Vigilante Cybersecurity Hacking Back Debate Heats Up

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Companies facing cyberattacks may not have to resist the temptation to strike back to identify their adversaries if some businesses and federal lawmakers get their way. But some cybersecurity pros are concerned that loosing companies on their online enemies may be counterproductive.

As it stands now, a company can’t legally direct its internal cybersecurity teams to hack back by intruding into other computer networks to track down cybercriminals. The Computer Fraud and Abuse Act and analogous state laws prohibit such intrusions.

Whether to amend the laws to allow hacking back isn’t a new debate, but it has gained traction again due to large-scale cyberattacks, such as the WannaCry ransomware strike that affected over 300,000 computers in at least 153 countries.

David Leiter, president of public policy consulting company Plurus Strategies, told Bloomberg BNA that cybersecurity legislation is often “event-driven and can change on a dime due to external pressure.”

Leiter, who served as principal deputy assistant secretary at the Department of Energy under President Bill Clinton and as chief of staff to former Sen. John Kerry, said “it is important for companies to “get a seat at the table” and “maintain contact with policymakers, stakeholders, and federal agencies.” He didn’t direct his comments towards specific legislation.

Rep. Tom Graves (R-Ga.) is working on a bill, the Active Cyber Defense Certainty Act, to provide a legal defense under CFAA for companies that hack back in order to identify intruders. Based on “feedback from Congress, policymakers, and cybersecurity experts,” changes to a discussion draft of the legislation are underway, Graves told Bloomberg BNA. The bill should be finalized “in the next week or two,” he said. Graves said he expects the bill to get support from both sides of the aisle because cybersecurity “is not a partisan issue in any way.”

Not everyone, though, supports letting companies hack back.

When companies start looking for the source of a cyberattack, it’s similar to “walking into a bullfight with a big red flag saying ‘here I am'—It’s a very unsmart move,” Stu Sjouwerman, founder and CEO of cybersecurity training company KnowBe4 Inc. in Clearwater, Fla., told Bloomberg BNA.

Opposition to Hacking Back

In 2015, the Department of Justice’s cybersecurity unit issued cyberattack response guidance that said companies shouldn’t “hack back” or adopt counter-cybersecurity measures because doing so may violate state, federal, or international law.

Hacking back also recently drew a warning from Adm. Michael Rogers, National Security Agency director and head of U.S. Cyber Command, who told a House Armed Services subcommittee May 23 that he was concerned about companies taking cybersecurity countermeasures into their hands.

The U.S. shouldn’t put “more gunfighters out on the street in the Wild West,” and taking defensive actions against nation-states or foreign adversaries has been “a mission or a right of a sovereign state, not something the private sector does,” he said.

Graves said his proposed legislation would give companies a defense against CFAA prosecution only when “no damage is done and no information is destroyed.” Companies would have to “operate within the restrictions,” and if they “cause damage or entered the wrong system then they would be responsible” under the law, he said.

An FBI spokesman told Bloomberg BNA that the agency doesn’t “comment on proposed legislation.”

Puzzling Attribution Maze

The WannaCry ransomware attack has shown that attribution, even after a global hacking attack, is a tough task. Although Symantec Corp. and other cybersecurity researches have pointed to North Korea as the likely aggressor, others doubt that connection.

Sjouwerman told Bloomberg BNA that the internet is the “ultimate hall of smoke and mirrors,” and it is very hard to find “verifiable and correct attribution.”

Michael R. Overly, cybersecurity and intellectual property partner at Foley & Lardner LLP in Los Angeles, told Bloomberg BNA that Graves’ proposed legislation, if passed, might “result in harm to innocent systems” due to problems with attribution. Often times, hackers are able to hide their actual location, he said.

Having companies that might not be sophisticated enough to untangle the evasion techniques of cybercriminals look for the source of a cyberattack “is not the best way to proceed,” Overly said. Instead, before spending “dollar number 1 on hacking back,” companies should first invest in cybersecurity defensive basics, such as running up-to-date software, downloading security updates, creating a response plan, and training staff, he said.

International Concern

Overly said that many of the large-scale cyberattacks to date, such as WannaCry, started outside of the U.S. If Graves’ proposal became law, companies would have to be careful to not violate the laws of foreign countries or international treaties, he said.

Cybersecurity is a world-wide problem, and the U.S. would need to enact treaties and international deals so countries wouldn’t bring criminal charges against companies and their employees, Overly said. Companies could run into international pressures and potentially violate foreign laws—even if a hack back law is enacted in the U.S.

Sjouwerman said companies may ask themselves, “Now what?” even if they can successfully attribute a large-scale cyberattack to a specific country or set of actors. They may also find that they don’t want to deal with foreign nation-state adversaries such as Russia, he said.

What may start as a small intrusion to find attribution can turn into many “unintended consequences,” Sjouwerman said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The discussion draft of the Graves legislation is available at http://src.bna.com/phr.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security