US politicians are drafting a bill that - if approved - could allow companies and individuals to “hack back”, allowing victims of a hack to “access without authorization the computer of the attacker… to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network.”
The Financial Times reports that US Congressman Tom Graves, a Republican from Georgia, who is drafting the Active Cyber Defense Certainty (ACDC) bill with Arizona democrat Kyrsten Sinema, believes that the recent WannaCry ransomware attack could have been prevented if victims had been able to hack their attackers:
“I do believe it would have had a positive impact potentially preventing the spread to individuals throughout the US. Our proposal is to empower individuals and companies to fight back basically and defend themselves during a cyber attack.”
Yes, the same companies who failed to install a critical Microsoft security patch released over a month before the WannaCry malware struck are being encouraged to hack other people’s computers… can anyone else see a problem here?
As the Financial Times reports, although the bill currently being proposed would give a green light for companies hit by internet attacks to access third-party computers used in the attack without authorisation for the purposes of disruption or gathering information to share with law enforcement, there are limits. For instance, they would not be allowed to destroy data on the remote system, cause physical injury or create a threat to public health or safety.
This would be my big concern. Often internet attackers hijack innocent computers to do their dirty work for them, meaning their owners’ simply aren’t aware that their systems are being abused as part of a larger criminal endeavour. If your counterattack disrupts or wipes data on someone else’s computer then how are you any better than the people who attacked you?
If you launched a denial-of-service attack against a computer that you believed was attacking yours, isn’t there a danger that you could be impacting other innocent companies that might be sharing the same server infrastructure? Isn’t there a risk that you’re having a financial impact on hosting companies and service providers in between you and the attackers?
Furthermore, blundering onto a server controlled by a hacker risks unintentionally disrupting efforts by law enforcement to gather evidence that could lead to the identification and successful prosecution of hackers.
Finally, can you ever be truly confident that your counterattack is being targeted against the right person? Reliable attribution of internet attacks is notoriously difficult.
Take-downs of criminal computer systems should be done by the authorities, not internet vigilantes.
If we allow ‘amateurs’ to launch counterattacks there is always the danger that an existing investigation is being compromised, preventing the collection of information required for a successful prosecution, or making it difficult to provide evidence has not been corrupted by those retaliating.
And I can’t see how a “vigilante hack” would have helped defend any organisation against WannaCry, anyway. The simplest way to defend your systems from the way that ransomware spread was to have the Microsoft patch in place. If you weren’t able to have that basic protection in place I question your ability to take down a hacker.