The ACDC Act Opens the Door to a Hack-Back Highway to Hell
This is the second of two pieces on BRINK about the Active Cyber Defense Certainty Act. The first piece can be read here.
Due to the nature of cyberspace and the vast number of malicious cyberattacks, law enforcement is ill-equipped and understaffed to respond to, disrupt and prosecute most cybercrime. To address this, in the United States, the proposed Active Cyber Defense Certainty Act of 2019 (the ACDC Act), introduced by Rep. Tom Graves (R-Ga.), would allow private entities in the U.S. to “hack back” when their systems are being attacked, provided certain conditions are met.
The idea sounds brilliant, but its initial sparkle hides some danger zones. As written, there are major problems with the act.
The ACDC Act’s Key Provisions
ACDC is designed to harness the power of the private sector to investigate, identify, defend and deter cyber hackers, although it requires companies that want to use ACDC’s provisions to legally hack back against attackers to notify the FBI Cyber Investigative Joint Task Force and receive acknowledgment of notification before hacking back.
According to Rep. Graves, ACDC’s key provisions would permit these “authorized” companies to “leave their network” (a euphemism for accessing an attacker’s systems without authorization) and:
- Establish attribution (identify the attacker)
- Disrupt or stop the cyberattack without damaging other computers along the way
- Retrieve the victims’ stolen files or destroy the files on the attacker’s system
- “Monitor the behavior of an attacker”
- Use beaconing technology
These actions are described as Active Cyber Defense Measures (ACDMs) — and make for a strong, proactive policy. But there are some major problems lurking in the language.
Not only is the language of the act vague and confusing, but it also creates dangerously murky areas around when and what cyber-defense activities are appropriate. This vagueness and murkiness will not work to the benefit of authorized companies. Instead, they can spell significant economic and legal exposure.
The congressional findings in ACDC admonish hacked businesses to first report the cybercrime to law enforcement and, second, improve defensive measures. Many information security officers would reasonably disagree with that order of priority when their companies’ systems are under malicious cyberattack.
Who Can Hack Back, and When?
The act defines a “defender” as a person or entity who is a victim of a persistent unauthorized intrusion of the defender’s computer. One might reasonably ask: When is an intrusion persistent? Do two system access events without authorization qualify as persistent? Does persistent refer to how long an intruder remains within a defender’s systems, or how many times an intruder has breached a system? Unfortunately, the proposed legislation fails to define what constitutes a persistent intrusion. This creates a big gray area for companies and courts.
Moreover, only after notifying the FBI and receiving acknowledgment from the FBI of the notification does the act permit qualified defenders to use ACDMs. In sum, hacking back is permitted only when the FBI is on board and when the victim/defender has a high degree of confidence about who the attacker is. To help with achieving a high degree of confidence in attribution, ACDC would legalize the use of beacon technology.
Beacons are programs, codes or commands embedded in files that signal back to the defender’s systems when a file embedded with the beacon is removed without authorization from the defender’s systems. This allows the defender to track down the path and location of the beacon (and hence the stolen file), providing potentially stronger evidence of attribution if the beacon is discovered in another entity’s systems.
This part of the act is very helpful, because some argue — incorrectly — that the use of beacon technology is unlawful, as it is unauthorized access into another system. The act provides clarification on this point, without which companies would be reluctant to use the technology.
What Can Be Done During a Hack Back?
The act permits qualified defenders to use ACDMs to combat cybercrime, but it defers to the Department of Justice on defining details about which ACDMs are lawful and appropriate. It charges the DOJ “to clarify the proper protocols for entities who are engaged in” ACDMs.
To its credit, the act does specify some things that can’t be done: It prohibits defenders from destroying data on the attacker’s computer system (unless it’s the defender’s own files), impairing the operation of the attacker’s computer systems, or creating a backdoor into the attacker’s systems. However, it also lacks any protocols or technical guidelines for what can be done.
Liability for Hack Back
It is critical for companies to understand that although ACDC would modify existing U.S. computer crime legislation to decriminalize ACDMs, the act does not provide any protection whatsoever from civil lawsuits for defender activities under the act. It also potentially leaves open a swath of state computer crime laws that criminalize hack-back type activities.
Moreover, ACDC places the burden on the system defender to avoid violating laws of other nations. It should come as no surprise that many other nations besides the U.S. outlaw hacking back against an attacker. Under ACDC, companies are civilly liable for their actions, and that’s a costly proposition when there is such a lack of clarity in the proposed bill.
Too Many Questions Raised by Hacking Back
Section 5 of ACDC requires any defender to notify the FBI and to receive back from the FBI an acknowledgment of the notification before using an ACDM. This creates a legal quagmire. When a company acts at the direction of law enforcement to investigate a suspected criminal, it can become an agent of the government for Fourth Amendment purposes. The FBI would typically need a warrant to enter an alleged attacker’s systems and remain in the system monitoring the behavior. Thus, ACDM arguably creates a sidestep to normal legal processes; this is fraught with peril for both law enforcement and the defender.
In addition, what if the attacker is a nation-state or an agent of a nation-state?
Is the ACDM permitting defender companies under FBI oversight to engage in acts of retribution under international norms and the laws of armed conflict? Think back to the Sony hack, allegedly perpetrated by North Korea. Hypothetically, if the FBI were to consent to and oversee Sony’s use of ACDMs against North Korea, what would the international implications be?
Making a Mess of Existing Legislation
In the U.S., our primary federal “hacking” law is the Computer Fraud and Abuse Act (CFAA), which prohibits accessing any “protected computer” (defined as any computer attached to the internet) without authorization (this usually means an outside hacker) or in excess of authorization (usually an inside hacker).
The CFAA clearly makes hacking back unlawful — and in addition to its criminal penalties, the CFAA also permits individuals to bring a private cause of action against anyone who violates the CFAA’s prohibitions. The CFAA’s private cause of action generates a significant amount of civil litigation, and verdicts in CFAA cases can be substantial. The CFAA’s long litigation history and amendments over the years have created a strong law that is clearly understood by the private sector.
We all want and benefit from certainty in our laws and legal system. ACDC, with its vague language, lack of clear protocols and weakening of key CFAA provisions will create a sea of litigation and hack-back hell, all without any demonstrable benefit — except for the FBI potentially gaining more knowledge of vulnerabilities and oversight of hack backs.
Debate will continue to swirl around the passage of ACDC — as it should. Perhaps we should be grateful that at the moment, govtrack.us only gives the ACDC a 5% chance of being enacted into law.