To the Honorable Tom Graves:
In November of 2015 I was invited to the now retired
Congressman Steve Israel’s Cyber Consortium to participate with other security
professionals in the community to discuss cyber security related issues
affecting both our organizations and communities. During this meeting you were invited
to speak about your thoughts on cyber security, the issues you’re dealing with
in Congress and your approval for the CISA bill. After listening to you
describe your concerns over the OPM breach I noticed how seriously you took the
issue of cyber security. I didn’t personally agree with some of the stances taken
in the room, but you don’t have to agree on everything to initiate progress. I
applaud your dedication and attention to cyber security and will continue to be
interested in your thoughts, even if we might have differing opinions. With
this being said, I have concerns with your latest bill being proposed to
Congress: the “Active Cyber Defense Certainty Act”.
Each time I see someone propose reform to the “Computer
Fraud and Abuse Act” it piques my interest. Evolving our laws with the
ever-changing cyber industry is both needed and incredibly difficult to
accomplish, and I appreciate your effort to modernize them. With that in mind,
I’m concerned that the newly proposed ACDC bill crosses some boundaries I’d
like to bring to your attention.
As you’re most likely aware, many of the cyber incidents
occurring are being launched from systems that criminals have already
compromised and are using as a guise for their attacks. This essentially
could end up being an attacker proxied through multiple systems throughout
various countries, with the face of the attack showing as an innocent bystander.
Getting approval to perform a “hack back” against this entity puts this
unknowing victim in the middle of a complicated and intrusive scenario. Not
only are they already compromised by a malicious entity, but they’re now being legally
attacked by others who assume they have done them harm. Congressman Graves,
these devices could end up being systems used to assist with our economy’s
growth, hold personal records that could affect the privacy of our citizens’
data or may even be used to aid our healthcare industry. The collateral
damage that could occur from hack backs is unknown and risky. Essentially, if
someone determines they were compromised by a system in the United States and
they start the process of hacking back, the system owners might notice the
attack and start the process of hacking them back. This in turn could create a perpetual
hacking battle that wasn’t even started by the actors involved. This method will
in theory cause disarray all over the internet with a system being unknowingly
used as a front by a criminal to start a hacking war between two innocent
organizations.
To interrupt these systems without oversight is dangerous
for us all. In reading through the bill I noticed that these cyber defense
techniques should only be used by “qualified
defenders with a high degree of confidence of attribution”. From this
statement, what qualifications does a defender have to hold before they attempt
to hack back? Also, what constitutes a high level of attribution? Seeing that this
bill is only focused on American jurisdiction, I personally feel attackers
will bypass this threat by using foreign fronts to launch their attacks to get
around being “hacked back”. This somewhat limits the bill’s effectiveness as
it’s currently written. Being able to track, launch code or use beaconing
technology to assist with attribution of the attack is dangerous to our
privacy. I agree that this is an issue, one that needs to be dealt with, but it
should be dealt with via the hands of law enforcement directly, not the
citizens themselves. I’ve read the requirements where the FBI’s National Cyber
Investigative Joint Task Force will first review the incident before the “hack
back” can occur, which offers a certain level of oversight to the incident, but I
don’t think there’s enough. I understand the resource requirements within the
FBI are stretched, but leaving this in the hands of those affected by the breach
allows emotions to get involved. This is one reason why we call the police if
there’s a dispute in our local communities. They’re trained, have a third-party
perspective and attempt not to make it personal. I feel that emotions will run high
on the part of those hacking back, and this emotion could lead
to carelessness and neglect that will bring about greater damage.
Lastly, the technology is always changing and being able to
get confident attribution is incredibly difficult. If an attack was seen from a
particular public IP address, it’s possible that the NAT’d (Network Address
Translation) source is shielding multiple other internal addresses.
Attacking this address will give no attribution as to where the data or
attacks might actually be sourced. Also, with the fluid environment of cloud
based systems a malicious actor can launch an attack from a public CSP (cloud
service provider) that would quickly remove attribution as to where the source
was occurring. I noticed the language within the bill referencing “types of tools and techniques that defenders
can use” to assist with hacking back. Will there be an approved tool and
technique listing that active defenders will be required to use and that stays within
the boundaries of this law? Or will active defenders be able to use the tools
of their choice? Depending on the tools and how they’re used they could cause
unexpected damage to these systems being “hacked back”. Finally, there’s mention
of removing the stolen data if found, and I’m concerned defenders will not be
as efficient with this data deletion and could cause major damage to systems
legitimately hosting other applications or systems. Deleting this data could at times
interfere with investigations and forensics, and might not solve the
issue long term. This stolen data is digital, and just because it’s deleted in
one place doesn’t mean it’s been removed permanently.
Congressman Graves, I respect what you’re doing for our
country, but I’m concerned with the methods in place to protect the privacy of
the data and systems being actively hacked by defenders. I’m anxious about the
overzealous vigilantism that might be implied by defenders looking to defend
themselves, their systems or their stolen data. You’re an outside-the-box
thinker who is passionate about the protection of our country. I love that, but
the methods in place could essentially cause more harm than good as the bill is
currently written. I personally implore you to reconsider the actions of having
a nation of defenders actively attempting to restore their data from sources
that were most likely being used without their consent. The unintended privacy
consequences, destruction of systems and even life are too important not to
mention. If I could advise in any way, it would be to have our country start
focusing on the fundamentals of cyber security before it starts writing
licenses to hack.
Thank you for your service and your continued efforts to
protect our nation from future cyber events.
Sincerely,
Matthew Pascucci