Rep. Tom Graves, R-Ga., is reintroducing his Active Cyber Defense Bill today. He first floated the idea in March 2017, and published an updated version in May 2017. It was then, and is now, being described as the 'hacking back' bill.
There is a technical difference between hacking back and active defense -- and in fairness, Graves never once uses the term 'hacking'.
SANS describes active defense as "The process of analysts monitoring for, responding to, and learning from adversaries internal to the network." Hacking back implies the offensive incursion and disruption of attackers' systems. Problems occur when active defense goes too far and becomes hacking back -- and most commentators believe this would become inevitable if active defense is legalized.
Problems then evolve into dangers if the '(over)active defenders' make mistakes -- and this is likely inevitable. Professional hackers are adept at hiding their cyber tracks, using innocent companies' systems, and planting false flags. Even professional security companies are slow to make direct attributions based on cyber clues alone.
"Notice that after any major cyber-attack, it usually takes weeks to determine who's responsible for it, and even those determinations are hedged with uncertainty," warns Hitesh Sheth, CEO of threat detection firm Vectra. "That's because no single point of origination is apparent."
In his own explanation (PDF) of the proposal, Graves paints a benign picture of the effect of his proposal.
"Most defenders would likely use active-defense techniques to perform "deep reconnaissance" of the hackers who originated the attack. For example, a defender using active-defense techniques could "follow the bread crumbs," back to the source of the attack. They could then attempt to attribute the source, "naming and shaming" the attacker, turn over relevant information to law enforcement, or simply learn the "vector" that the attacker took to execute the original malicious attack and avoid it."
Joseph Carson, chief security scientist at privileged access management firm Thycotic, told SecurityWeek that businesses can help law enforcement without hacking back. "Businesses can help law enforcement with attribution by assisting with digital forensics and evidence collection that helps determine both the motive and source of the cyberattack. However, any hack back should be contained by government officials. If hack back is made legal, businesses could accidentally attack another victim whose machine is simply a proxy to the real attackers. Put simply, hack back can be extremely dangerous if put in the hands of businesses and citizens."
Graves' view of what is likely to happen is exactly what the cybersecurity industry already does with expert analysts, time and resources -- and still has difficulty with accurate attribution. The idea that an organization under attack would have the ability to do the same and get it right is a difficult concept. Getting it wrong could harm individual privacy, innocent companies, and even cause international incidents.
"Cyber attackers hit us from multiple computers in multiple countries," continued Sheth. "These computers belong to private companies, governments (including those friendly to the U.S.) and innocent individuals who don't know their devices have been co-opted and who aren't in league with the attackers. If we hack back, the machines and data belonging to these people could be damaged. And the real attackers, hiding behind them, would be untouched."
Graves suggests that some companies are already engaged in active defense, are doing so without any guidelines and need guidance and protection, or immunity, from the Computer Fraud and Abuse Act. This argument is tantamount to suggesting that if laws are already being broken, they should be scrapped. Self-defense allows reasonable force for defense. This is particularly relevant to a home invader. However, it would not stretch to following the invader to his own home and using reasonable force there -- particularly, as would probably be the case, the 'self-defense' happens months after the original attack.
"There is absolutely no way that we could mount a counter-offensive, get past the multiple co-opted computers that have attacked us, find the point of origin and hit -- in whatever manner -- the true bad guys who launched the attack. We might be able to retaliate, weeks or months after being attacked, but we certainly could not hack back in time to stop an attack in progress."
Last year, the U.S. National Security Advisor John Bolton announced a more aggressive government stance on foreign hacking. "Our hands are not tied as they were in the Obama administration. For any nation that's taking cyber activity against the United States, they should expect... we will respond offensively, as well as defensively," he said.
This week, Bolton has re-iterated the stance. At a Wall Street Journal event this week, he announced, the broad goal is "to say to Russia or anybody else that's engaged in cyberoperations against us, you will pay a price. If we find that you're doing this, we will impose costs on you until you get the point that it's not worth your while to use cyber against us." It is a clear warning that if foreign countries cross the cyber line against the U.S., the U.S. will hit back even harder.
With Graves reintroducing his Active Cyber Defense Bill just two days later, it might be a calculated view that national opinion has changed and will be more receptive to companies taken measures into their own hands. But Carson is adamant. "Hacking back is a bad idea and should not be made legal as this could quickly cause major security incidents or even result in human casualties. It should only be conducted by government agencies where attribution is confirmed with high confidence."
Sheth has a similar viewpoint: "Hacking back seems like an excellent opportunity to shoot ourselves in the foot, multiple times. You can't legislate your way into a cyber strategy. Here's a much better idea: Drop the whole thing."