In spite of the billions of dollars companies collectively spend each year on cyberdefenses, hackers keep defeating them. This week Clarkson, the world’s largest shipbroker, said it had been the target of a cyberattack. Uber, meanwhile, has come under fire from regulators and others for covering up a massive hack for over a year (see “Uber Paid Off Hackers to Hide Massive Data Breach”). Law enforcement agencies investigating digital crimes are overwhelmed. All this has sparked renewed interest in “hacking back”—or allowing the victims of breaches to pursue attackers through cyberspace themselves.
Today, such vigilantes would be breaking the Computer Fraud and Abuse Act (CFAA), a law that makes it illegal to access third-party computers without prior authorization. Draft legislation currently making its way through the House of Representatives aims to change that. The Active Cyber Defense Certainty (ACDC) Act would let victims access computers that aren’t theirs in order to track down digital assailants and stolen data. The act, which has been through several revisions, was introduced by Tom Graves, a Republican, and is cosponsored by Kyrsten Sinema, a Democrat. It’s recently picked up additional supporters on both sides of the political spectrum.
Past efforts to promote hacking back have foundered, in part because of concerns about collateral damage. Hackers typically cover their tracks by routing attacks through other people’s machines—in some cases, many thousands of them—without the owners’ knowledge. Companies chasing digital intruders need to get access quickly to the same devices, which could be anything from baby cams to home routers and sensitive medical equipment. But in their rush to get even, they could easily knock these offline or worse.
Garrett Hawkins, a spokesman for Graves, says the ACDC Act has multiple “guardrails” designed to prevent such problems. The draft legislation would give immunity under the CFAA only to what it calls “qualified defenders” who are very confident they know the identity of their attackers. It also says that in pursuing hackers, the victims can’t use any technique that “recklessly causes physical injury or financial loss.” Nor can they use any tactic to access third-party computers that “intentionally exceeds” what’s needed to help them conduct reconnaissance on intruders.
Elsewhere, the bill stipulates that defenders must notify the FBI of their plans to hack back. But they don’t need to wait for a green light from the Feds to delete stolen files or target hackers’ servers to disrupt an ongoing attack.
Hawkins says that in crafting the draft legislation, Graves’s team reached out to a number of business leaders and policy experts. Asked if any of those business leaders would go on the record to support the bill, he says that because hacking back is a legal gray area right now, “lots of companies won’t be vocal about it.”
Another explanation for their silence is that they don’t want to be associated with a bill that would make things far worse rather than better if it became law. The legislation is so vaguely worded—for instance, it doesn’t define what constitutes a “qualified defender”—that it would give pretty much anyone suspecting a hack an excuse to access other people’s devices. Those who caused damage while doing so could always claim it was an accident rather than a deliberately reckless act.
There are plenty of other reasons why legalizing hacking back would backfire. Robert Chesney, a professor at the University of Texas School of Law, points out that sophisticated hackers are bound to lay all kinds of traps for inexperienced pursuers. For example, victims could be tricked into deleting material that isn’t theirs. Hackers also often route attacks through multiple countries, so Americans pursuing them could fall afoul of other national laws that ban such activity.
Even assuming victims can identify their assailants, which is often incredibly hard to do, picking a fight with them may lead to a damaging escalation of hostilities. And if companies weren’t able to defend themselves in the first place, it’s unlikely they’re going to come off best in a digital firefight. “It’s like following a criminal back to their lair after they’ve broken into your home and stolen your property,” says Mark Weatherford, a former senior official at the Department of Homeland Security who is now at vArmour, a cloud security firm. “You simply don’t know what kind of enemy you’re going to face and how well they’ll be armed.”
Weatherford, like many other cybersecurity experts, thinks the job of pursuing hackers should be left to government agencies with the relevant technical expertise and diplomatic tools. There have even been calls for an international agreement to try to coordinate such efforts (see “Do We Need a Digital Geneva Convention?”).
The challenge is to make sure the FBI and other agencies have sufficient resources to cope with a tsunami of hacking activity. Among the provisions of the ACDC Act is a section that would require the Department of Justice to produce an annual report highlighting, among other things, the total number of investigations opened into computer fraud crimes by agencies charged with policing them, and the number of law enforcement personnel assigned to investigate and prosecute cybercrimes. This push for greater transparency is the only bit of an otherwise deeply flawed bill that’s actually worth supporting.