Monday, October 16, 2017

Open Letter to Congressman Tom Graves on the “Active Cyber Defense Certainty Act”

To the Honorable Tom Graves:

In November of 2015 I was invited to the now retired Congressman Steve Israel’s Cyber Consortium to participate with other security professionals in the community in discussing cyber security issues affecting both our organizations and our communities. During this meeting you were invited to speak about your thoughts on cyber security, the issues you’re dealing with in Congress and your support for the CISA bill. After listening to you describe your concerns over the OPM breach I noticed how seriously you took the issue of cyber security. I didn’t personally agree with some of the stances taken in the room, but you don’t have to agree on everything to initiate progress. I applaud your dedication and attention to cyber security and will continue to be interested in your thoughts, even if we might have differing opinions. That being said, I have concerns with your latest bill being proposed to Congress: the “Active Cyber Defense Certainty Act”.

Each time I see someone propose reform to the “Computer Fraud and Abuse Act” it piques my interest. Evolving our laws alongside the ever-changing cyber industry is both needed and incredibly difficult to accomplish, and I appreciate your effort to modernize them. With that in mind, I’m concerned that the newly proposed ACDC bill crosses some boundaries I’d like to bring to your attention.

As you’re most likely aware, many of the cyber incidents occurring today are launched from systems that criminals have already compromised and are using as a front for their attacks. This could end up being an attacker proxied through multiple systems across various countries, with the face of the attack showing as an innocent bystander. Authorizing a “hack back” against this entity puts that unknowing victim in the middle of a complicated and intrusive scenario. Not only are they already compromised by a malicious entity, but they’re now being legally attacked by others who assume they have done them harm. Congressman Graves, these devices could end up being systems that assist with our economy’s growth, hold personal records that affect the privacy of our citizens’ data, or even aid our healthcare industry. The collateral damage that could occur from hack backs is unknown and risky. Essentially, if someone determines they were compromised by a system in the United States and starts the process of hacking back, the system owners might notice the attack and start the process of hacking them back in turn. This could create a perpetual hacking battle that wasn’t even started by the actors involved. In theory this method will cause disarray all over the internet, with a system unknowingly used as a front by a criminal starting a hacking war between two innocent organizations.

To interrupt these systems without oversight is dangerous for us all. In reading through the bill I noticed that these cyber defense techniques should only be used by “qualified defenders with a high degree of confidence of attribution”. From this statement, what qualifications does a defender have to hold before they attempt to hack back? Also, what constitutes a high level of attribution? Since this bill is focused only on American jurisdiction, I personally feel attackers will bypass this threat by using foreign fronts to launch their attacks and get around being “hacked back”. This somewhat limits the bill’s effectiveness as it’s currently written. Allowing defenders to track, launch code or use beaconing technology to assist with attribution of the attack is dangerous to our privacy. I agree that this is an issue, one that needs to be dealt with, but it should be dealt with directly by law enforcement, not by the citizens themselves. I’ve read the requirement that the FBI’s National Cyber Investigative Joint Task Force will first review the incident before the “hack back” can occur, and that offers a certain level of oversight, but I don’t think it’s enough. I understand the resource requirements within the FBI are stretched, but leaving this in the hands of those affected by the breach allows emotions to get involved. This is one reason why we call the police if there’s a dispute in our local communities. They’re trained, have a third-party perspective and attempt not to make it personal. I feel that emotion on the part of those hacking back could lead to carelessness and neglect that bring about greater damage.

Furthermore, the technology is always changing and getting confident attribution is incredibly difficult. If an attack was seen from a particular public IP address, it’s possible that the NAT’d (Network Address Translation) source is shielding multiple other internal addresses. Attacking this address gives no attribution as to where the data or attacks were actually sourced. Also, with the fluid environment of cloud-based systems, a malicious actor can launch an attack from a public CSP (cloud service provider), which quickly removes any attribution of where the attack was really coming from. I noticed the language within the bill referencing “types of tools and techniques that defenders can use” to assist with hacking back. Will there be an approved list of tools and techniques that active defenders will be required to use in order to stay within the boundaries of this law? Or will active defenders be able to use the tools of their choice? Depending on the tools and how they’re used, they could cause unexpected damage to the systems being “hacked back”. Lastly, there’s mention of removing the stolen data if found, and I’m concerned defenders will not be careful enough with this data deletion and could cause major damage to systems legitimately hosting other applications or services. Deleting this data can also become an issue for investigations and forensics, and might not solve the issue long term. This stolen data is digital, and just because it’s deleted in one place doesn’t mean it’s been removed permanently.
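To illustrate the NAT attribution problem raised above, here is a small added example (not part of the letter) built around a constructed NAT translation log. The addresses, ports and timestamps are made up. It contrasts what an outside observer can infer from a public source address (every host that has ever sat behind it) with what only the NAT operator, or law enforcement with access to their records, can determine: the single internal host that held a given public ip:port at a given moment. It also shows that public ports get reused over time, so even ip:port without an accurate timestamp is ambiguous.

```python
"""Why a public source IP is weak attribution when the source sits behind NAT.

Constructed example: a tiny NAT translation log in the shape a NAT device might
keep, plus helpers showing what can and cannot be inferred from it.
"""
from datetime import datetime

# Constructed NAT translation records:
# (internal_ip, internal_port, public_ip, public_port, start, end)
# Note that public port 40001 is used by 10.0.0.5 and later reused by 10.0.0.9.
NAT_LOG = [
    ("10.0.0.5", 51000, "203.0.113.10", 40001,
     datetime(2017, 10, 16, 9, 0, 0), datetime(2017, 10, 16, 9, 5, 0)),
    ("10.0.0.7", 51001, "203.0.113.10", 40002,
     datetime(2017, 10, 16, 9, 1, 0), datetime(2017, 10, 16, 9, 6, 0)),
    ("10.0.0.9", 51002, "203.0.113.10", 40001,
     datetime(2017, 10, 16, 9, 10, 0), datetime(2017, 10, 16, 9, 12, 0)),
    ("10.0.0.5", 51003, "203.0.113.10", 40003,
     datetime(2017, 10, 16, 9, 11, 0), datetime(2017, 10, 16, 9, 15, 0)),
]


def hosts_behind(nat_log, public_ip):
    """Every internal host that has appeared behind this public address.

    This is the most an outside observer who only sees the public IP could
    ever narrow it down to, and even that requires the NAT log itself.
    """
    return sorted({rec[0] for rec in nat_log if rec[2] == public_ip})


def hosts_on_port(nat_log, public_ip, public_port):
    """Internal hosts that have held this public ip:port at any time.

    Ports are recycled, so without a timestamp this is still ambiguous.
    """
    return sorted({rec[0] for rec in nat_log
                   if rec[2] == public_ip and rec[3] == public_port})


def attribute(nat_log, public_ip, public_port, when):
    """Resolve public ip:port at a specific instant to one internal host.

    Only the NAT operator (or an investigator with their records) can do this.
    Returns the internal IP, or None if no translation covered that moment.
    """
    matches = [rec[0] for rec in nat_log
               if rec[2] == public_ip and rec[3] == public_port
               and rec[4] <= when <= rec[5]]
    # A consistent NAT table never maps one public ip:port to two internal
    # hosts at the same instant; treat anything but exactly one match as unknown.
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    observed = ("203.0.113.10", 40001, datetime(2017, 10, 16, 9, 11, 0))
    print("Hosts ever behind", observed[0], "->", hosts_behind(NAT_LOG, observed[0]))
    print("Hosts ever on ip:port ->", hosts_on_port(NAT_LOG, observed[0], observed[1]))
    print("Host at the observed instant ->", attribute(NAT_LOG, *observed))
```

The party contemplating a hack back sees only 203.0.113.10. Whichever machine answers at that address is a guess, and the true source may have already released its translation, so the first helper is the ceiling on what an outsider can claim, while the third depends on records the outsider does not have.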

Congressman Graves, I respect what you’re doing for our country, but I’m concerned with the methods in place to protect the privacy of the data and systems that would be actively hacked by defenders. I’m anxious about the overzealous vigilantism that might be encouraged among defenders looking to defend themselves, their systems or their stolen data. You’re an outside-the-box thinker and passionate about the protection of our country, and I love that, but the methods in place could cause more harm than good as the bill is currently written. I personally implore you to reconsider having a nation of defenders actively attempting to restore their data from sources that were most likely being used without their owners’ consent. The unintended privacy consequences, destruction of systems and even loss of life are too important not to mention. If I could advise in any way, it would be to have our country focus on the fundamentals of cyber security before it starts writing licenses to hack.

Thank you for your service and your continued efforts to protect our nation from future cyber events.

Sincerely,

Matthew Pascucci