fact that research reports from the Congressional Research Service (CRS) are kept secret. CRS is basically a really good, non-partisan research organization that tends to do very useful and credible research, when tasked to do so by members of Congress. The results, as works created by the federal government, are in the public domain. But the public never gets access to most of them. The reports are available to members of Congress, of course, but then it's up to the members who have access to them to actually release them to the public... or not. And most don't. Back in 2009, Wikileaks made news by releasing almost 7,000 CRS reports that had previously been secret. Since at least 2011, we've been writing about attempts to release these reports publicly, and nothing has happened.

In fact, Congress seems quite fearful of the public getting its hands on timely, credible, non-partisan and useful research paid for by taxpayers. Because it undermines the partisan fighting and tribalism around certain policy platforms that are built on myths, rather than evidence. For years, Congress has refused to adequately fund the CRS, and has tried to turn the useful researchers within CRS into free lackeys, rather than having them work on useful research.

In 2012, an effort was made to make CRS research available to the public and it went nowhere. And it looks like the same thing has just happened again. The House Appropriations Committee has voted down the bill by a large margin:

At a time when highly informed voters might seem like a good thing, the Appropriations Committee voted down, 18-32, an amendment from Reps. Mike Quigely (D-Ill.) and Scott Rigell (R-Va.) that would have made it easier for the public to access Congressional Research Service reports.

For what it's worth, CRS itself has historically opposed this, out of fear that it will put more pressure on its research team, and perhaps even lead them to being more fearful of writing something that is totally accurate, but politically unwelcome. And, some in Congress argue that such fears might bubble up to Congress as well:

But the chairman of the Legislative Branch Appropriations Subcommittee, Rep. Tom Graves (R-Ga.), argued that members needed to be "really, really careful with this." He noted that CRS was an arm of Congress, and he didn't want members to be afraid to ask CRS to prepare reports on controversial issues for fear that their requests would become public.

But, that's meaningless in the context of this bill, which wouldn't apply to the smaller reports done in direct response to questions from Congressional members. It would only apply to the larger reports that CRS creates for every member of Congress.

Rep. Debbie Wasserman Schultz similarly made completely bogus claims about this bill, saying that it would slow down the research that CRS does:

"I have serious concerns about changing the role that the Congressional Research Service plays," Wasserman Schulz said, arguing that it would not help members to have CRS go through a "long and arduous approval process."

This is bullshit for a bunch of reasons starting with the fact that the work is paid for by taxpayers and is in the public domain. Wasserman Schulz is showing pretty blatant contempt for the public with this claim. But, also, her claims are not true. Since any CRS document already has the chance of being released to the public, CRS already goes through a careful review process. Dan Schuman from Demand Progress has the details:

In fact, CRS already puts reports through an arduous, multi-stage review process because they know the reports will become publicly available. Thus, equal public access would not change the process at all. She also argued that releasing the reports would change the role of CRS in providing advice to members of Congress at the discretion of the Member. In fact, the general distribution reports that are the focus of the bill have nothing to do with confidential advice to Members.

So, again, it makes you wonder, why is Congress so intent on hiding this taxpayer funded research -- which has a history of being credible, factual and useful -- from the public? Could it be that an informed public is considered a bad thing to many members of Congress?

Filed Under: appropriations committee, congress, congressional research service, copyright, debbie wasserman schultz, public domain, research, tom graves