[BreachExchange] Proposed 'Hack Back' Bill Still in the Works, but Remains Contentious

Fri Jun 2 00:03:06 EDT 2017

http://www.eweek.com/security/proposed-hack-back-bill-still-in-the-works-but-remains-contentious

A Georgia congressman has made a second attempt to craft legislation that
carves out legal exemptions for companies that ‘hack back’ at attackers,
posting a revised draft on May 25 that allows for beaconing technology,
creates a mandatory reporting requirement and additional attempts to limit
collateral damage.

The draft of the legislation, known as the Active Cyber Defense Certainty
(ACDC) Act
<https://tomgraves.house.gov/uploadedfiles/discussion_draft_active_cyber_defense_certainty_act_2.0_rep._tom_graves_ga-14.pdf>,
aims to allow companies to identify and take steps against online
attackers. A variety of online actors—from cyber-criminals to nation-state
agents—usually launch attacks through compromised private servers to shield
their identity and activity, preventing prosecutors from pursuing charges
and companies from filing lawsuits.

The legislation, which has not yet been formally introduced in the U.S.
House of Representatives, would allow organizations to create software that
would ‘beacon out’ and identify the IP address of the potential location of
the attacker and would allow the destruction of stolen data on a
compromised system not actually owned by its operator.

The draft legislation “allow(s) the use of limited defensive measures that
exceed the boundaries of one’s network in an attempt to identify and stop
attackers,” according to a statement released by the office of Rep. Tom
Graves, R-GA, who is working on the bill.

“These changes reflect careful analysis and many thoughtful suggestions
from a broad spectrum of industries and viewpoints,” Rep. Tom Graves,
(R-GA), said in a statement referring to version 2 of the legislative
draft. “I look forward to continuing the conversation and formally
introducing ACDC in the next few weeks.”

Hacking back, however, has always sounded a note of caution for security
professionals, who worry that companies will not be able to limit the
impact of software running on a server that has been compromised by
cyber-attackers.

“How do you realistically apply oversight to whether a company is
sophisticated enough to take action on another’s system,” said Jen Ellis,
vice president of community and public affairs for Rapid7. “None of these
questions have been answered in any meaningful or realistic way.”

In addition, only certain companies—those with a high degree of technical
knowledge—will be able to take advantage of more active defenses. Some may
be able to hire a private firm to pursue attackers on their behalf, but the
creation of technical haves and have-nots will likely mean that attackers
will focus more efforts on the less tech-savvy companies, she said.

“Over time, the profit model will evolve, and the attackers will go for the
targets with less defenses, so you are increasing the vulnerability of the
most vulnerable organizations and you are widening the security-poverty
gap,” Ellis said.

Yet, the legislation taps into the frustration felt by many in business,
that attackers are getting away with disrupting systems and causing damage
without fear of punishment.

“I think the general goal is very worthy,” Robert Chesney, professor of law
and associate dean for academic affairs at the University of Texas School
of Law, wrote of the original March draft of the legislation.
<https://www.lawfareblog.com/legislative-hackback-notes-active-cyber-defense-certainty-act-discussion-draft>
“Yet the draft illustrates that it is really hard to frame the precise
language needed to obtain greater legal space for active defense while
still preserving reasonable — and reasonably clear — boundaries.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170601/b25ea890/attachment.html>