An amendment to Title 18 of the United States Code has been proposed by Congressman Tom Graves of Georgia. If passed, the bill will give permission to companies and individuals to try and identify the computer or location of a cyber-attack against them.
A revised draft, published on 25th May 2017, allows the use of beaconing technology, creates a mandatory reporting requirement and adds further measures intended to limit collateral damage.
The purpose of this bill is to help law enforcement with information gathering in the event of a hacking and to disrupt any continued unauthorized access or activity from the hacker.
On the surface, this bill allows a victim to identify the attacker, work with law enforcement to stop further intrusion and retrieve any stolen data – essentially meaning you can ‘hack back’. But isn’t this just fighting fire with fire? What can be achieved from this in the long term?
Why Hacking Back Might Be a Bad Idea After All…
The cybersecurity community got very vocal over this draft bill and together came up with many compelling reasons why hacking back might not be the best idea. I am summarizing these below.
Compromising Forensic Evidence
Whether the victim is an inexperienced individual or a highly technical enterprise, the potential for compromising forensic evidence has to be addressed. This draft bill is supposed to help victims work together with law enforcement, but if the evidence is tampered with in a way that makes it inaccessible to a court when charging a cyber-criminal, what use will this bill really have?
Difficulty Accurately Targeting Hackers
Often, a hacker will launch an attack from a server that does not belong to them. Thus, a hack back would mean intruding into an innocent third party’s server.
This becomes more difficult still in the world of IoT, where many unwitting devices enrolled in a botnet are used to create a cyber-attack, as with the Mirai malware. The owners of these devices are as much victims as anyone else, and hacking them back could cause them harm.
Difficulty Determining Foul Play and Appropriate Action
If the “hack back” law is accepted, companies and individuals could use this as their de facto response instead of considering their other potential options.
This is a scary thought, especially when there are many security researchers, hackathons and white hat hackers searching for vulnerabilities and testing exploits. Since their aim is to find a vulnerability and report it, it may not be necessary to “hack back”, but companies might not give themselves any time to figure this out before responding.
Wasting Precious Time and Resources
In the case of companies that hack back, it has been argued that significant internal resources will be wasted. If you have already lost your valuable data and probably had some downtime as a result, how will hacking back achieve anything positive for your business?
Resources and time should instead be spent on incident response, disaster recovery and ensuring that your customers are notified and that the impact on your products and services is kept to a minimum.
In the case of individuals and small businesses, the lack of knowledge, tools and resources could result in further damage and make them more vulnerable to attack, as hackers are more likely to target those with fewer resources to track them down. Your time is probably best spent on preventing the hacks in the first place.
Potentially Breaking the Law in Other Nations
If you live in, or your business operates in the United States, who’s to say that your hacker isn’t in the Netherlands? Hack back techniques could be crossing a legal boundary in another state or nation and therefore lead to you breaking the law. That is to say, just because the hack back law is allowed in the United States, does not mean your actions would not be illegal in another region.
Terminology of Bill Not Clear
The draft bill defines a ‘victim’ as:
An entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer.
It could be argued that the term ‘intrusion’ does not apply to the use of botnets or DDoS attacks, but that has not been made clear. Nor has the term ‘persistent’: does this mean you need to identify several attempts to get into your system before you hack back?
The Risks Outweigh the Benefits
A short risk assessment will clearly show that “hack back” campaigns, especially by organizations (but also by individuals), could actually hinder the investigation of the criminal and cost you time, money and resources that you won’t get back.
Instead of revenge hacking, let’s focus efforts on better security and better processes which will minimize impact to your company and customers.
What are your thoughts about this hack back bill? Please let me know in the comments or on Twitter @globalsign and let's start a discussion!