If there were a prize for the worst cybersecurity policy idea that just won’t die, it would have to go to “hacking back,” or making it legal for people to attack the computers that are attacking them. This idea has been around for years, which means that for years, people have been warning that this is a very bad idea—it’s not the first time I’ve written about this topic myself. But it’s a strangely persistent piece of policy, regardless of the fact that it’s been condemned by just about everyone, including law enforcement, and openly endorsed by almost no one.
Just last week Reps. Tom Graves, R-Georgia, and Kyrsten Sinema, D-Arizona, introduced a revised version of the Active Cyber Defense Certainty Act (an update of a bill discussion draft that Graves proposed back in March). It’s nice to see some bipartisan teamwork on an issue in these highly partisan times, but a pity to see it wasted on such a foolhardy endeavor.
The ACDC Act (please, go ahead and eye-roll that initialism) attempts to carve out some exceptions to the Computer Fraud and Abuse Act, the U.S. anti-hacking statute, which essentially makes it illegal to access computers that don’t belong to you without permission (or “authorization”). The bill would roll back that restriction to allow companies to access computers that don’t belong to them in the name of self-defense or, as the bill calls it, “active defense.” (Active defense, for those not familiar with cybersecurity euphemisms, is the polite term for offense. It’s meant to convey that you’re just protecting yourself, not attacking anyone, even though, of course, you are attacking someone—that’s what makes it so “active.”)
Most people have interpreted the CFAA to mean that companies (and individuals) are allowed to protect their computers and data only by taking measures confined within the boundaries of their own network. So it’s fine to monitor unusual traffic patterns, or encrypt data, or implement strong authentication systems—those are all things that only require accessing your own servers and data. But going outside the boundaries of the computers and data that you own to target people who have stolen your data, or are trying to steal your data, could be considered illegal hacking under the CFAA. Enter the ACDC Act.
The ACDC Act clarifies “the type of tools and techniques that defenders can use that exceed the boundaries of their own computer network.” In particular, it specifies that people facing criminal charges under the CFAA for illegal hacking can defend themselves by claiming that their activities were just “active cyber defense measures.” According to the bill’s text, the accused would have to show that they were the victims of a “persistent unauthorized intrusion” directed at their computers.
In short, if someone has compromised your computers and stolen some of your data or is bombarding your servers with a denial-of-service attack, the ACDC would make it legal for you to access their servers and delete the files that they stole from you, or bombard their servers to interrupt the ongoing attack.
There are also some limitations placed on what can be considered an “active cyber defense measure.” To be active defense, the measure has to either help establish attribution of the attack, disrupt an ongoing attack, or “monitor the behavior” of the attacker in order to help develop better defensive methods. Things that do not qualify as active defense include: creating a threat to public health or safety, recklessly causing physical injury or financial harm, deliberately accessing an intermediary’s computer, or destroying information stored on the attacker’s computers that does not belong to the victim. (This can get a little confusing to write about because the terms “victim” and “attacker” lose all meaning when we’re talking about hacking back. If A hacks B and then B hacks A back, then, according to the language of the ACDC Act, B is the victim and A is the attacker. But once the hacking back—I mean, the active defense—starts, then the reverse is also, of course, true.)
This might all seem reasonable at first glance, but it’s a highway to hell. I am thunderstruck by how terrible it is. At its heart it would just serve as an excuse to let anyone access anyone else’s computer systems with impunity. Want to go after a competitor? Stage an attack directed at yourself coming from their servers, and then hack back! Or plant some of your sensitive files on their computers and then go in and delete them and monitor their behavior while you’re at it (all in the name of building better defenses). Of course, once that company realizes what’s going on, it may decide to take matters into its own hands and indulge in a little active defense directed at you. What could go wrong?
But don’t worry, Congress has anticipated all these problems (maybe because people have been pointing them out, repeatedly, for the better part of a decade). The bill’s authors include this incredibly vague safeguard in its text: “Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.” It’s unclear what constitutes a qualified defender in Congress’ view, much less a “high degree of confidence in attribution.” Attribution is really, really hard. Not to mention that part of the bill’s explicit purpose is legalizing hacking intended to help gather information about attribution. Why would anyone hack back to gather information about attack attribution if hacking back is only legal when victims are absolutely, 100 percent positive they know who the perpetrator is in the first place?
I could go on and talk about how legalizing this type of activity under U.S. law doesn’t mean that people who practice active defense won’t be breaking laws in other countries. (Don’t worry, Congress has thought of that too; the bill warns that defenders should “exercise extreme caution to avoid violating the law of any other nation.” That’ll fix it!) Or how this would make the work of law enforcement harder, not easier—a point the FBI has already made.
But what’s really incredible about the ACDC Act is not how terrible its proposals are, but that Congress is still taking them seriously after years of people pointing out how terrible they are and in the absence of any clear demand. The ACDC Act authors have clearly heard all these concerns, but their only response seems to have been inserting tepid language into the draft advising active defenders to exercise “extreme caution.” The rationale behind hacking back is supposed to be that the U.S. is full of highly sophisticated technical companies with the ability to do much more advanced and effective cybermaneuvers than the slow, bureaucratic law enforcement agencies. But if those sophisticated tech companies are eager to be doing active defense, they certainly haven’t been vocal about that desire or publicly endorsing proposals like the ACDC.
When I last wrote about hacking back legislation, I spoke with Greg Nojeim, the director of the Freedom, Security, and Technology Project at the Center for Democracy and Technology, and asked him who he thought was lobbying for this kind of regulation. Nojeim, who has been working on cybersecurity policy in Washington for years, told me: “I haven’t heard from particular companies that they want to have that activity authorized. I just have not heard the proponents of that position other than some academics, one or two think tanks, and Stewart Baker.” Baker is a lawyer and former homeland security assistant secretary under George W. Bush who is probably the most vocal supporter of hacking back.
No one wants this law. Or, at the very least, almost no one, except Stewart Baker, is willing to admit they want this law, which is pretty damning in itself.
And yet, even though the companies that would presumably be hacking back, were it legal, have not publicly expressed any need for such a statute, it turns out to be the rare issue that Congress members from both parties can rally around right now. In fairness to Graves and Sinema, there are some reasonable things in the ACDC Act text: It still allows for civil suits against active defenders, and it permits “beaconing” tools that help defenders locate their stolen data, after it has been stolen. Though it’s not at all clear that attaching “beacon” code to your sensitive data while it’s stored on your system was illegal in the first place.
But at its core, the ACDC Act is a bill that would open the door for much more misbehavior online and even greater obstacles to trying to charge the offenders and hold them responsible. Hells bells. It’s hard to fathom why, in 2017, Congress is taking up this idea, unless members are so completely out of ideas for cybersecurity that they’re stuck recycling the worst ones over and over again.