Rep. Tom Graves (R-Ga.) has released the second discussion draft of legislation to legalize "hacking back," which would allow victims of cyber crimes to hack their adversaries.
Graves said he wanted to show that the legislation won't lead to a free-for-all online.
“I wanted people to have a chance to see that it wasn’t the Wild West,” he said of the Active Cyber Defense Certainty (ACDC) Act.
Hacking back is a touchy subject in cybersecurity circles. Many believe equipping even more people to go on the cyber offensive will lead to escalations of conflict and more collateral damage for only a negligible gain in security.
Graves has released two discussion drafts and held his own hearing on the issue at Georgia Tech, hoping to prove that “initial, reflexive response” is “not what we’re doing, whatsoever.”
The ACDC Act permits hacking back in limited circumstances. Victims cannot launch destructive attacks other than to delete their own files from other systems. And hacking is only permitted to locate the attacker by installing a tracking beacon or to cut off an attack.
Graves put out the second draft legislation on Thursday, two days after NSA Director Michael Rogers said he was skeptical of the first draft of the bill.
“My concern is, be leery of putting more gunfighters out in the street in the Wild West. As an individual tasked with protecting our networks, I’m thinking to myself — we’ve got enough cyber actors out there already,” said Rogers.
Graves is confident the bill will not turn networks into the O.K. Corral.
“To put a belt and suspender on it not being the Wild West, businesses must notify the [Department of Homeland Security] whenever they take action,” he said.
But experts have their doubts.
“A fundamentally bad idea isn’t a better idea just because you add protections,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.
“I don’t think sanctioning online vigilantism will work no matter what protections are put in place.”
Galperin referred to hacking back as “security theater” meant to appear to solve a problem rather than actually solve it and a “zombie idea” that keeps coming back despite industry consensus it needs to die. She, along with other critics of the idea, notes that there are limited scenarios where hacking back is technically appropriate, even to attribute an attack to a specific actor.
“I perform attributions all the time,” she said, “and I’ve never needed to install a tracking beacon to do it.”
Hackers often use one server they have hacked to launch attacks on another server. In those cases, hacking back could be damaging to another victim.
Mike Overly, a partner at the law firm Foley and Lardner with a bevy of information security certifications, says he believes the bill might be useful to large companies that are already security savvy. But in most cases — including anyone who was a victim of the WannaCry ransomware attack — companies will get more mileage out of investing in basic cybersecurity practices.
“The biggest problem is that businesses might take their eyes off the ball. A better strategy is to take basic security precautions,” he said.
All victims of WannaCry had failed to update Windows to a version that could repel the attack.
And, he notes, hacking back is mostly useful in fending off or identifying single attackers, something not always the case in attacks that are commonly led by criminal enterprises or even nations.
“Against a distributed group of people, you might shut down a single person, but not the whole network,” he said.
Graves acknowledged that hacking back would neither be the first line of defense nor the most appropriate strategy for every scenario. But he still feels there is a worthy role for techniques that fit some attacks, even if they do not fit all of them.
“This is just another tool in the toolbox,” he said. “But the No. 1 protective measure is good cyber hygiene.”