New US legislation proposed by Representative Tom Graves, a Georgia Republican, would allow the victim of a cyber attack to take active countermeasures against the attacker’s computer without being guilty of a crime under the Computer Fraud and Abuse Act (CFAA). While hacking back might be might be an emotionally satisfying concept there are severe practical issues. Representative Graves has made it clear that this is a draft for discussion. Let’s take a look at what the legislation says, and what the negative implications might be.
The Active Cyber Defense Certainty (ACDC) Act (some acronyms are too good not to use) says that if you are a victim of a persistent intrusion in your systems, you can hack the attacker’s computer for the purposes of finding out who is doing it, and stopping them. There are limits to what you can do, though. You can’t destroy any data on the attacker’s computer and you can’t do anything that would cause anyone any physical harm. You could however, if you had the technical capability, take down the attackers’s network or render their computer unable to boot, so long as their data was still on the hard disk.
I think there are several major problems with this: the difficulty of attribution, the possibility of collateral damage, and the implications of nation state adversaries. Cloudmark regularly sees spammers using other people’s resources. A common technique is to hack into a web server running software without the latest patches, and use that to launch an attack elsewhere. Do the hacked computers then become the attackers computers under ACDC? If so would it be OK to launch a DDoS attack against them to disrupt the attacker? You would be attacking the websites of churches, schools, doctors, lawyers, therapists, cheerleaders, and even law enforcement. I don’t think that would be a good idea.
Most attackers are going to use one or more proxies that don’t belong to them to launch an attack, so going back to the original source could be very difficult. In the heat of trying to deal with a cyber attack it would be all to easy to lash out at some intermediary who is guilty only of failing to update their copy of Joomla. But even if you can exactly identify the attacker’s computer there is still the possibility of damaging other people in your counter attack. An attack may come from shared hosting or a cloud service with dozens of other users running on the same box. A counter attack on that IP address might deny services to many other users.
In fact, there is a long standing legal remedy for private enterprises that suffer from a nation state attacker, one that dates back to the fourteenth century, and is enshrined in the US Constitution. “The Congress shall have Power… To declare War, grant Letters of Marque and Reprisal…” Letters of Marque and Reprisal were normally issued to ship owners. It was a license for piracy, so long as the pirates only preyed on the enemies of the state issuing the license and kicked back a share of the booty to that state. That may sound terribly archaic, but it is almost exactly the terms that many Russian cybercriminals operate under. They are given free reign to prey on, say, American credit card companies, so long as they don’t harm any Russian businesses, kick back some roubles to the local law enforcement, and are available for some espionage on behalf of the state when asked.
The US could consider responding in kind. This would involve the threat of issuing Letters of Marque and Reprisal to Visa and MasterCard, giving them the right to hire hackers to prey on Russian banks and consumers for an amount similar to their losses through Russian credit card fraud. This might be enough to make Russia a little more proactive on shutting down their cybercriminal activities.
I think we should be thankful to Representative Graves for starting a discussion on this important matter. The legislation should be amended to make it clear that the “attacker’s computer” is one under the sole ownership and control of the hacker, and to allow hacking back for attribution only, and not to disrupt the attack. His legislation also does not really address the most serious threat, which is how the US companies should deal with nation state attackers.