Often, when new regulations are introduced in an industry, they can bear unintended consequences for the future.
Since this past summer, legislators have been contemplating a law relating to cyber defense called the Active Cyber Defense Certainty Act, or ACDC. The bill is intended to limit the legal consequences under computer fraud and abuse law for parties that respond to or defend themselves against cyber intrusions.
It may seem like a straightforward act of protection at first glance, but the bill has raised a lot of big questions as it has worked its way through the government, especially from the business vantage point.
Cyber cons/cyber pros
And with good reason. If or when the act becomes law, one concern is that boards and executives will be asked to make decisions on “hacking back”—meaning using a protocol of active cyber defense—when they really are not in the best position to do so.
Given the way cyber attacks operate, i.e. off-grid in the unregulated dark web, any counter action, even by a government entity, runs the risk of being founded on incomplete and/or misleading information in the first place.
These decisions could potentially have disastrous consequences not just for companies, but for the global economy as a whole.
Proponents of the ACDC bill argue that defenders would benefit from tools and rights, as long as they observe a version of the following protocol:
1. Establish attribution of an attack.
2. Disrupt the cyberattack without damaging another party’s computers or other property.
3. Retrieve and destroy stolen or compromised files.
4. Monitor the behavior of an attacker.
5. Utilize beaconing technology.
The justification we’ve heard most loudly from legislators is that a very small number of cybercrimes are prosecuted, leaving criminals facing no consequences for their illegal behavior, and that the hack-back guidelines listed above can supply the missing deterrence.
But let’s examine what we see as perhaps the biggest reason why prosecution of cybercrimes is so rare: Attribution is difficult. Nearly impossible, in many cases. The anonymity that the internet provides, and the ability to be located almost anywhere in the world, contributes to this challenge. That it is easy for bad actors to falsify evidence and make an attack look like it originated from someone or somewhere when it didn’t makes matters all the more complicated.
An example of a so-called “false flag” operation was the hacking of the French TV network TV5Monde. The attack was made to look like it was perpetrated by an ISIS-affiliated group. But as it turned out, the attackers were in fact tied to the Russian government.
The reality is that even governments and agencies with ample resources to invest in a defensive strategy struggle with attribution. How then can we expect private enterprises with more meager intelligence resources to accomplish this effectively and with minimal errors?
What happens if a well-intentioned defender truly believes they’ve identified the source of a cyber crime, and even has evidence that points to a specific actor—but it turns out they were wrong? Would the company and the individual be prosecuted? Do they have safe harbor protection?
As written, the ACDC bill is murky in this regard at best. It appears to offer a defense that someone indicted under the original Computer Fraud and Abuse Act could use. By claiming that they were engaging in hack-back efforts, even a malicious party could theoretically get off the hook and avoid prosecution using the ACDC Act.
Even the first objective of the bill—“Establish attribution of an attack”—presents a chicken-and-egg problem. How do you establish attribution without the active defense? And how do you engage in active defense if you don’t have attribution?
If an organization were attacked, for example, the bill suggests an objective of the hack-back activities is for the victim to understand where the attack originated. But if they don’t already know that, who are they actually hacking back in the first place?
Most cyber criminals worth their salt will not use their own systems to launch an attack.
For executives and corporate officers who authorize a hack-back, this fact almost inevitably means significant collateral damage.
Multiple layers of obfuscation and indirection are standard in this criminal realm. Often, perpetrators will look to Internet of Things systems because they allow them to use the devices of unsuspecting individuals and even resources running on cloud service providers like Amazon, Microsoft, or Google.
Do you really want to face the blowback from launching an offensive at the likes of Amazon or Facebook because someone used their platforms for a cybercrime, especially if they are not the ultimate target? This is what occurred with the Mirai botnet event, in which a group of adolescent hackers wreaked havoc on the web by taking advantage of such IoT devices.
Ultimately, this illustrates how hacking back, for the most part, leads to a slew of unintended harmful consequences, both for whoever owns the systems that were misused and for the company proactively trying to protect itself from a cybercrime.
Who bears the burden
With the ACDC bill, corporations are burdened with deciding whether or not to act in their own self-interest, and whether or not to risk doing damage to an unsuspecting victim, quite possibly a manufacturing company with a bunch of compromised IoT devices.
There are literally millions of bots out there. When it comes to the largest botnets—the networks that connect bots and help spread pernicious cyber viruses, attacks, and the like—who is the actual target of an active defense strategy?
In many cases, we just don’t know.
In other cases, it could be several groups or individuals, or even nation states. In still others, it could be an unsuspecting victim being taken advantage of by bad actors.
Other likely victims of collateral damage are the organizations involved, whether directly or indirectly. Depending on the severity of a cybercrime, a government or public body may force a company into a public reporting cycle, unintentionally triggering class actions and derivative lawsuits as well as damage to an organization’s public reputation.
The problem with upholding the law on the internet
Apparently both the current and former heads of the FBI think active defense is a bad idea. As FBI director Christopher Wray commented, “We don’t think it’s a good idea for private industry to take it upon themselves to retaliate by hacking back at somebody who hacked them.” Which, to be clear, is precisely what the ACDC mandates.
Former FBI director James Comey also expressed concern that any kind of active defense strategy could impede the FBI’s own law enforcement efforts. This is especially true now as cybercrime and geopolitics become more and more intertwined.
How do you ensure the nation state on the other end of an attack doesn’t consider this an act of war? And what if those nations pass their own hacking-back laws and use them as a pretext to hack into our own corporations? What if, during the active defense, you unintentionally interfere with, destroy, or somehow affect data or resources that belong to a third country, one where hacking is illegal?
If the ACDC does ultimately become law, one saving grace is that companies have to notify the FBI and the US Department of Justice before engaging in active defense. Perhaps those departments and agencies, as the implementers of the law, can police the process. But that feels like a risk in and of itself, and threatens to place an undue burden on security and defense agencies whose resources could be used elsewhere.
The next big cybercrime frontier
Regardless of whether the government passes this legislation, hacking back is not a viable security defense strategy. There is no precedent to show this kind of strategy is effective with any kind of criminal activity, let alone with cybercrime, where the dynamics are inherently so complicated and opaque.
Government efforts would be better spent defining rules of engagement, like the ones we have in the Geneva Conventions.
In the likely event that it passes, companies and their boards of directors should think long and hard before going the hack-back route, given the many unpredictable and unintended side effects that we’ve so far seen do more damage than good.
Our energy would be better spent building effective detection strategies, before we think about hitting back. Especially in today’s 24/7 news cycle, companies will be judged not on whether they hacked back, but on how effectively they detected a breach and how conscientiously they chose to respond, with the minimal amount of damage and fallout for all parties involved.
As with all processes, boards should ask management to review the current security strategy. If the hack-back option is part of that strategy, it’s probably worth adding to the agenda of your next board meeting.
There’s too much at stake to be surprised by a well-intended chief information security officer who doesn’t consider the fine print—including all the potential consequences.