THE KEY

A bipartisan bill being reintroduced this morning would allow hacked companies to turn the tables and hack back into their attackers’ computer networks.

The Active Cyber Defense Certainty Act, sponsored by Reps. Tom Graves (R-Ga.) and Josh Gottheimer (D-N.J.), would allow those hacked companies to only ferret out what happened to their stolen data and gather evidence for police, though — not to destroy anything on the attackers’ computer networks.  

The bill, which has 14 co-sponsors, was a flash point for conflict when Graves first floated it in 2017. And it’s set to launch a similar battle this time. It is, however, pretty unlikely the bill will actually pass and become law.

Nonetheless, it illustrates a fierce debate about how to respond to cyber threats and the potential unintended consequences of retaliating against a murky foe.

On one side are Graves and his co-sponsors. who argue that U.S. companies are getting pummeled in cyberspace by Russian and Chinese hackers and that no one in government has the time or resources to defend them.

Companies have told Graves they’ve been forced into this sort of active defense because of the volume of attacks they’re facing, he told me. This bill would merely give them legal cover, he said..

“It’s happening already today. What we’re trying to do is to clear up the legal gray areas, bringing better rules of the road into play,” he said.

On the other side of the debate are cyber experts and legal scholars who fret the bill will prompt hacking back by under-skilled tech staff at companies with scant cybersecurity expertise who will bungle their way into doing major damage.

Those newly deputized hackers might hit the wrong targets and violate innocent bystanders’ privacy, the experts say. Or they might hit the right targets but accidentally undermine an ongoing law enforcement operation or spark an international incident by hacking a foreign government.

And mistakes like that are especially likely in cyberspace because hackers often shield their identities by using the computers of innocent people they’ve compromised as a launchpad to hack other victims.

“I know a lot of security vendors who have a very high degree of confidence in their attribution [of an attacker] and they shouldn’t,” Jen Ellis, vice president of community and public affairs at the cybersecurity firm Rapid7, told me.

Graves responded to early concerns about the bill in 2017 by adding a requirement that companies must notify the FBI before hacking into adversaries’ networks so the FBI can alert them about any government operations they might disrupt.

The bill also protects companies only from criminal hacking charges — not civil lawsuits — which should make them extra careful about accidentally hacking the wrong person.

The latest version of the bill also comes as the Trump administration is ramping up its own retaliatory hacking operations to make adversaries rethink attacking U.S. targets. Graves told me that expanding companies’ ability to hack back could similarly deter hackers who target them.

“When we unleash [this] I think you’re going to see an entire new toolbox of opportunities for the private sector to use in a safe manner,” he said. “If they cause any physical harm there’s liability as there is now … But, at the end of the day, I think it’s going to be very good for our country.”

But Orin Kerr, a computer crimes specialist at the University of Southern California Law School, told me he’s concerned the bill’s language is too vague and could result in companies not knowing whether they have legal cover for what they’re doing.

“It only permits actions by ‘victims of a persistent unauthorized intrusion,’ without defining what ‘persistent’ is,” he said in an email. “It only applies to ‘the computer of the attacker’ without saying how you know whether a particular computer is ‘of’ the attacker or how you define that.”

And Herb Lin, a senior research scholar for cyber policy and security at Stanford University, told me he’d feel more comfortable with the bill if it described minimum cybersecurity standards firms had to meet before they hacked back or ensured that hacking back was a “last resort.”

“People are frustrated and they want to do something,” Lin told me. “But, I don’t trust just anybody to do this safely … Something that immunizes [companies] from prosecution for hacking back, even for forensic purposes, is … mighty risky business.”

Ellis also pointed out that most companies still aren't adequately defending themselves from digital attacks, which would likely cut down on hacking far more than striking back outside of the companies' own networks. 

“The vast majority of organizations aren’t even getting the basics right,” she said. “How about we focus on that instead.”

PINGED, PATCHED, PWNED

PINGED: President Trump seemed to flip-flop on an earlier pledge not to use hacked material about his Democratic opponents in the 2020 race during an interview with ABC News’s George Stephanopoulos Wednesday, saying he might want to check out the material before alerting the FBI.

“I think maybe you do both,” Trump told Stephanopoulos. “I think you might want to listen, there isn't anything wrong with listening. If somebody called from a country, Norway, [and said] ‘We have information on your opponent' — oh, I think I'd want to hear it.”

My colleague Jackie Alemany has more on the reaction from 2020 Democrats.

Trump said last month that he wouldn’t use dirt on opponents provided by foreign powers, claiming, “I don’t need it.” Nearly all of the Democratic field has pledged to not take hacked material about rivals -- though some have offered caveats, such as if the information's already been vetted and reported by media.

Trump also told Stephanopoulos that FBI Director Christopher Wray's suggestion that campaigns should report contact from a foreign entity to the FBI was “wrong, because frankly it doesn't happen like that in life.” He also defended a meeting between his son Donald Trump Jr. and Russian operatives in 2016, an event that was investigated by the Mueller team. “I'll tell you what, I've seen a lot of things over my life,” Trump said. “I don't think in my whole life I've ever called the FBI. In my whole life. You don't call the FBI. You throw somebody out of your office, you do whatever you do.”

Here's more on Trump's comments from my colleagues Colby Itkowitz and Tom Hamburger.

PATCHED: The United States needs to improve its digital defenses so “American companies don't have to keep giving away technology to China, or having it stolen,” former vice president Joe Biden said in a speech Tuesday, taking one of his campaign’s first swings at China’s massive theft of intellectual property from U.S. companies.

The move comes after Republicans criticized Biden for suggesting that China was “not competition” for the United States.

Biden also touted a 2015 no commercial hacking deal that President Barack Obama signed with Chinese leader Xi Jinping and that cybersecurity companies said caused a substantial — but brief — reduction in Chinese hackers stealing U.S. companies’ secrets.

“In the Obama-Biden administration, we got China to curb its cybertheft — it's gotten worse under Trump,” Biden said.

PWNED: Former U.S. government hackers who worked for the United Arab Emirates-based cybersecurity company DarkMatter now say the company asked them to target American citizens and companies, the Intercept’s Sam Biddle reports. Those potential targets included the Intercept itself, which was discussed as a target after the publication reported on DarkMatter's relationship with the UAE’s top security agency two years ago.

Although it's unclear whether operatives ever actually hacked the Intercept, an ex-DarkMatter employee Jonathan Cole told Biddle that “initiatives to target journalists were just one of the many ways in which Americans were hacked or surveilled by Project Raven,” the effort’s code name.  

“The hacking team source said that although they personally refused to help target U.S. individuals and organizations, that work ended up being done one way or another,” Biddle writes.

Jenna McLaughlin, who reported the Intercept’s original DarkMatter story and is now at Yahoo News, took the revelations in stride.

Suspicions that DarkMatter — which relied heavily on former American intelligence officers for expertise — had been spying on Americans were first raised in a Reuters report in January.

PUBLIC KEY

Cybersecurity news from the public sector:

The recent U.S. move to blacklist Huawei Technologies threatens to cut off its access to crucial phone components and software for devices used by millions of people world-wide.
Wall Street Journal
Grayshift, one of the government's favorite iPhone hackers, is planning to hack Androids too. But it'll master hacks of Apple products first, the CEO says.
Thomas Brewster
HARRISBURG, Pa. (AP) — Republican lawmakers are refusing to commit to the millions of dollars sought by Democratic Gov. Tom Wolf to back up his demand that Pennsylvania's counties buttress...
AP
The House Oversight and Reform Committee approved bipartisan legislation on Wednesday that would establish baseline cybersecurity standards for government-purchased internet-connected devices.
The Hill
PRIVATE KEY

Cybersecurity news from the private sector:

The chief executive of Telegram, a popular encrypted messaging app, said on Wedn...
Reuters
In a controversial move, the tech firm played both sides of an online argument in Russia with the aim of testing disinformation-for-hire services.
Wired
Anheuser-Busch InBev (AB InBev), the world's largest beer maker, said on Th...
Reuters
The security vendor’s market value exceeded $12 billion on its first day of trading on the NASDAQ under the ticker symbol “CRWD.”
CyberScoop
A former PLA hacker was inspired by Russians to start his own lucrative business stealing sensitive data from tourists, according to Kate Fazzini's new book, "Kingdom of Lies."
CNBC
The company's Project Galileo has helped organizations fend off DDoS and other attacks for the last five years.
Wired
THE NEW WILD WEST

Cybersecurity news from abroad:

Middle East
The Dutch counter-terrorism and security coordinator is warning that the country is vulnerable to cyber espionage and sabotage from countries including China Russia and Iran
Associated Press
CHAT ROOM

Were the outtake tracks from Radiohead’s 20-year-old OK Computer album that leaked online recently actually “hacked” and held for “ransom” as numerous outlets have reported this week?

As Scoop News Group News Editor Joe Warminsky has obsessively pointed out on Twitter, there’s no clear forensic evidence this was a malicious digital operation.

And one insider even speculates the leak was actually caused by an insider threat:

But, oh, the irony if it’s true, as E&E News’s Blake Sobczak notes:

After the leak, Radiohead released 18 hours of the tracks on the music site Bandcamp with proceeds benefiting a climate change charity. Here’s a play-by-play from Pitchfork’s Marc Hogan.  

ZERO DAYBOOK

Today:

  • The House Intelligence Committee on Thursday hosts a hearing on the “National Security Challenges of Artificial Intelligence, Manipulated Media, and Deepfakes.”