
Monday, October 16, 2017

Open Letter to Congressman Tom Graves on the “Active Cyber Defense Certainty Act”

To the Honorable Tom Graves:

In November of 2015 I was invited to the now retired Congressman Steve Israel’s Cyber Consortium to participate with other security professionals in the community to discuss cyber security related issues affecting both our organizations and communities. During this meeting you were invited to speak about your thoughts on cyber security, the issues you’re dealing with in Congress and your approval for the CISA bill. After listening to you describe your concerns over the OPM breach I noticed how seriously you took the issue of cyber security. I didn’t personally agree with some of the stances taken in the room, but you don’t have to agree on everything to initiate progress. I applaud your dedication and attention to cyber security and will continue to be interested in your thoughts; even if we might have differing opinions. With this being said, I have concerns with your latest bill being proposed to Congress: The “Active Cyber Defense Certainty Act”.

Each time I see someone propose reform to the “Computer Fraud and Abuse Act” it piques my interest. Evolving our laws with the ever-changing cyber industry is both needed and incredibly difficult to accomplish, and I appreciate your effort to modernize them. With that in mind, I’m concerned that the newly proposed ACDC bill crosses some boundaries I’d like to bring to your attention.

As you’re most likely aware, many of the cyber incidents occurring are being launched from systems that criminals have already compromised and are using as a guise for their attacks. This essentially could end up being an attacker proxied through multiple systems throughout various countries, with the face of the attack showing as an innocent bystander. Getting the approval to perform a “hack back” against this entity puts this unknowing victim in the middle of a complicated and intrusive scenario. Not only are they already compromised by a malicious entity, but they’re now being legally attacked by others who have assumed they have done them harm. Congressman Graves, these devices could end up being systems used to assist with our economy’s growth, hold personal records that could affect the privacy of our citizens’ data or may even be used to aid our healthcare industry. The collateral damage that could occur from hack backs is unknown and risky. Essentially, if someone determines they were compromised by a system in the United States and they start the process of hacking back, the system owners might notice the attack and start the process of hacking them back. This in turn could create a perpetual hacking battle that wasn’t even started by the actors involved. This method will in theory cause disarray all over the internet, with a system being unknowingly used as a front by a criminal to start a hacking war between two innocent organizations.
 
To interrupt these systems without oversight is dangerous for us all. In reading through the bill I noticed that these cyber defense techniques should only be used by “qualified defenders with a high degree of confidence of attribution”. From this statement, what qualifications does a defender have to hold before they attempt to hack back? Also, what constitutes a high level of attribution? Seeing as this bill is only focused on American jurisdiction, I personally feel attackers will bypass this threat by using foreign fronts to launch their attacks to get around being “hacked back”. This somewhat limits the bill’s effectiveness as it’s currently written. Being able to track, launch code or use beaconing technology to assist with attribution of the attack is dangerous to our privacy. I agree that this is an issue, one that needs to be dealt with, but it should be dealt with via the hands of law enforcement directly, not the citizens themselves. I’ve read the requirements where the FBI’s National Cyber Investigative Joint Task Force will first review the incident before the “hack back” can occur and offers a certain level of oversight to the incident, but I don’t think there’s enough. I understand the resource requirements within the FBI are stretched, but leaving this in the hands of those affected by the breach allows emotions to get involved. This is one reason why we call the police if there’s a dispute in our local communities. They’re trained, have a third-party perspective and attempt not to make it personal. I feel that there will be carelessness on the part of those hacking back and this emotion could lead towards carelessness and neglect that will bring about greater damage.

Lastly, the technology is always changing and being able to get confident attribution is incredibly difficult. If an attack was seen from a particular public IP address, it’s possible that the NAT’d (Network Address Translation) source is shielding multiple other internal addresses. Attacking this address will give no attribution as to where the data or attacks might actually be sourced. Also, with the fluid environment of cloud-based systems, a malicious actor can launch an attack from a public CSP (cloud service provider) that would quickly remove attribution as to where the source was occurring. I noticed the language within the bill referencing “types of tools and techniques that defenders can use” to assist with hacking back. Will there be an approved tool and technique listing that the active defenders will be required to use and that stays within the boundaries of this law? Or will active defenders be able to use the tools of their choice? Depending on the tools and how they’re used, they could cause unexpected damage to these systems being “hacked back”. Lastly, there’s mention about removing the stolen data if found, and I’m concerned defenders will not be as efficient with this data deletion and could cause major damage to systems hosting other applications or systems legitimately. Deleting this data at times could become an issue with investigations and forensics, and might not solve the issue long term. This stolen data is digital, and just because it’s deleted in one place doesn’t mean it’s been removed permanently.

Congressman Graves, I respect what you’re doing for our country, but I’m concerned with the methods in place to protect the privacy of the data and systems being actively hacked by defenders. I’m anxious about the overzealous vigilantism that might be implied by defenders looking to defend themselves, their systems or their stolen data. You’re an outside-the-box thinker and passionate about the protection of our country, I love that, but the methods in place could essentially cause more harm than good as the bill is currently written. I personally implore you to reconsider the actions of having a nation of defenders actively attempting to restore their data from sources that were most likely being used without their consent. The unintended privacy consequences, destruction of systems and even life are too important not to mention. If I could advise in any way, it would be to have our country start focusing on the fundamentals of cyber security before they start writing licenses to hack.
Thank you for your service and your continued efforts to protect our nation from future cyber events.

Sincerely,

Matthew Pascucci



14 comments:

  1. In modern times we all depend on intranet and technology. Bad and good persons are everywhere in this world. To solve security problems on the internet, the Cyber Defense Certainty Act is very important. Visit the site if you want to know more about the writing of your academic papers, research papers and thesis editing.

  2. What a fantastic open letter! Excellent combination of words, nice writing composition, and many more. Thank you for sharing these things; I just learned many more. Visit the site if you want to know more about the writing of your academic papers, research papers and thesis editing.

  3. Our everyday life mostly depends on technology, so cyber security is essential for everyone to get a safe cyber world. I totally agree with Mr Honorable Tom Graves about his open letter. After reading this I learned something new about cyber security. Explore more to see the sample of quality writing services.

  4. That's a wonderful blog post, a glorious combination of word, nice writing composition, and plenty of a lot of. Thanks for sharing this thing I simply learn more. Visit the read more if need to understand a lot of regarding the writing of your tutorial papers, analysis papers, and thesis redaction.

  5. Hacking, decimating documents and information through spreading infection are the biggest number of offenses in the cyber world. Best Security Place

  6. On the off chance that you move house, taking the framework with you is as simple as putting it up and it tends to be effectively adjusted to your next home, all since you needn't bother with wires. https://www.bestsecurityplace.com/

  7. Hacking, decimating documents and statistics via spreading the infection is the biggest number of offenses inside the cyber globe. Our everyday life broadly speaking depend upon era, so cybersecurity is crucial for anybody to get secure cyber international. Cheap Essay Writing

  8. You will learn the different techniques of getting data from different devices and analysing it. You will also learn how to store the data in different devices and in different forms. cyber security institute in hyderabad

  9. Hey! Thanks for this. I advise you to visit the site and find the best forex signals here.

  10. Excellent work breaking complex ideas down into digestible portions; it is like cutting a juicy fruit into bite-sized pieces. Diving into the world of the Rice Purity Test is like embracing a unique cultural phenomenon, where a simple test becomes a canvas for exploring the various paths we have all traveled.
