One of the authors of a controversial “hack back” bill in Congress believes the legislation can launch a new industry around “active defense” that allows companies to strike back against hackers who steal data.
Rep. Tom Graves, R-Ga., predicts the private sector will develop new tools that will add a new layer of deterrence. Graves, who strenuously objects to the “hack back” terminology for the bill, spoke with CyberScoop earlier this month about the legislation.
“You currently have a 1.5 percent conviction rate in cyberattacks,” Graves said. “I think you’ll see that rate go up because attribution will go up, but also because I think you’ll see the number of attacks reduced. And then you’ll see information sharing occurring prior to successful attacks, which will protect additional systems and networks as information being shared about attacks taking place or attempted attacks and the process they’re going about.”
The ACDC would amend the Computer Fraud and Abuse Act, the broad U.S. law that makes it illegal to access computers without expressed permission. Under ACDC, companies and individuals would be able to use “active defense” to identify, disrupt and even destroy their stolen data.
The bill has attracted spirited criticism in the tech world while gaining growing support on Capitol Hill. Few know exactly which companies or individuals outside of Congress are pushing the legislation, but there’s a growing population advocating for the bill’s passage.
Graves said financial technology firms and industry groups will soon offer public support because “they’re under tremendous attacks all the time and they know the government isn’t providing the protection necessary.”
Some lawmakers are lining up to oppose the bill, including Rep. Jim Himes, D-Conn., chairman of the House Intelligence Committee’s NSA and Cybersecurity Subcommittee. He warns that non-state actors attempting to carry out active defense measures will only make the domain messier.
Graves contrasts his vision of the “active defense” future with how he sees the present.
“We live in a very passive environment now with antivirus and firewalls,” Graves said. “That sector has already been developed and matured. There is an opportunity for tools to be developed, for individuals or industries, to allow this defense to take defense on the outside, the more active side.”
However, Graves sees the law, if enacted, as a tool wielded by businesses more than everyday users of the internet.
“I don’t see that your everyday computer user personally employing active defense,” he said. “I see it as every-day industry employing qualified individuals who work with the FBI Joint Task Force on Cybersecurity and who have developed tools that are safe and effective. That’s where I see there’s an opportunity for a new industry to be developed.”