Hack Back Bill Could Give Companies Vigilante Powers

Ed. Note: This article first appeared in Bloomberg

A House discussion draft bill that would give companies the power to hack back against cybercriminals needs further work to get broad support in Congress, a think tank technology policy specialist told Bloomberg BNA March 6.

Companies are often left guessing as to who to turn to in the wake of a cyberattack and have limited options for responding.

They may reach out to law enforcement authorities or share cybersecurity threat information with other government agencies but are not allowed to hack back against their attackers.

But the draft proposes giving companies and other entities the ability to strike back.

The Active Cyber Defense Certainty Act would amend the Computer Fraud and Abuse Act to give entities that are a “victim of a persistent unauthorized intrusion” against their “computers” the ability to infiltrate an alleged cybercriminal’s computer for attribution purposes or to disrupt a cyberattack.

It does not allow entities to destroy information stored on other computers, cause physical injury to others or create a public health or safety threat.

Rep. Tom Graves, who introduced the discussion draft, told Bloomberg BNA March 6 in a phone interview that the proposed bill is aimed at helping “business that are falling prey to cybercriminals.”

The draft comes after discussions with private-sector stakeholders who maintain that companies throughout the United States are “left with no rights to actively defend themselves” against costly cyberattacks, he said.

Concerns with the proposed bill may spark debate among stakeholders, policy advocates and members of Congress.

Denise Zheng, director and senior fellow of the technology policy program at the Center for Strategic & International Studies in Washington, told Bloomberg BNA March 6 that giving companies the ability to hack back against alleged cybercriminals may not be the best approach for active cybersecurity defense.

A better approach would involve a discussion between “law enforcement, various government agencies and critical infrastructure companies” to set up a “reasonable framework,” she said.

A bill that might have hope of passage in Congress would give only “very narrow” authority to certain critical infrastructure companies, which would work with law enforcement agencies to defend against the cyberattacks, Zheng said.

Critical infrastructure companies include internet service providers, chemical companies and energy companies, among others, according to a Feb. 12, 2013 presidential policy directive.

Attribution at What Cost?

The proposed bill would give companies resources to place attribution on foreign cybercriminals.

Attribution is important because it can help law enforcement agencies track down the nefarious actor before they harm other companies.

However, without proper oversight, that power may be too immense for most, Zheng said.

Such concerns were highlighted March 2 by retired general Keith Alexander, former director of the National Security Agency, former chief of the Central Security Service and former commander of U.S. Cyber Command.

Giving companies the ability to infiltrate computers of suspected hackers can be dangerous if a nation-state is on the receiving end, he said.

Alexander used the Sony Pictures Entertainment Inc. 2014 cyberattack as an illustrative example of the dangers behind such a measure.

If Sony had the power to hack into North Korean computers, the issue could have turned into a larger conflict, he said.

Responding to these concerns, Graves said that resources now available for companies struck by a cyberattack are “unacceptable.”

Under the proposed bill, companies such as Sony would have had “at least a shot” in disrupting the cyberattacks, he said.

Private sector companies “need not be reliant on the federal government for total defense,” and the proposed bill would help develop the policy to give them “rights in the cyber realm,” Graves said.

Posted by: The Trust Advisor
