Attack of the Hack Back

[Nytro]

Attack of the Hack Back

The worst idea in cybersecurity is back again.

By Josephine Wolff

 

 

At its heart this bill would just serve as an excuse to let anyone access anyone else’s computer systems with impunity.

Alexander Ryumin/TASS

If there were a prize for the worst cybersecurity policy idea that just won’tdie, it would have to go to “hacking back,” or making it legal for people to attack the computers that are attacking them. This idea has been around foryears, which means that for years,

 

people have been warning that this is a verybad idea—it’s not the first time I’ve written about this topic myself. But it’s astrangely persistent piece of policy, regardless of the fact that it’s been condemned by just about everyone, including law enforcement, and openly endorsed by almost no one.

Just last week Reps. Tom Graves, R-Georgia, and Kyrsten Sinema, D-Arizona, introduced a revised version of the Active Cyber Defense Certainty Act (anupdate of a bill discussion draft that Graves proposed back in March). It’s nice to see some bipartisan teamwork on an issue in these highly partisan times, buta pity to see it wasted on such a foolhardy endeavor.

 

The ACDC Act (please, go ahead and eye-roll that initialism) attempts to carve out some exceptions to the Computer Fraud and Abuse Act, the U.S. anti-hacking statute, which essentially makes it illegal to access computers that don’t belong to you without permission (or “authorization”). The bill would roll back that restriction to allow companies to access computers that don’t belongto them in the name of self-defense or, as the bill calls it, “active defense.”(Active defense, for those not familiar with cybersecurity euphemisms, is thepolite term for offense. It’s meant to convey that you’re just protecting yourself,not attacking anyone, even though, of course, you are attacking someone—that’s what makes it so “active.”)

Most people have interpreted the CFAA to mean that companies (and individuals) are allowed to protect their computers and data only by taking measures confined within the boundaries of their own network. So it’s fine to monitor unusual traffic patterns, or encrypt data, or implement strong authentication systems—those are all things that only require accessing yourown servers and data. But going outside the boundaries of the computers and data that you own to target people who have stolen your data, or are trying tosteal your data, could be considered illegal hacking under the CFAA. Enter the ACDC Act.

Get Future Tense in your inbox.

The ACDC Act clarifies “the type of tools and techniques that defenders can use that exceed the boundaries of their own computer network.” In particular, it specifies that people facing criminal charges under the CFAA for illegal hacking can defend themselves by claiming that their activities were just “active cyberdefense measures.” According to the bill’s text, the accused would have to showthat they were the victims of a “persistent unauthorized intrusion” directed at their computers.

In short, if someone has compromised your computers and stolen some of your data or is bombarding your servers with a denial-of-service attack, the ACDC would make it legal for you to access their servers and delete the files that they stole from you, or bombard their servers to interrupt the ongoing attack.

 

What’s really incredible about the ACDC Act is that Congress is still taking this idea seriously.

There are also some limitations placed on what can be considered an “active cyber defense measure.” To be active defense, the measure has to either help establish attribution of the attack, disrupt an ongoing attack, or “monitor the behavior” of the attacker in order to help develop better defensive methods. Things that do not qualify as active defense include: creating a threat to public health or safety, recklessly causing physical injury or financial harm, deliberately accessing an intermediary’s computer, or destroying information that does not belong to the victim stored on the attackers’ computers. (This can get a little confusing to write about because the terms “victim” and “attacker” lose all meaning when we’re talking about hacking back. If A hacks B and then B hacks A back, then, according to the language of the ACDC Act, B is the victim and A is the attacker. But once the hacking back—I mean, the active defense—starts, then the reverse is also, of course, true.)

 

This might all seem reasonable at first glance, but it’s a highway to hell. I am thunderstruck by how terrible it is. At its heart it would just serve as an excuse to let anyone access anyone else’s computer systems with impunity. Want to go after a competitor? Stage an attack directed at yourself coming from their servers, and then hack back! Or plant some of your sensitive files on their computers and then go in and delete them and monitor their behavior while you’re at it (all in the name of building better defenses). Of course, once that company realizes what’s going on, it may decide to take matters into its own hands and indulge in a little active defense directed at you. What could go wrong?

 

But don’t worry, Congress has anticipated all these problems (maybe because people have been pointing them out, repeatedly, for the better part of a decade). The bill’s authors include this incredibly vague safeguard in its text: “Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.” It’s unclear what constitutes a qualified defender in Congress’ view, much less a “high degree of confidence in attribution.” Attribution is really, really hard. Not to mention that part of the bill’s explicit purpose is legalizing hacking intended to help gather information about attribution. Why would anyone hack back to gather information about attack attribution if hacking back is only legal when victims are absolutely, 100 percent positive they know who the perpetrator is in the first place?

 

I could go on and talk about how legalizing this type of activity under U.S. law doesn’t mean that people who practice active defense won’t be breaking laws in other countries. (Don’t worry, Congress has thought of that too; the bill warns that defenders should “exercise extreme caution to avoid violating the law of any other nation.” That’ll fix it!) Or how this would make the work of law enforcement harder, not easier—a point the FBI has already made.

 

But what’s really incredible about the ACDC Act is not how terrible its proposals are, but that Congress is still taking them seriously after years of people pointing out how terrible they are and in the absence of any clear demand. The ACDC Act authors have clearly heard all these concerns, but their only response seems to have been inserting tepid language into the draft advising active defenders to exercise “extreme caution.” The rationale behind hacking back is supposed to be that the U.S. is full of highly sophisticated technical companies with the ability to do much more advanced and effective cybermaneuvers than the slow, bureaucratic law enforcement agencies. But if those sophisticated tech companies are eager to be doing active defense, they certainly haven’t been vocal about that desire or publicly endorsing proposals like the ACDC.

 

When I last wrote about hacking back legislation, I spoke with Greg Nojeim, the director of the Freedom, Security, and Technology Project at the Center for Democracy and Technology, and asked him who he thought was lobbying for this kind of regulation. Nojeim, who has been working on cybersecurity policy in Washington for years, told me: “I haven’t heard from particular companies that they want to have that activity authorized. I just have not heard the proponents of that position other than some academics, one or two think tanks, and Stewart Baker.” Baker is a lawyer and former homeland security assistant secretary under George W. Bush who is probably the most vocal supporter of hacking back.

No one wants this law. Or, at the very least, almost no one, except Stewart Baker, is willing to admit they want this law, which is pretty damning in itself.

 

And yet, even though the companies that would presumably be hacking back, were it legal, have not publicly expressed any need for such a statute, it turns out to be the rare issue that Congress members from both parties can rally around right now. In fairness to Graves and Sinema, there are some reasonable things in the ACDC Act text: It still allows for civil suits against active defenders, and it permits “beaconing” tools that help defenders locate their stolen data, after it has been stolen. Though it’s not at all clear that attaching “beacon” code to your sensitive data while it’s stored on your system was illegal in the first place.

 

 

But at its core, the ACDC Act is a bill that would open the door for much more misbehavior online and even greater obstacles to trying to charge the offenders and hold them responsible. Hells bells. It’s hard to fathom why, in 2017, Congress is taking up this idea, unless members are so completely out of ideas for cybersecurity that they’re stuck recycling the worst ones over and over again.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.

 

Sursa: http://www.slate.com/articles/technology/future_tense/2017/10/hacking_back_the_worst_idea_in_cybersecurity_rises_again.html

[theeternalwanderer]

 

[gutui]

conform textului actului normativ, acuzatul/entitatea va trebui sa probeze ca fost victina unui “persistent unauthorized intrusion” indreptata asupa computerelor sale. toti ne aflam sub “persistent unauthorized intrusion”, atacuri initiate de contoarele de electricitate smart, frigidere smart, televizoare smart, telefoane mobile smart, ECU-ul masinii conectat prin can bus via Wi Fi, la angajatii big brother, vecini cu routere Wi Fi, ISP, site-uri de stiri, advertiseri, email-uri, guvernele si agentiile tarilor de resedinta care colecteaza indiscriminatoriu "amprenta digitala", banci, asiguratori, toti "by default". si daca incalcare unui drm va fi privita ca “persistent unauthorized intrusion” si atunci raspunsul va consta intr-un firmware/microcode update ce va va "brick-ui" echipamentul ?

si daca vor aparea vigilantes sau mercenari din agentii guvernamentale?

vom migra catre  hardware " Trusted Computing " si virtualizare ?

 

Edited October 23, 2017 by gutui

[Nytro]

Deja se misca lucrurile: https://www.darkreading.com/attacks-breaches/new-tool-debuts-for-hacking-back-at-hackers-in-your-network/d/d-id/1330121 

[theeternalwanderer]

Mda, articol scris cu si pentru "senior management". MazeHuhter seamana mai mult cu o platforma de "live forensics" decat hack-back.

 

Sunt curios cum o sa fie acceptata de specialistii in forensics.

[gutui]

16 hours ago, Nytro said:

Deja se misca lucrurile: https://www.darkreading.com/attacks-breaches/new-tool-debuts-for-hacking-back-at-hackers-in-your-network/d/d-id/1330121 

"...allow companies to access computers that don’t belong to them in the name of self-defense or, as the bill calls it, “active defense.” (Active defense, ca si eufemism, este termenul politicos de a descrie ofensiva. dorindu-se a semnifica ca tu te aperi si nu ca ai ataca pe cineva, fie si de tu in realitate ataci — din acest motiv apare utilizat atributul “active.”)"

sintagma "active defense" imi aduce aminte de sintagma "active shooter" folosita in media, mereu intrebindu-ma  in opozitie ce ar insemna  "inactive shooter"? iar acum, in acest context, ce ar insemna "inactive defence"?

 

interesant  concept. deci, daca "infiltram" Firma  X, este de presupus ca ar fi posibil ca rezultatul intors de software  sa fie  "nothing going on here" dupa ce a scormonit/corupt/inlocuit   datele Firmei X ? ...

[yoyois]

1 hour ago, gutui said:

 

sintagma "active defense" imi aduce aminte de sintagma "active shooter" folosita in media, mereu intrebindu-ma  in opozitie ce ar insemna  "inactive shooter"? iar acum, in acest context, ce ar insemna "inactive defence"?

 

interesant  concept. deci, daca "infiltram" Firma  X, este de presupus ca ar fi posibil ca rezultatul intors de software  sa fie  "nothing going on here" dupa ce a scormonit/corupt/inlocuit   datele Firmei X ? ...

In acest context active nu are ca opus inactive. Ai 4 categorii:

Active

Passive

Proactive

Reactive

 

Conceptul de active security e stupid si e bine ca nu are priza la public. Ma indoiesc ca o astfel de legislatie va fi adoptata.

[gutui]

7 hours ago, yoyois said:

 

[...]

Conceptul de active security e stupid si e bine ca nu are priza la public. Ma indoiesc ca o astfel de legislatie va fi adoptata.

va fi adoptata legea. va aduce in noul "normal", in public , practica celor din Tailored Access Operations (TAO) .

nu uita ca aceste servicii sint externalizate unor contractori civili, externi. deschizind piata unor astfel de servicii catre zona civila, este si in avantajul contractorilor si scade si presiunea financiara pe agentiile guvernamentale, in plus, sub pretextul hack back, se vor putea derula black ops, oferind  o perfecta "Plausible Deniability".

... aparent off topic, insa legat de actualitate, imi vine in minte scaderea entropiei "zarului electronic" ... "[...] The bizarre thing is that people did indeed adopt Dual EC in major commercial software packages. Specifically, RSA Security included it as the default generator in their popular BSAFE software library. Much worse, there’s evidence that RSA was asked to do this by NSA, and were compensated for their compliance. "