Over two years ago, two U.S. Representatives first introduced the Active Cyber Defense Certainty Act (ACDC), also known as the ‘hack back’ bill. In short, the proposed bill would provide a legal defense to companies that are victims of fraud, allowing them to take aggressive defensive action beyond the traditional "detect and report" mode we operate in today, in cases where self-defense is ‘clearly justified.’ The bill is still in discussion and, if passed, it would amend the Computer Fraud and Abuse Act.
Companies must be aware of the full implications of this complicated bill and understand that having the right security policies, programs and tools in place to properly protect data is still the best line of defense. If any ambiguity remains in this bill, companies may end up throwing gasoline on their own fire by unknowingly overstepping their legal bounds and as a result, find themselves facing issues of fraud or even a lawsuit.
Drink from the Firehose
As we have seen with the implementation of GDPR, interpretation, case law and industry adoption take time. There is often vagueness in the language of new bills, especially when they are still in draft form.
In the words of Representative Graves, who reintroduced the bill to the U.S. Congress: “Legal defense for such access in cases where self-defense is clearly justified.” This raises the moral debate: are you allowed to shoot the robber because they are committing a crime and you are afraid, or do you have to wait for the robber to shoot you first before taking action?
The concept of standing your ground is different in every state, and as such, every company might have a different understanding of what “self-defense” means.
As the legal boundaries are not yet defined in case law, early adopters will need to protect themselves through legal interpretation ahead of time, strong rules of engagement, and adherence to their industry vertical’s best practices should something go wrong. While these uncertainties exist, a rapid adoption of active defense could land a company in the middle of the legal battle over how the bill is to be interpreted.
While hacking back allows companies to actively defend themselves, it will likely also be accompanied by the responsibility to report appropriately to law enforcement. It is easily conceivable that companies will learn extremely valuable information about the way in which cyber-criminals are targeting U.S. organizations, or about the identity of these cyber-criminals, and it is critical that this information be shared through the appropriate channels. If not, companies could purposefully withhold information about the way in which criminals are targeting a specific sector in the hope that their competitors fall under attack.
Any company that chooses to take on hacking back should be required to report all findings. Additionally, a training or certification program should be required for all companies that decide to hack back to ensure the correct parties are in the know.
Fire risk assessment
If the bill passes, companies that fall under attack will need to weigh their options to hack back carefully. Below are some considerations companies should keep in mind:
- What do you hope to achieve by active defense? This can be an extremely expensive and risky undertaking, so companies must have a clear, specific objective, especially because the money put towards hacking back could instead be put towards stronger security controls to thwart future attacks. Attackers are well versed in their attack methods, so figuring out who is really behind the keyboard and computer screen is almost impossible. Your active defense response could harm an innocent pass-through victim whose systems are unknowingly being used as a pawn.
- How reliable is this attribution, and are beacons fool-proof? Active defense strategies build on the expectation that attribution is reliable, yet beacon infrastructure will inevitably come under attack by advanced adversaries, as attackers can always find ways to disable or evade it.
- Is your company doing enough to protect its cyber hygiene? Most data breaches occur because of simple security failures in areas such as asset management, patching, security testing and incident response. Your organization should be confident that all security controls are mature before investing in active defense. Hacking back is an extremely mature form of security, and until you have the fundamentals in place, you are probably not well-equipped to take on this new beast.
The active defense bill affords companies new legal grounds to protect themselves, but there is still a lot to consider and preparations to be made. Before diverting funds towards hack back activity, organizations should think about safer ways to drive that maturity, such as outsourcing basic hygiene and using automation-based adversarial emulation to grow confidence in their defenses, and only then shifting to advanced defense capabilities like active defense and deception.
By continuously testing security controls, organizations can easily identify and remediate security issues before they become a serious problem.