Should We Legalize Cyber Self-Defense?
The last few years have been awash with headlines of data breaches and hacks. Banks, food chains, tech firms, everyone is now a target for cybercrime. Georgia Representative Tom Graves (R) has proposed an amendment to the Computer Fraud and Abuse Act (CFAA). The amendment would allow victims of a cyber attack to fight back.
The Computer Fraud and Abuse Act was written in 1986, and is both vague and outdated. Its vague wording allows prosecutors to seek severe punishment for many everyday activities. Fun fact: deleting your internet history is a felony.
“Fun fact: deleting your internet history is a felony.”
Cyber legislation is difficult to write, as there are many nuances and specifics to web technologies. Despite our shrinking level of privacy, politicians are eager to make new rules for the Internet. In 2015, the Cybersecurity Information Sharing Act (CISA) raised privacy concerns, but still passed. In December, President Obama signed an act allowing a single judge to let the FBI hack into botnets containing millions of computers.
Graves’ draft for the “Active Cyber Defense Certainty Act” (ACDC) has been gaining bipartisan support. The bill will change some of the rules and language in the CFAA, which is filled with problems. The ability to hack back after a breach is a much desired tool, but there are several arguments against it to consider.
The bill will allow victims to hack back in the event of a “persistent unauthorized intrusion” of a computer. A victim can collect information about the attacker to share with law enforcement. They may also “disrupt continued unauthorized activity against the victim’s own network”. The bill would not allow destroying information on another computer, causing physical injury or threatening public health or safety.
“Persistent” may be too broad a word for a hacking bill. An intrusion can last anywhere from seconds to years, so there is quite a sliding scale right now. Multiple intrusions and whether information is copied or destroyed are key in sentencing, but aren’t mentioned. The word “intrusion” will protect victims after unauthorized access, but not denial of service.
The bill also overlooks the very real chance of misattribution. Botnets and other web technologies make it difficult to pin down a smart hacker. There is a high chance that your attacker is a victim themselves, completely unaware of their part in the attack. Government intrusions are also exempt from hacking back, but it is difficult to know whether a cyber attack is from the government or not.
“The bill also overlooks the very real chance of misattribution.”
Jurisdiction is the next big problem, as many hackers lie outside of the United States. Hacking an attacker in another country could run afoul of international law, as hacking back is not allowed in many countries. Even worse if it happens to be a government entity.
There is also the issue of whether a victim has the skills to hack their attacker. Anyone can search for “hacking tools”, download something suspicious and wind up in worse shape than before. The victim could also alert the attacker, giving them the chance to cover their tracks. Trying to hack the hacker may lead to retaliation much worse than the first attack.
There are even concerns that the bill may become an affirmative defense for hackers. A hacker could claim that they were helping law enforcement or assisting victims as some sort of cyber vigilante. So long as they can convince the jury who shot first, they may be protected under the amended CFAA.
“A hacker could claim that they were helping law enforcement or assisting victims as some sort of cyber vigilante.”
The Active Cyber Defense Certainty Act is currently in a phase of public discussion. Anyone interested can provide feedback and recommendations. After initial critiques, Representative Graves still believes the bill is a good idea, and he will be submit in a few months. The bill is currently far from perfect, but it has a lot of potential for discussion. The bill’s draft can be found here.