A bipartisan bill being reintroduced this morning would allow hacked companies to turn the tables and hack back into their attackers’ computer networks.
The Active Cyber Defense Certainty Act, sponsored by Reps. Tom Graves (R-Ga.) and Josh Gottheimer (D-N.J.), would allow those hacked companies to only ferret out what happened to their stolen data and gather evidence for police, though — not to destroy anything on the attackers’ computer networks.
The bill, which has 14 co-sponsors, was a flash point for conflict when Graves first floated it in 2017. And it’s set to launch a similar battle this time. It is, however, pretty unlikely the bill will actually pass and become law.
Nonetheless, it illustrates a fierce debate about how to respond to cyber threats and the potential unintended consequences of retaliating against a murky foe.
On one side are Graves and his co-sponsors, who argue that U.S. companies are getting pummeled in cyberspace by Russian and Chinese hackers and that no one in government has the time or resources to defend them.
Companies have told Graves they’ve been forced into this sort of active defense because of the volume of attacks they’re facing, he told me. This bill would merely give them legal cover, he said.
“It’s happening already today. What we’re trying to do is to clear up the legal gray areas, bringing better rules of the road into play,” he said.
On the other side of the debate are cyber experts and legal scholars who fret the bill will prompt hacking back by under-skilled tech staff at companies with scant cybersecurity expertise who will bungle their way into doing major damage.
Those newly deputized hackers might hit the wrong targets and violate innocent bystanders’ privacy, the experts say. Or they might hit the right targets but accidentally undermine an ongoing law enforcement operation or spark an international incident by hacking a foreign government.
And mistakes like that are especially likely in cyberspace because hackers often shield their identities by using the computers of innocent people they’ve compromised as a launchpad to hack other victims.
“I know a lot of security vendors who have a very high degree of confidence in their attribution [of an attacker] and they shouldn’t,” Jen Ellis, vice president of community and public affairs at the cybersecurity firm Rapid7, told me.
Graves responded to early concerns about the bill in 2017 by adding a requirement that companies must notify the FBI before hacking into adversaries’ networks so the FBI can alert them about any government operations they might disrupt.
The bill also protects companies only from criminal hacking charges — not civil lawsuits — which should make them extra careful about accidentally hacking the wrong person.
The latest version of the bill also comes as the Trump administration is ramping up its own retaliatory hacking operations to make adversaries rethink attacking U.S. targets. Graves told me that expanding companies’ ability to hack back could similarly deter hackers who target them.
“When we unleash [this] I think you’re going to see an entire new toolbox of opportunities for the private sector to use in a safe manner,” he said. “If they cause any physical harm there’s liability as there is now … But, at the end of the day, I think it’s going to be very good for our country.”
But Orin Kerr, a computer crimes specialist at the University of Southern California Law School, told me he’s concerned the bill’s language is too vague and could result in companies not knowing whether they have legal cover for what they’re doing.
“It only permits actions by ‘victims of a persistent unauthorized intrusion,’ without defining what ‘persistent’ is,” he said in an email. “It only applies to ‘the computer of the attacker’ without saying how you know whether a particular computer is ‘of’ the attacker or how you define that.”
And Herb Lin, a senior research scholar for cyber policy and security at Stanford University, told me he’d feel more comfortable with the bill if it described minimum cybersecurity standards firms had to meet before they hacked back or ensured that hacking back was a “last resort.”
“People are frustrated and they want to do something,” Lin told me. “But, I don’t trust just anybody to do this safely … Something that immunizes [companies] from prosecution for hacking back, even for forensic purposes, is … mighty risky business.”
Ellis also pointed out that most companies still aren't adequately defending themselves from digital attacks, which would likely cut down on hacking far more than striking back outside of the companies' own networks.
“The vast majority of organizations aren’t even getting the basics right,” she said. “How about we focus on that instead.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: President Trump seemed to flip-flop on an earlier pledge not to use hacked material about his Democratic opponents in the 2020 race during an interview with ABC News’s George Stephanopoulos Wednesday, saying he might want to check out the material before alerting the FBI.
“I think maybe you do both,” Trump told Stephanopoulos. “I think you might want to listen, there isn’t anything wrong with listening. If somebody called from a country, Norway, [and said] ‘We have information on your opponent’ — oh, I think I’d want to hear it.”
My colleague Jackie Alemany has more on the reaction from 2020 Democrats.
EXCLUSIVE: Pres. Trump tells @GStephanopoulos he wouldn't necessarily alert the FBI if approached by foreign figures with information on his 2020 opponent: "It’s not an interference. They have information. I think I’d take it." https://t.co/yWRxMOaFqW — ABC News (@ABC) June 12, 2019
Trump said last month that he wouldn’t use dirt on opponents provided by foreign powers, claiming, “I don’t need it.” Nearly all of the Democratic field has pledged to not take hacked material about rivals, though some have offered caveats, such as if the information’s already been vetted and reported by media.
Trump also told Stephanopoulos that FBI Director Christopher Wray's suggestion that campaigns should report contact from a foreign entity to the FBI was “wrong, because frankly it doesn't happen like that in life.” He also defended a meeting between his son Donald Trump Jr. and Russian operatives in 2016, an event that was investigated by the Mueller team. “I'll tell you what, I've seen a lot of things over my life,” Trump said. “I don't think in my whole life I've ever called the FBI. In my whole life. You don't call the FBI. You throw somebody out of your office, you do whatever you do.”
PATCHED: The United States needs to improve its digital defenses so “American companies don't have to keep giving away technology to China, or having it stolen,” former vice president Joe Biden said in a speech Tuesday, taking one of his campaign’s first swings at China’s massive theft of intellectual property from U.S. companies.
The move comes after Republicans criticized Biden for suggesting that China was “not competition” for the United States.
Biden also touted a 2015 no-commercial-hacking deal that President Barack Obama signed with Chinese leader Xi Jinping, which cybersecurity companies said caused a substantial — but brief — reduction in Chinese hackers stealing U.S. companies’ secrets.
“In the Obama-Biden administration, we got China to curb its cybertheft — it's gotten worse under Trump,” Biden said.
PWNED: Former U.S. government hackers who worked for the United Arab Emirates-based cybersecurity company DarkMatter now say the company asked them to target American citizens and companies, the Intercept’s Sam Biddle reports. Those potential targets included the Intercept itself, which was discussed as a target after the publication reported on DarkMatter's relationship with the UAE’s top security agency two years ago.
In 2016 @JennaMC_Laugh reported on DarkMatter, a little-known UAE cybersecurity firm recruiting ex-NSA hackers. Sources now tell us this team of American cyber mercenaries and Emirati intelligence discussed hacking The Intercept's staff in response https://t.co/Rn82752QXM — Sam Biddle (@samfbiddle) June 12, 2019
Although it’s unclear whether operatives ever actually hacked the Intercept, ex-DarkMatter employee Jonathan Cole told Biddle that “initiatives to target journalists were just one of the many ways in which Americans were hacked or surveilled by Project Raven,” the effort’s code name.
“The hacking team source said that although they personally refused to help target U.S. individuals and organizations, that work ended up being done one way or another,” Biddle writes.
Jenna McLaughlin, who reported the Intercept’s original DarkMatter story and is now at Yahoo News, took the revelations in stride.
This is highly disturbing but I can't stop thinking about how many bunny and cat photos the Emiratis would have to rifle through (Targeting journalists and their friends and families is bad) — Jenna McLaughlin (@JennaMC_Laugh) June 12, 2019
Suspicions that DarkMatter — which relied heavily on former American intelligence officers for expertise — had been spying on Americans were first raised in a Reuters report in January.
Cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad:
Were the outtake tracks from Radiohead’s 20-year-old OK Computer album that leaked online recently actually “hacked” and held for “ransom” as numerous outlets have reported this week?
As Scoop News Group News Editor Joe Warminsky has obsessively pointed out on Twitter, there’s no clear forensic evidence this was a malicious digital operation.
Many of these news stories take Radiohead's weird little "hack" story at face value. — Joe Warminsky (@jwarminsky) June 11, 2019
Was there really a hack or a ransom? — Joe Warminsky (@jwarminsky) June 12, 2019
This is at least the third major news outlet that seems to have taken the "hack" thing at face value. (It can still be a really fun/cool stunt even if the "hack" part is just a joke.) https://t.co/T1kSb8MsEz — Joe Warminsky (@jwarminsky) June 11, 2019
And one insider even speculates the leak was actually caused by an insider threat:
now *this* makes sense, in which case it's not a hack but just a theft — Joe Warminsky (@jwarminsky) June 12, 2019
But, oh, the irony if it’s true, as E&E News’s Blake Sobczak notes:
It's tough to believe, too, because you'd think Radiohead would have a pretty OK Computer — Blake Sobczak (@BlakeSobczak) June 12, 2019
After the leak, Radiohead released 18 hours of the tracks on the music site Bandcamp with proceeds benefiting a climate change charity. Here’s a play-by-play from Pitchfork’s Marc Hogan.
- The House Intelligence Committee on Thursday hosts a hearing on the “National Security Challenges of Artificial Intelligence, Manipulated Media, and Deepfakes.”