Pages

Sunday, January 28, 2018

Active Cyber Defense Certainty Act: Should we 'hack back'?

Recently, a bill was proposed by Georgia Congressman Tom Graves named the Active Cyber Defense Certainty Act, which has now gone on to be called the hack back bill by individuals in the cyber community. This bill is being touted as a cyberdefense act that will enable those who have been hacked to defend themselves in an offensive manner. It's essentially attempting to try and fill the holes the antiquated Computer Fraud and Abuse Act has left wide open.

I'm a big fan of evolving our laws to bring them into a modern state when it comes to cybersecurity, but I feel this law will cause more harm than good. Allowing others to hack back without the proper oversight -- which I feel is extremely lacking in the proposed bill -- will create cyber vigilantes more than anything else. I also feel that this law can be abused by criminals, and it doesn't leave us in any better state than we're in now.

First, the jurisdiction of the Active Cyber Defense Certainty Act only applies to the U.S. If someone notices an attack coming from a country outside the U.S., or if stolen data is being stored outside the boundaries of our borders, then they won't be able to hack back.

This already severely limits the effectiveness of this bill, as it can easily be bypassed by attackers who can avoid consequences by launching an attack with a foreign IP. It can also enable pranksters or attackers to start problems for Americans by purposefully launching attacks from within compromised systems in the U.S. to other IPs inside the country. This would give the victims the legal right to hack back against the mischievous IPs, while the spoofed organizations remained unaware of what happened, and started the process of attacking them back.

In theory, this would create a hacking loop within the U.S. and would end up causing disarray, giving an advantage to the hackers. Not only can systems be hacked by a malicious entity, but they can be legally hacked by Americans following the initial attack; hackers would essentially be starting a dispute between two innocent organizations.

On that note, if attackers launch attacks from the U.S. against other systems within the U.S., it's possible for them to attack the systems that regulate our safety. And what if they attack the systems of our healthcare providers, critical infrastructure or economy? Do we really want someone who might not be trained well enough to defend against attacks poking at these systems? This isn't safe, and it borders on being negligent on the part of those who were compromised.

The mention of 'qualified defenders with a high degree of confidence of attribution,' really leaves the door open to what someone can do within the Active Cyber Defense Certainty Act.
The mention of "qualified defenders with a high degree of confidence of attribution," really leaves the door open to what someone can do within the Active Cyber Defense Certainty Act. First, what makes someone a "qualified defender," and how are they determining a "high confidence of attribution"? Is there a license or certification that someone must have in order to request the ability to hack back? Even if they did receive something similar, they still won't know the architecture or systems they're looking to compromise in order to defend themselves. What tools are they able to use and what level of diligence must be shown for attribution? This is a recipe for disaster, and it's also very possible that emotions could get in the way when determining what to delete or how far to go.

The Active Cyber Defense Certainty Act also mentions contacting the FBI in order to review the requests coming into the system before companies are given the right to hack back. This could lead to an overwhelming number of requests for an already stretched cyber department within the FBI.

If anything, I feel that the bill should leave these requests to the Department of Homeland Security instead of the FBI, as an entirely new team would need to be created just to handle these requests. This team should be the one acting as the liaison to the victim organizations.

For example, if we knew someone stole a physical piece of property, and we knew where they were storing it, we'd most likely call the local authorities and let them know what occurred. In the case of cybercrime, they're giving us the ability to alert the authorities, and then go after our stolen goods ourselves. This is a mistake that could lead to disaster.

Lastly, there are technical issues that might make this a lot more difficult than people think. What if a system is being attacked by the public Port Address Translation/Network Address Translation address of an organization? Are they going to start looking for ways into that network even though they can't access anything public-facing?

Also, what will happen if cloud systems are being used as the source of an attack? How do you track systems that might be moving or destroyed before someone notices? In that case, you could end up attacking the wrong organization. I personally don't trust someone attacking back and making changes to a system that they don't manage, since it leaves the door open for errors and issues later on that we're not even considering now.

Data theft today is a massive concern, but the privacy implications and overzealous vigilantism of this bill could make a bad situation much worse. The Active Cyber Defense Certainty Act should be removed from consideration, and the focus should be put on how Americans can work toward creating a better threat intelligence and cybersecurity organization that can act as a governing body when attacks like these occur. Leaving such matters in the hands of those affected will never produce positive results.
Posted by at

17 comments:

  1. viswanathAugust 16, 2018 at 2:08 AM

    AWS Training in Bangalore - Live Online & Classroom
    myTectra Amazon Web Services (AWS) certification training helps you to gain real time hands on experience on AWS. myTectra offers AWS training in Bangalore using classroom and AWS Online Training globally. AWS Training at myTectra delivered by the experienced professional who has atleast 4 years of relavent AWS experince and overall 8-15 years of IT experience. myTectra Offers AWS Training since 2013 and retained the positions of Top AWS Training Company in Bangalore and India.


    IOT Training in Bangalore - Live Online & Classroom
    IOT Training course observes iot as the platform for networking of different devices on the internet and their inter related communication. Reading data through the sensors and processing it with applications sitting in the cloud and thereafter passing the processed data to generate different kind of output is the motive of the complete curricula. Students are made to understand the type of input devices and communications among the devices in a wireless media.

    ReplyDelete
    Replies
    1. mary BrownNovember 12, 2019 at 2:19 PM

      I am glad that I saw this post. It is informative blog for us and we need this type of blog thanks for share this blog, Keep posting such instructional blogs and I am looking forward for your future posts.
      Cyber Security Projects for Final Year

      JavaScript Training in Chennai

      Project Centers in Chennai

      JavaScript Training in Chennai

      Delete
  2. PeterApril 25, 2019 at 6:28 AM

    Also, whenever you enter a private office, the office has nearly unlimited authority specialist to look out for everything you might do. data privacy

    ReplyDelete
  3. UnknownMay 31, 2019 at 6:02 AM

    We porvide you quality item which you buy on a single click in Auckland New Zealand. Treasurebox nz is one of the most rising store which provide their customers all the items at low rates.

    ReplyDelete
  4. MartinJune 8, 2019 at 5:06 AM


    we are Providing Pure Leather Jackets at very Affordable Price..
    Thanks alot!!!

    ReplyDelete
  5. MartinJune 10, 2019 at 7:30 AM

    very nice and Quality of the Leather Jackets are Avalible at very Affordable rates with
    Nice and Comfortable touch and Quality..

    Thanks Alot.

    ReplyDelete
  6. RipleyJuly 15, 2019 at 1:58 AM

    cybersecure
    Cybersecurity, computer security or IT security, whichever is suitable for you, protected my computer system and reduced the risk for hardware, software or electronic data to get breached. So, thumbs up for the excellent

    ReplyDelete
  7. Venkatesh CSAugust 13, 2019 at 11:05 PM

    Excellent Blog. Thank you so much for sharing.
    best react js training in chennai
    react js training in Chennai
    react js workshop in Chennai

    ReplyDelete
  8. digitaltucrOctober 29, 2019 at 11:06 AM

    Attend The Data Science Training in Bangalore From ExcelR. Practical Data Science Training in Bangalore Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Data Science Courses in Bangalore.
    ExcelR business analytics course

    ReplyDelete
  9. PriyankaNovember 19, 2019 at 6:07 AM

    Attend The Data Analytics Course in Bangalore with Placement From ExcelR. Practical Data Analytics Course in Bangalore with Placement Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Data Analytics Course in Bangalore with Placement.
    ExcelR Data Analytics Course in Bangalore with Placement

    ReplyDelete
  10. Data Science Courses In MumbaiNovember 19, 2019 at 7:39 AM

    Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!
    ExcelR data science course in mumbai

    ReplyDelete
  11. Philip PierceNovember 25, 2019 at 10:08 AM

    This is such a great resource that you are providing and you give it away for free. I love seeing blog that understand the value of providing a quality resource for free. should i buy facebook reviews

    ReplyDelete
  12. datasciencecourseDecember 11, 2019 at 2:24 AM

    Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!
    data analytics course mumbai

    ReplyDelete
  13. mubeen shahjahanDecember 18, 2019 at 12:53 AM

    When your website or blog goes live for the first time, it is exciting. That is until you realize no one but you and your. how to hack imessage account

    ReplyDelete
  14. Bhanu sriFebruary 28, 2020 at 5:04 AM

    nice blog.
    AWS training in hyderabad
    https://360digitmg.com/amazon-web-services-aws-training-in-hyderabad
    AWS training will give the students obtain expertise in the theories of AMI Creation, EBS Persistent Storage, Amazon Storage Services S3, Route 53, AWS EC2 and AWS S3 Instances & further high-level concepts.

    ReplyDelete
  15. Data Science CourseMarch 9, 2020 at 2:11 PM

    Really awesome blog!!! I finally found a great post here.I really enjoyed reading this article. Nice article on data science . Thanks for sharing your innovative ideas to our vision. Your writing style is simply awesome with useful information. Very informative, Excellent work! I will get back here.
    Data Science Course
    Data Science Course in Marathahalli

    ReplyDelete
  16. Subway Surfers Mod ApkMarch 10, 2020 at 1:04 PM

    In the World of Digital Technology, Android Game is one of the Best OS in Mobiles World. Subway Surfers MOD APK is now the best game. About 95% of the World use Smart Phones. They try their best that they solved all their problems on Smart Phones. So, the developers introduced the APK File. Thousands of Games and Apps are being added and launched for android every day, considering the number of users to solve their problems or to give them happiness and joy.Subway SurfersMODApks

    ReplyDelete

Subscribe to: Post Comments (Atom)