Companies facing cyberattacks may not have to resist the temptation to strike back to identify their adversaries if some businesses and federal lawmakers get their way. But some cybersecurity pros are concerned that loosing companies on their online enemies may be counterproductive.
As it stands now, a company can’t legally direct its internal cybersecurity teams to hack back by intruding into other computer networks to track down cybercriminals. The Computer Fraud and Abuse Act and analogous state laws prohibit such intrusions.
Whether to amend the laws to allow hacking back isn’t a new debate, but it has gained traction again due to large-scale cyberattacks, such as the WannaCry ransomware strike that affected over 300,000 computers in at least 153 countries.
David Leiter, president of public policy consulting company Plurus Strategies, told Bloomberg BNA that cybersecurity legislation is often “event-driven and can change on a dime due to external pressure.”
Leiter, who served as principal deputy assistant secretary at the Department of Energy under President Bill Clinton and as chief of staff to former Sen. John Kerry, said it is important for companies to “get a seat at the table” and “maintain contact with policymakers, stakeholders, and federal agencies.” He didn’t direct his comments towards specific legislation.
Rep. Tom Graves (R-Ga.) is working on a bill, the Active Cyber Defense Certainty Act, to provide a legal defense under CFAA for companies that hack back in order to identify intruders. Based on “feedback from Congress, policymakers, and cybersecurity experts,” changes to a discussion draft of the legislation are underway, Graves told Bloomberg BNA. The bill should be finalized “in the next week or two,” he said. Graves said he expects the bill to get support from both sides of the aisle because cybersecurity “is not a partisan issue in any way.”
Not everyone, though, supports letting companies hack back.
When companies start looking for the source of a cyberattack, it’s similar to “walking into a bullfight with a big red flag saying ‘here I am’—It’s a very unsmart move,” Stu Sjouwerman, founder and CEO of cybersecurity training company KnowBe4 Inc. in Clearwater, Fla., told Bloomberg BNA.
In 2015, the Department of Justice’s cybersecurity unit issued cyberattack response guidance that said companies shouldn’t “hack back” or adopt counter-cybersecurity measures because doing so may violate state, federal, or international law.
Hacking back also recently drew a warning from Adm. Michael Rogers, National Security Agency director and head of U.S. Cyber Command, who told a House Armed Services subcommittee May 23 that he was concerned about companies taking cybersecurity countermeasures into their own hands.
The U.S. shouldn’t put “more gunfighters out on the street in the Wild West,” and taking defensive actions against nation-states or foreign adversaries has been “a mission or a right of a sovereign state, not something the private sector does,” he said.
Graves said his proposed legislation would give companies a defense against CFAA prosecution only when “no damage is done and no information is destroyed.” Companies would have to “operate within the restrictions,” and if they “cause damage or entered the wrong system then they would be responsible” under the law, he said.
An FBI spokesman told Bloomberg BNA that the agency doesn’t “comment on proposed legislation.”
The WannaCry ransomware attack has shown that attribution, even after a global hacking attack, is a tough task. Although Symantec Corp. and other cybersecurity researchers have pointed to North Korea as the likely aggressor, others doubt that connection.
Sjouwerman told Bloomberg BNA that the internet is the “ultimate hall of smoke and mirrors,” and it is very hard to find “verifiable and correct attribution.”
Michael R. Overly, cybersecurity and intellectual property partner at Foley & Lardner LLP in Los Angeles, told Bloomberg BNA that Graves’ proposed legislation, if passed, might “result in harm to innocent systems” due to problems with attribution. Oftentimes, hackers are able to hide their actual location, he said.
Having companies that might not be sophisticated enough to untangle the evasion techniques of cybercriminals look for the source of a cyberattack “is not the best way to proceed,” Overly said. Instead, before spending “dollar number 1 on hacking back,” companies should first invest in cybersecurity defensive basics, such as running up-to-date software, downloading security updates, creating a response plan, and training staff, he said.
Overly said that many of the large-scale cyberattacks to date, such as WannaCry, started outside of the U.S. If Graves’ proposal became law, companies would have to be careful to not violate the laws of foreign countries or international treaties, he said.
Cybersecurity is a world-wide problem, and the U.S. would need to enact treaties and international deals so countries wouldn’t bring criminal charges against companies and their employees, Overly said. Companies could run into international pressures and potentially violate foreign laws—even if a hack back law is enacted in the U.S.
Sjouwerman said companies may ask themselves, “Now what?” even if they can successfully attribute a large-scale cyberattack to a specific country or set of actors. They may also find that they don’t want to deal with foreign nation-state adversaries such as Russia, he said.
What may start as a small intrusion to find attribution can turn into many “unintended consequences,” Sjouwerman said.
To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com
To contact the editor responsible for this story: Donald Aplin at email@example.com
The discussion draft of the Graves legislation is available at http://src.bna.com/phr.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.