A controversial bill that would allow organizations that have been breached to hack back has undergone revisions that include an exemption permitting victims to recover or destroy their data on an attacker’s infrastructure.
Rep. Tom Graves (R-GA) introduced the updated Active Cyber Defense Certainty Act today after incorporating feedback acquired since the first draft debuted in March.
The exemption allows for the recovery or destruction of an organization’s data so long as it does not cause the destruction of another’s data, Graves’ office said in a statement.
Before any active defense measures can be taken, however, it would be mandatory that organizations notify the FBI’s National Cyber Investigative Joint Task Force.
“These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,” said Graves.
The new draft also proposes an exemption to the Computer Fraud and Abuse Act (CFAA) for beaconing technology that would aid in attribution of the offender. The beacon would return location data and other information that would be used to identify the source of the intrusion, the draft said.
“The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network,” Graves’ office said in a statement. “Additionally, by allowing defenders to develop and deploy new tools, it will also serve as a disincentive for criminal hacking.”
The original draft raised some eyebrows among security and legal experts, and the topic generally puts people on edge to begin with. Active defense and hacking back, to computer security practitioners, are two different things. Active defense consists of putting up hurdles on the victim’s side of the firewall in the hope of driving up the cost of an attack and frustrating the intruder to the point of moving on to another target. These methods include honeypots, recursive directories, and false data or data tagged with a web beacon that leaves a trail for investigators.
Hacking back is illegal under the CFAA and strongly discouraged, primarily because the computers involved in a breach are often themselves compromised and belong to innocent third parties, so there is little certainty that hacking back would land on the attacker’s own machine rather than another victim’s.
“This bill does expand active lawful cyber defense to hacking back for the expressed purpose of gathering information for attribution. That’s really broad and well intentioned, but it can result in a host of negative consequences for those engaging in this activity,” Ed McAndrew, an attorney with Ballard Spahr in Washington, D.C., told Threatpost in March. McAndrew is a former federal cybercrime prosecutor. “One thing is the lack of limits placed on the conduct authorized under this statute.”
The updated Graves draft also expands the definition of active defense to include actions that monitor an attacker, adds a clarification forbidding financial injury, and adds safeguards that protect intermediary computers against collateral damage.
The law would also sunset after two years, giving Congress the opportunity to make any updates and modifications necessary.