Last Updated: 15th January, 2020
Hack Back Bill: Two years ago, the Active Cyber Defense Certainty Act (ACDC), also known as the ‘hack back’ bill, was first introduced by two United States representatives. Put concisely, the proposed Hack Back Bill would provide a defense to companies that are victims of fraud, allowing them to take aggressive defensive action beyond the traditional “detect and report” mode we operate in today, where self-defense is ‘clearly justified.’ The Hack Back Bill is still under discussion and, if passed, would also amend the Computer Fraud and Abuse Act.
Companies must be aware of the deeper implications of this complicated Hack Back Bill and understand that having the right security policies, programs and tools in place to properly secure data is still the best line of defense.
If any ambiguity remains in this Hack Back Bill, companies may end up throwing gasoline on their own fire by unknowingly overstepping their legal bounds and, as a result, find themselves facing accusations of computer fraud or even a lawsuit.
Hack Back Bill: Drink From The Firehose
As we have seen with the implementation of GDPR, interpretation, case law and industry adoption take time. New bills tend to lack clarity, and this is particularly true while they remain, as this one has so far, in draft form.
In Representative Graves’ (who reintroduced the Hack Back Bill to the United States Congress) own words: “Justifiable defense in instances under which self-defense is explicitly justified for this kind of access.”
This raises a moral question: are you allowed to shoot the robber because they are committing a crime and you are frightened, or do you have to wait for the robber to shoot you first before you can act?
The concept of standing your ground differs from state to state, and likewise every company may have its own understanding of what “self-defense” means.
Because the legal boundaries have not yet been defined in case law, early adopters will need to protect themselves through legal interpretation ahead of time, strong rules of engagement, and adherence to industry best practices in case something goes wrong.
With these uncertainties unresolved, rushing to adopt active defense could land a company in the middle of the legal battle over how the law is to be interpreted.
While hacking back allows companies to actively defend themselves, this will likely also be accompanied with the responsibility to appropriately report to law enforcement.
It is entirely conceivable that companies will gather extremely valuable information about how cyber-criminals are targeting United States organizations, or about the identity of those cyber-criminals, and it is critical that this information be shared through the appropriate channels.
Without such a requirement, a company could deliberately withhold information about how criminals are targeting its sector, in the hope that its competitors are attacked instead.
Any company that chooses to hack back should be required to report all findings. Additionally, a training or certification program should be required for every company that decides to hack back, to ensure the appropriate parties are informed.
Hack Back Bill: Fire Risk Assessment
If the Hack Back Bill passes, companies that fall under attack will need to weigh their option to hack back carefully. Below are some considerations companies should keep in mind:
- What are you expecting to achieve through active defense? This can be an incredibly complicated and expensive undertaking, so enterprises need to settle on a clear, specific goal, particularly since the money invested in hacking back could instead be spent on enhanced security controls that counter future attacks. Attackers are well versed in hiding their methods, so establishing with certainty who is actually behind the keyboard is nearly impossible. An active defensive response could end up harming another victim whose vulnerable systems the attacker is using as an unwitting intermediary.
- How reliable is attribution, and how foolproof are beacons? Active defense approaches may rest on the assumption that attribution will be dependable, but beacon infrastructure will eventually be defeated by sophisticated adversaries, since attackers continually find ways to disable or neutralize it.
- Does your enterprise do enough to maintain its cyber-hygiene? Most data breaches occur because of simple lapses in fundamentals such as asset management, patching, security testing and incident response. Your organization should be confident that all of its security controls are mature before investing in active defense. Hacking back is an extremely mature form of security; until you have the fundamentals in place, you are probably not well-equipped to take on this new beast.
The proposed bill would give companies legal grounds to defend themselves, but there is nevertheless a lot to consider and preparations to be made.
Before diverting funds towards hack back activity, organizations should consider more prudent ways to build that maturity, such as outsourcing basic hygiene, using automation-based adversarial emulation to develop confidence in their defenses, and only then shifting to advanced capabilities like active defense and deception.
By continually testing security controls, organizations can clearly identify and remediate security issues before they become a critical problem.