hackback – Techdirt

Congressional Rep Pushes His 'Hack Back' Bill By Claiming It Would Have Prevented The WannaCry Ransomware Attack

from the yeah-probably-not dept

Legislator Tom Graves is pushing his cyber defense bill again. So far, his bill — which we covered here in March — is still in the drafting stages and has yet to be introduced. It has an unmemorable name (Active Cyber Defense Certainty Act), a much better acronym (ACDC), and a handful of ideas that are questionable at best.

The bill would amend the CFAA to give companies the ability to “hack back” to shut down attacks and identify the attackers. It would not allow them to go on the offense proactively and it doesn’t actually grant companies new statutory permissions. Instead, it provides them with an affirmative defense against CFAA-related charges, should someone decide to take them to court.

The good news about the bill’s slow crawl is it’s being rewritten before being introduced. According to the Financial Times, Graves and his team are consulting with cybersecurity experts to craft a better bill.

The Active Cyber Defense Certainty bill, co-sponsored with Arizona Democrat Kyrsten Sinema, is in its early stages. After consulting with cyber security executives at an event at the Georgia Institute of Technology, the bill is being redrafted to include safeguards such as the requirement for companies to notify law enforcement if they are using such techniques, so they can examine that they are being used responsibly.

However, Graves’ consultation process seems to begin and end here. There are many more security experts out there who believe this bill will do more harm than good and there doesn’t appear to have been much consultation with those who disagree with Graves’ beliefs.

The other questionable aspect of this renewed push for hack-back legislation is Graves’ belief this bill would have prevented something it likely wouldn’t have: the WannaCry ransomware attack.

Mr Graves said he believed the WannaCry ransomware, that hit the UK’s National Health Service and US companies including FedEx, may have been prevented if his bill had already been passed. “I do believe it would have had a positive impact potentially preventing the spread to individuals throughout the US,” he said. “Our proposal is to empower individuals and companies to fight back basically and defend themselves during a cyber attack.”

First off, nothing prevented companies and individuals from defending themselves from these attacks. Well, something did prevent them from defending themselves adequately, but the two entities most at fault were the NSA and Microsoft, with the former’s exploit making prodigious use of the latter’s security holes. Other defensive steps could have been taken in general, but Microsoft is the dominant force in business software, and the NSA itself was concerned this exploit might be too powerful and cause too much collateral damage.

Second, hacking back wouldn’t have halted the attack. What killed the attack wasn’t an attempt to track down the ransomware purveyors but rather an examination of the malware itself. A security researcher accidentally found a kill switch for the malware: an unregistered domain name, which he purchased in the hope of tracking the attack. It turns out that registering it also stopped the attack. No legal change was needed for that to happen. Even if Graves’ bill were law, it would have had nothing to do with ending the WannaCry attack. Certainly this won’t be the case in every attack, but the lessons learned from the WannaCry attack have almost nothing to do with the actions this legislator wants to make legal.

Filed Under: hack back, hackback, hacking back, tom graves, vulnerabilities, wannacry

FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks

from the dangerous-ideas dept

It’s no secret that some in the computer security world like the idea of being able to “hack back” against online attacks. The simplest form of this idea is that if you’re a company under a denial-of-service attack, should you be able to “hack” a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such “hack backs” because, among other things, CISPA would grant immunity to companies “for decisions made based on cyber threat information.” Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker.

A new article from Bloomberg suggests that companies are still quite eager to get involved in hacking back, and the FBI (which supported CISPA) is investigating some such cases where it may have happened. However, companies like JP Morgan still love the idea:

In February 2013, U.S. officials met with bank executives in New York. There, a JPMorgan official proposed that the banks hit back from offshore locations, disabling the servers from which the attacks were being launched, according to a person familiar with the conversation, who asked not to be identified because the discussions were confidential.

The article notes, of course, that such attacks likely violate the CFAA (Computer Fraud and Abuse Act), which is why some want immunity for hack backs. But it’s a bad idea not just because it likely breaks the law, but because it’s stupid and dangerous. First, accurately determining who is behind a hack is quite difficult — as we’re seeing lately with all the recent skepticism about the FBI’s claim that North Korea was responsible for the Sony Hack. Launching a counterattack against the wrong party can have serious consequences — even more so when those counterattacks might target actual nation states, rather than just a group of script kiddies.

On top of that, the article notes, the hack back attempt could make the situation even worse:

Efforts to retaliate can make things worse, [Kevin Mandia] said, because attackers who aren’t purged from the network could escalate the assault or ramp up attacks on other companies targeted by the same group.

And, of course, the very real possibility that the wrong party is targeted in the hack back can create all sorts of collateral damage. Remember when Microsoft took down many thousands of sites by mistargeting a court order? Imagine that without any court even being involved.

Finally, think through the obvious consequences of this. If you’re a malicious hacker, it suddenly becomes a great opportunity. Pick two separate targets you want to harm — then attack one and make it appear like the attack is coming from the other. Then sit back and watch the two of them duke it out while you laugh away.

Hacking back is a vigilante Hollywood movie-style idea that pays no attention to the realities of the technology or the consequences of the actions. Hopefully companies are smart enough not to follow through — and lawmakers prevent it from being protected by law.

Filed Under: cybersecurity, fbi, hack back, hackback, vigilantes
Companies: jp morgan