Active Defense Bill Raises Concerns Of Potential Consequences

A bill that would exclude organizations from prosecution for hacking back is already stirring up some concerns about potential unintended consequences.

A discussion draft of a bill proposed on Friday by Rep. Tom Graves (R-GA) that would exclude organizations from prosecution for hacking back is already stirring up some concerns about potential unintended consequences.

The Active Cyber Defense Certainty Act would exempt victims of computer crimes from prosecution for taking “active cyber defense measures.” The bill proposes an amendment to section 1030 of the Computer Fraud and Abuse Act, which prohibits unauthorized access of computers.

The bill identifies victims as those suffering persistent unauthorized intrusions of their computers. Active cyber defense, under the draft, would consist of measures taken by the victim that include accessing the attacker’s computer without authorization in order to gather enough information for attribution to share with law enforcement. The bill specifies that victims cannot cause destruction, or endanger public health or safety.

The language of the bill seems to conflate two different strategies: active defense and hacking back. Active defense consists of putting up hurdles on the victim’s side of the firewall in hopes of driving up the cost of an attack and frustrating the hacker to the point of moving on to another target. Think honeypots, recursive directories or false data tagged with a web beacon that leaves a trail for investigators. Hacking back, on the other hand, is plainly illegal today under the CFAA and gives many researchers and legal experts great pause. The concerns are many, the first and foremost being that, given how many compromised computers are involved in attacks, a victim could rarely be certain they were hitting the attacker rather than another innocent victim.
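The “false data tagged with a web beacon” technique in the paragraph above, as an added example that is not code from the article or from any organization it names: each decoy document gets a beacon URL carrying a token bound to that document with an HMAC, and the defender’s own web-server log is parsed to turn beacon fetches into attributable hits. Everything stays on the victim’s side of the firewall. The secret, the hostname `beacon.example.net`, the document identifier, and the access-log lines are all constructed for the example.

```python
"""Decoy-document web beacon (canary) minting and log correlation.

Added example, not from the article. The secret, hostname, document IDs and
log lines below are constructed; nothing here contacts a real server.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed server-side secret; in practice load it from a secret store.
BEACON_SECRET = b"constructed-example-secret-rotate-me"
BEACON_HOST = "beacon.example.net"  # assumed hostname the defender controls


def mint_token(doc_id: str) -> str:
    """Return 'doc_id.tag' where tag is a truncated HMAC-SHA256 of doc_id.

    Binding the tag to the document means someone who discovers one beacon
    URL cannot fabricate hits for other decoys or flood the log with noise.
    """
    tag = hmac.new(BEACON_SECRET, doc_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{doc_id}.{tag}"


def verify_token(token: str) -> Optional[str]:
    """Return the doc_id if the tag is genuine, else None (constant-time compare)."""
    doc_id, sep, tag = token.rpartition(".")
    if not sep or not doc_id:
        return None
    expected = hmac.new(BEACON_SECRET, doc_id.encode(), hashlib.sha256).hexdigest()[:16]
    return doc_id if hmac.compare_digest(tag, expected) else None


def beacon_url(doc_id: str) -> str:
    """Disguise the beacon as an ordinary asset; the token is the only link to the decoy."""
    return f"https://{BEACON_HOST}/assets/logo.png?v={mint_token(doc_id)}"


def beacon_html(doc_id: str) -> str:
    """1x1 remote image to embed in an HTML (or HTML-rendering) decoy document."""
    return f'<img src="{beacon_url(doc_id)}" width="1" height="1" alt="">'


@dataclass
class BeaconHit:
    doc_id: str
    src_ip: str
    when: datetime
    user_agent: str


# Combined Log Format: ip ident user [ts] "req" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_hits(log_lines: List[str]) -> List[BeaconHit]:
    """Extract verified beacon fetches from access-log lines.

    Lines without a beacon token, or with a token whose tag does not verify,
    are ignored: a forged or garbled token is not attributable to any decoy.
    """
    hits: List[BeaconHit] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        token = parse_qs(urlparse(m["path"]).query).get("v", [None])[0]
        if token is None:
            continue
        doc_id = verify_token(token)
        if doc_id is None:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append(BeaconHit(doc_id, m["ip"], when, m["ua"]))
    return hits


def sample_log() -> List[str]:
    """Constructed access-log lines: one genuine beacon fetch, one forged token, one unrelated request."""
    good = mint_token("finance-q3-forecast-decoy")
    forged = "finance-q3-forecast-decoy.0000000000000000"
    return [
        f'198.51.100.23 - - [10/Mar/2017:03:14:07 +0000] "GET /assets/logo.png?v={good} HTTP/1.1" '
        f'200 68 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Word/15.0"',
        f'203.0.113.9 - - [10/Mar/2017:03:20:41 +0000] "GET /assets/logo.png?v={forged} HTTP/1.1" '
        f'200 68 "-" "curl/7.52.1"',
        '203.0.113.9 - - [10/Mar/2017:03:21:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.52.1"',
    ]


if __name__ == "__main__":
    print(beacon_html("finance-q3-forecast-decoy"))
    for h in parse_hits(sample_log()):
        print(f"{h.when.isoformat()} decoy={h.doc_id} opened from {h.src_ip} ({h.user_agent})")
```

Only the first log line survives: the second carries a token whose HMAC tag does not verify, and the third is not a beacon request at all. The caveat a practitioner should keep in mind is the same one the article raises about hacking back, just with lower stakes: the source address on a beacon hit is whatever rendered the document, which may be a proxy, a sandbox, or a compromised pivot rather than the attacker’s own machine. The hit is a lead to hand to investigators, not attribution on its own.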

“This bill does expand active lawful cyber defense to hacking back for the expressed purpose of gathering information for attribution. That’s really broad and well intentioned, but it can result in a host of negative consequences for those engaging in this activity,” said Ed McAndrew, an attorney with Ballard Spahr in Washington, D.C., and a former federal cybercrime prosecutor. “One thing is the lack of limits placed on the conduct authorized under this statute.”

McAndrew said that attributing the malicious behavior accurately is one of the most difficult things to do.

“The first question that comes up with this, assuming you’re able to do it, is ‘Do you know who it is you would hack back against?’” he said. “This is a real concern. You could have people hacking back at pivots (in an attack). Are you hitting back against an attacker or someone accidentally in the middle?”

Paul Rosenzweig, founder of a homeland security consulting firm called Red Branch Consulting, said that while the bill has its shortcomings, it’s an encouraging step that legislators are bringing the topic to the forefront.

“I welcome the beginning of a discussion about active cyber defenses because this is a tool that should be seriously considered,” he said.

Rosenzweig suggested that, should this eventually be refined and passed into law, it would require a standard of practice for organizations, particularly service providers, that could include licensure and bonding requirements.

“It’s very good that someone is thinking about this in a serious way,” he said.

In the meantime, the discussion draft as written raises legal issues that could backfire, McAndrew said. For example, he questions whether allowing a victim to access an attacker’s computer to gather information for law enforcement essentially deputizes them, or would inspire online vigilantism. He also raises a Fourth Amendment concern.

“You could have a Fourth Amendment defense arguing essentially that the individual engaged in self-help has engaged in unreasonable search and seizure of evidence through hacking back,” McAndrew said. “This could be a violation of the Fourth Amendment. Law enforcement would need a warrant today to carry this out. The bill, the way it’s written, could actually create a scenario that would make it difficult to prosecute attackers if they’re caught. This is why we don’t want private individuals playing cop.”

Hacking back could also create broad affirmative defenses for any hacker who gets prosecuted, McAndrew said, enabling them to conveniently use this law as a cover for their activity.

“Whatever you can convince a jury of is what truth is; that’s the view of a defense lawyer,” McAndrew said. “The hacker could tell their story that they were doing this activity to aid law enforcement. You’ve got a lot of situations where I could envision a defendant saying they’re doing this because they’re trying to help law enforcement or assist victims.”

  • Dave Dittrich

    With all due respect to Mr. McAndrew, I don't believe this proposed law has any 4th Amendment issues. The Bill of Rights only limits government, or its agents. Other recent proposals that do include "deputizing" (i.e., the government actively authorizing private sector entities to enter systems and gather information to be used as evidence in criminal process) raise this issue without directly addressing it. If the government actively works with the private sector, then the private sector actor becomes an "agent" and thus falls under Constitutional limits, specifically warrant and subpoena requirements. Would blanket exemptions like this have the same effect as deputizing? I don't think so. I believe the larger problems with this proposal have to do with the conflation of physical attack with theft of property (the "attacker" and "self-defense" language), invoking "self-defense" as a metaphor for immediacy and urgency for the "victim" to act (even when the bill itself cites "persistent" attacks over a long period of time, which has no such urgency), and it provides no guidance as to where the lines are drawn (beyond simple unauthorized access to gather information), nor does it address the fact that the "last-hop" computer(s) being accessed may not be those of the "attacker", but rather innocent third parties. The best aspect is that it focuses on the non-damaging collection of information that could become evidence, even if it requires accessing third party computers without their owners' knowledge, involvement or permission. This is action at the lowest risk/least intrusive end of Level 4 of the Active Response Continuum. Section (k)(2)(B)(ii) attempts to limit going any higher within Level 4, though I could see some people who I know are proponents of this kind of exemption in CFAA pushing much higher up Level 4 due to the vague language and the common use of best case estimates of the effects of certain actions.

    I agree with Paul Rosenzweig that there is much work to be done before this could be a workable change in CFAA. Just to raise one issue, if the private sector is allowed to enter systems without coordination or prior involvement of law enforcement, how would their collection of this information be usable in a court of law? What chain of custody measures would be necessary to allow the information they collect to meet the "beyond a reasonable doubt" standard of evidence in criminal process? Other recent proposals have included deception actions, changing information in ways that would not rise to the level of destruction. If any changes to the system (not simply destructive actions as cited in the bill) are made, how are these differentiated from changes that are made by the "attacker", should the DoJ actually go to trial? The broader the rights granted to the private sector to enter into third party systems to collect "evidence" as they see fit, the greater the chances of the negative consequence of tromping all over the crime scene so badly that it becomes unusable at trial. This is not a hypothetical scenario, by the way. It has happened in the past, even without this proposed change.
  • James Bone

    The article points out the confusion that exists around the term Active Defense, and as proposed assumes that the "victim" is Hacking Back, not using Active Defense methods in use today. The proposed legislation is well intended but misguided in its efforts. Secondly, I have proposed that corporations be allowed a "Safe Harbor" from lawsuits in the event of attacks if they participate in confidential sharing of information about the attacks, their nature and the impacts to the firm. If the CIA cannot prevent an attack NO firm should ever be sued because of a cyber hack unless management is completely negligent. All firms deserve a Safe Harbor from Cyber Attacks but should be required to participate in information sharing that is organized and run by a Self-Regulatory Organization of technology and business groups NOT the government. Federal agencies should be allowed to have access by permission from the SRO. ##CognitiveHack
  • some random guy

    As said before, the Amendments to the Constitution limit powers of the government, protecting the people from the government, not other people. There is no 4th Amendment argument that has any validity in this case, or any amendment for that reason. This will be an invaluable tool for businesses. Previously, you would have no form of gathering information to report who you are being attacked by. This is not saying that you can brick another person's computer; it almost specifically limits you to gathering information. This would in turn allow for the proper law enforcement to be able to launch a possible investigation. There is no real reason this bill should not have been proposed before.
