A bill recently proposed by Rep. Tom Graves, R-Ga., that would allow companies victimized by hackers to take “active cyber defense measures,” is now gaining bipartisan support, according to the congressman.
Graves told CyberScoop he has received “positive feedback for the concept from both Republican and Democrat members” and “significant interest from the public, business community and academic researchers.”
Interest in the bill, Graves explained, reflects a “growing recognition that current federal law doesn’t provide an adequate deterrence for criminal hacking.”
“With less than 1 percent of criminal hackers being prosecuted, there is a growing consensus that we need to determine a better way to impose costs to deter their behavior. Self-defense is one method of imposing a higher cost,” Graves said.
The proposed bill, named the “Active Cyber Defense Certainty Act,” is currently a discussion draft. Graves’ office continues to receive feedback from industry, think tanks, academia and other members of Congress about the bill, which he plans to formally introduce for vote in the House of Representatives in the “next few months.”
Graves’ office declined to discuss which entities were providing advice.
“The conversations were private, so Rep. Graves doesn’t want to name names at this point,” a spokesperson said.
In practice, the bill would effectively edit rules and language used in the Computer Fraud and Abuse Act — a controversial law introduced in 1984 that defines criminal computer activity — enabling private sector organizations to hack back after being breached. Hacking back, in this case, allows victims to collect information about hackers.
There are limitations in the current version of bill for who can engage in this “active defense,” restricting action only to “victims” of a “persistent unauthorized intrusion of the individual entity’s computer.”
In this context, a distributed denial-of-service attack would more than likely not be categorized as an “intrusion.” DDoS attacks, as they are called, typically leverage a network of infected computers to flood a specific target with web traffic to the point that it becomes inaccessible for authentic visitors.
“The word ‘persistent’ seems to be intended to prevent invocation of [the bill] by someone who has experienced only a fleeting intrusion, presumably on the theory that fleeting equals insignificant,” Bobby Chesney, an Associate Dean for Academic Affairs at the University of Texas School of Law, wrote in a Lawfare blog post Tuesday. “It’s hard to say how tightly this element ought to be calibrated … The uncertainty — and the difficulty of resolving it — is enough to raise the question whether it is worth the candle to screen out insignificant intrusions in this manner.”
Under privileges granted by the bill, victims will hack back only to “gather information in order to establish attribution of criminal activity to share with law enforcement” or “to disrupt continued unauthorized activity against the victim’s own network,” the bill reads.
Comey: The risks are too great
FBI Director James Comey discouraged hacking back earlier this week during the Boston Conference on Cyber Security, noting that the practice remains illegal and has the potential to disrupt the FBI’s own law enforcement efforts.
“It runs a risk of tremendous confusion in a crowded space,” Comey said. “Maybe someday our country will change the law, but the hacking back could cause all kinds of complications for things we’re trying to do to protect you.”
While there’s relatively few publicly known cases of companies having engaged in hack backs, a 2015 Financial Times article found that a Malaysian bank had asked several security researchers to breach the computer network of an aggressor. Those researchers reportedly declined the request.
Bloomberg also reported in 2014 that the FBI had investigated whether a U.S. financial institution hired hackers to take servers offline once used by Iranian hackers to DDoS several major American banks. The outcome of that investigation was never made public.