Destruction, loss of data, intellectual property theft, fraud, embezzlement, disruption to business, restoration—globally, the costs of dealing with hacking, which were estimated at $3 trillion in 2015, are projected to double to $6 trillion annually by 2021 [1]. Yet under US law, it’s illegal to attack the hackers back.
Way back in February, a Georgia Republican introduced a bill to Congress to give legal protection to hacking victims who “hack back” at attackers. The bill is continuing to wend its way through the legislative process and might just end up (in some form) as a real law.
That’s right: you could hit the bad guys back—and hard.
The Active Cyber Defense Certainty (ACDC) Act [2] would amend section 1030 of the Computer Fraud and Abuse Act of 1986, which bars accessing a system that does not belong to you, or distributing code designed to enable unauthorized access to anyone’s system. If the bill passes, it will be legal to do both.
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Rep. Graves in a press release dated March 3, 2017.
ACDC would allow victims of cybercrime to gain unauthorized access to their attackers’ systems legally as long as their actions are only meant to identify the attacker or disrupt the attack. The bill doesn’t allow retaliation that destroys the attacker’s data, causes physical injury, or “creates a threat to the public health or safety.”
Though the bill may never become law in this form, it’s certainly opening discussions around “hacking back,” and raising awareness of the difficulty in stopping criminal cyber activity.
Attackers work anonymously and, largely, with impunity. Billions of dollars are stolen each year, with little to none of it recovered, and the criminals are rarely caught. Even when they are, it’s difficult to prosecute them—it can take years to track them down, build a case, indict and convict them. Moreover, some countries or regions tolerate—or even profit from—cybercriminals’ activities, and offer little help to or even thwart international law enforcement efforts.
If the incentives are good, and the risks low, powerful cybercrime syndicates will continue. And as things currently stand, the law limits CISOs’ options. The hope among leading CISOs is that shifting to offense will change the game. After all, the adversary remains ahead if you simply react to every problem defensively.
But hacking back raises serious practical problems. First, there’s the issue of “attribution”: how do you correctly identify your attacker? It’s not as easy as it sounds.
What if an attack comes from a botnet? Not one computer, but thousands or millions spread over the globe. Owners of botnet computers may not know they’re contributing to an attack. If your attacker is somewhere in the cloud, good luck finding her. Are you going to strike back against your cloud provider? They’re potentially innocent middlemen.
Second, ACDC wouldn’t cover striking back against one of the most common attacks, the distributed denial-of-service (DDoS) attack, because DDoS attacks don’t involve unauthorized access. And who are you going to blame? Typical DDoS attacks come from devices that are part of the Internet of Things (IoT). Say Grandma’s digital picture frame routed requests in a DDoS attack—are you going to hack back against Grandma?
Third, what if your attacker is not on US soil? You will not be legally protected if you’re retaliating in another country with different laws. In fact, you could find yourself being the one carted off by the police or buried in lawsuits.
If the problem is large, those with resources—primarily large IT vendors—will work with law enforcement to stop attackers. When your actions are sanctioned by the authorities, it isn’t vigilantism. It helps if you’re a large company with a good legal team. In fact, many large IT vendors hire ex-DOJ prosecutors and investigators as company liaisons with law enforcement.
For example, Microsoft security researchers aided international law enforcement agencies [3] to disrupt one of the most widely distributed malware families, “Dorkbot,” estimated to have infected more than one million PCs in more than 190 countries. In another instance, a collaboration [4] between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in the destruction of the notorious SIMDA botnet.
Some forms of hacking back are open to you even without the additional legal protection of the proposed ACDC law.
A less legally risky defense is to set up “honeypots,” or fake servers and services to lure attackers in. Once attackers have entered your network, you can sinkhole their traffic, feed them fake data, and confuse them with false systems. Studies have shown deceptive defenses do deter attacks. Best of all, deceptive defense would meet the goals of the ACDC, since you are simultaneously disrupting the attack and gathering information about the attacker.
Moreover, it’s passive, not active. With deceptive defense, you don’t go to them; the bad guys come to you. The disruption and spying happen on your equipment, on your premises, where you have a legal right to be—and the hacker doesn’t.
You can even put up warning banners: “Warning—this system is the property of XYZ bank. Unauthorized users consent to being recorded and allowing XYZ to take measures to disable unauthorized access to the extent necessary to stop the illegal activity and support law enforcement investigations.” An alert like this should get you off the legal hook for any defensive moves you make.
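What a minimal deceptive defense of the kind described above looks like in code: a decoy service that greets every peer with the warning banner, records the source address and the first line it sends, and replies only with canned fake data. This is an added example written for this article, not code from it or from any vendor; the organisation name, the listening port, the FTP-style refusal message and the sample source addresses (RFC 5737 documentation ranges) are all assumptions chosen for illustration.

```python
"""Deceptive-defence decoy: banner first, log every attempt, serve only fake data.
Added example for this article, not code from it. ORG_NAME, the port and the
FTP-style replies are illustrative assumptions."""
from __future__ import annotations

import socketserver
import threading
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

ORG_NAME = "XYZ bank"  # hypothetical organisation name for the banner


def make_banner(org: str = ORG_NAME) -> str:
    """Consent/warning banner sent to every peer before anything else
    (wording adapted from the article's example; have counsel review yours)."""
    return (
        f"WARNING: this system is the property of {org}.\r\n"
        "Unauthorized users consent to being recorded and to measures taken "
        "to disable unauthorized access to the extent necessary to stop the "
        "illegal activity and support law enforcement investigations.\r\n"
    )


class DecoyLog:
    """Thread-safe in-memory record of attempts. A real deployment would
    forward each event to the SIEM; the list here is for illustration only."""

    def __init__(self) -> None:
        self._events: list = []
        self._lock = threading.Lock()

    def record(self, src_ip: str, src_port: int, payload: bytes,
               when: Optional[datetime] = None) -> dict:
        """Store one attempt; the preview is truncated so a hostile payload
        cannot bloat the log, and decoded with replacement so it never raises."""
        event = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "src_ip": src_ip,
            "src_port": src_port,
            "bytes": len(payload),
            "preview": payload[:64].decode("ascii", "replace"),
        }
        with self._lock:
            self._events.append(event)
        return event

    def summary(self) -> dict:
        """Attempts per source address: what you hand to law enforcement or
        block at your own edge, both of which stay on your side of the line."""
        with self._lock:
            return dict(Counter(e["src_ip"] for e in self._events))


class DecoyHandler(socketserver.StreamRequestHandler):
    """Send the banner, read one line, log it, answer with a canned refusal.
    No real service or data sits behind this port."""

    def handle(self) -> None:
        self.wfile.write(make_banner().encode("ascii"))
        line = self.rfile.readline(1024)  # b"" if the peer only probed and left
        ip, port = self.client_address[:2]
        self.server.log.record(ip, port, line)
        self.wfile.write(b"530 Access denied.\r\n")  # fake FTP-style reply


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr: tuple, log: DecoyLog) -> None:
        super().__init__(addr, DecoyHandler)
        self.log = log


def demo_offline() -> dict:
    """Run constructed attempts (no network) through the log and return the
    per-source summary; addresses are from the RFC 5737 documentation ranges."""
    log = DecoyLog()
    log.record("203.0.113.5", 40001, b"USER admin\r\n")
    log.record("203.0.113.5", 40002, b"PASS hunter2\r\n")
    log.record("198.51.100.7", 5555, b"")  # connect-and-leave scan
    return log.summary()


if __name__ == "__main__":
    # Assumed decoy port; try it with `nc 127.0.0.1 2121` from another shell.
    with DecoyServer(("127.0.0.1", 2121), DecoyLog()) as server:
        server.serve_forever()
```

Everything the decoy does happens on your own host: it records who connected and what they tried, and the only thing it ever sends back is the banner and a refusal, which is the "identify and disrupt without leaving your premises" posture the article describes. The per-source summary is the artifact worth keeping, since it is what an investigation or an edge block list is built from.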
If it happens, the ACDC debate will be interesting to watch. The bill is unlikely to pass as written, but if it comes up for debate it is certain to spark discussion. In the meantime, CISOs have other options, such as deceptive defenses.
MODIFIED: Dec 19, 2017