The concept of “hacking back,” often called “the worst idea in cybersecurity,” has resurfaced in Washington.
Rep. Tom Graves, R-Ga., is reintroducing a bill Thursday that would allow companies to go outside their own networks to identify their attackers and possibly disrupt their activities. Graves has made previous attempts to legalize the practice; under current law, “hacking back” is a violation of the Computer Fraud and Abuse Act. The CFAA, enacted in 1986, makes it illegal to access computers without authorization.
Graves told CyberScoop the bill is necessary in part because companies are left without recourse when they are attacked.
“Where do they turn — can they call 911? What do they do?” Graves said. “They have nowhere to turn.”
Graves says the bill is also needed because, by his account, companies are already hacking back and have no guidelines for doing so.
“We know…this is already occurring and unfortunately it’s occurring in a gray area in which there aren’t guardrails in place and there’s not rules of the road,” Graves said. “What we’re attempting to do is make permissible … activities that can occur outside of one’s network, while at the same time having liability and privacy protections in place.”
The bipartisan bill, which has 15 cosponsors, would also allow companies to monitor attacker behavior. If the bill becomes law, Graves hopes companies will gather information about their attackers and share it with the federal government, though the bill does not mandate that they do so.
Since Graves last introduced the bill, the U.S. government’s approach to offensive cyber-operations has started to change.
U.S. Cyber Command has gained new authorities that allow it to conduct more offensive cyber-operations. Just this week, White House National Security Adviser John Bolton said the U.S. is broadening the focus of its offensive cyber-operations beyond election security to respond offensively to economic cyberthreats as well.
“You’re seeing a complete evolution of acceptance of this concept,” Graves said. “[Bolton] is in essence echoing the thoughts and the concepts of the act.”
Critics have long warned that letting private companies conduct offensive cyber-operations, on top of the work the government is already doing to defend networks, could create unwanted chaos.
“If such legislation passes, we run the risk of a future of cyber crossfire – where businesses, organizations, and governments alike will suffer operational downtime inflicted by incorrect targeting,” Justin Fier, Darktrace’s director for cyber intelligence and analysis, told CyberScoop.
Fier added that hacking back is a dangerous idea because the perpetrators of cyberattacks go to great lengths to obscure their identities, so a counterattack aimed at the apparent source is likely to land on a third party whose systems the attacker compromised.
“The art of making an attack look like it is coming from someone else is fairly straightforward,” said Fier. “It is simple to run a false flag operation, and threat actors know to never attack from their own infrastructure, but instead use other people’s infrastructure, usually unwittingly, to further hide from detection.”
There have also been critics of the concept inside the federal government. FBI Director Christopher Wray has indicated the FBI is not supportive of hacking back.
“We don’t think it’s a good idea for private industry to take it upon themselves to retaliate by hacking back at somebody who hacked them,” Wray said during an April event hosted by the Council on Foreign Relations.
Alongside Wray, many cybersecurity researchers and government officials think this kind of proposal should be dead on arrival, in part because they do not trust companies to know who attacked them.
David Hogue, senior technical director at the National Security Agency’s Cybersecurity Threat Operations Center, told CyberScoop he is wary of hacking back because attribution remains difficult.
“Attribution is really hard and you have to be absolutely certain that you’re going after who you think it is,” said Hogue, who led the NSA’s attribution of the 2014 Sony attack.
The bill’s text says only those who are “qualified defenders with a high degree of confidence in attribution” should be hacking back. When asked whether the government could limit who is allowed to hack back based on their technical ability to attribute an attack, Graves said he had considered it but that such language is not in the bill text at the moment.
“We grappled with that a little bit and decided to leave that up to the legislative process whether or not a certification process was necessary,” Graves told CyberScoop.
Other critics point to better defenses, not hacking back, as the way to deter adversaries.
“If you’re hacking back, first of all you didn’t do your job from a network defense perspective,” the NSA’s Hogue told CyberScoop.