A House discussion draft bill that would give companies the power to hack back against cybercriminals needs further work to get broad support in Congress, a think tank technology policy specialist told Bloomberg BNA March 6.
Companies are often left guessing as to whom to turn to in the wake of a cyberattack and have limited options for responding. They may reach out to law enforcement authorities or share cybersecurity threat information with other government agencies but are prohibited from hacking back against their attackers. But the draft proposes giving companies and other entities the ability to strike back.
The Active Cyber Defense Certainty Act would amend the Computer Fraud and Abuse Act to give entities that are a “victim of a persistent unauthorized intrusion” against their “computers” the ability to infiltrate an alleged cybercriminal’s computer for attribution purposes or to disrupt a cyberattack. It doesn’t allow entities to destroy information stored on other computers, cause physical injury to others or create a public health or safety threat.
Rep. Tom Graves (R-Ga.), who introduced the discussion draft, told Bloomberg BNA March 6 in a phone interview that the proposed bill is aimed at helping “business that are falling prey to cybercriminals.” The draft comes after discussions with private-sector stakeholders who maintain that companies throughout the U.S. are “left with no rights to actively defend themselves” against costly cyberattacks, he said.
Concerns with the proposed bill may spark debate among stakeholders, policy advocates and members of Congress.
Denise Zheng, director and senior fellow of the technology policy program at the Center for Strategic & International Studies in Washington, told Bloomberg BNA March 6 that giving companies the ability to hack back against alleged cybercriminals may not be the best approach for active cybersecurity defense. A better approach would involve a discussion between “law enforcement, various government agencies and critical infrastructure companies” to set up a “reasonable framework,” she said.
A bill that might have hope of passage in Congress would give only “very narrow” authority to certain critical infrastructure companies, which would work with law enforcement agencies to stop the cyberattacks, Zheng said. Critical infrastructure companies include internet service providers, chemical companies and energy companies, among others, according to a Feb. 12, 2013 presidential policy directive.
The proposed bill would give companies resources to attribute attacks to foreign cybercriminals. Attribution is important because it can help law enforcement agencies track down the nefarious actor before they harm other companies. However, without proper oversight, that power may be too immense for most, Zheng said.
Such concerns were highlighted March 2 by retired general Keith Alexander, former director of the National Security Agency, former chief of the Central Security Service and former commander of U.S. Cyber Command. Giving companies the ability to infiltrate computers of suspected hackers can be dangerous if a nation-state is on the receiving end, he said.
Alexander used the Sony Pictures Entertainment Inc. 2014 cyberattack as an illustrative example of the dangers behind such a measure. If Sony had the power to hack into North Korean computers, the issue could have turned into a larger conflict, he said.
Responding to these concerns, Graves said that resources now available for companies struck by a cyberattack are “unacceptable.” Under the proposed bill, companies such as Sony would have had “at least a shot” in disrupting the cyberattacks, he said. Private sector companies “need not be reliant on the federal government for total defense,” and the proposed bill would help develop the policy to give them “rights in the cyber realm,” Graves said.
To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com
To contact the editor responsible for this story: Donald Aplin at email@example.com
Text of the Active Cyber Defense Certainty Act discussion draft is available at http://src.bna.com/mJm.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.