Congressman files new 'hack back' bill
A new draft bill would allow private companies to use "active cyber defense measures" in response to a hack, but officials warn such measures could result in cyber escalation and unintended consequences.
Under newly proposed legislation, private entities would be given legal cover to "hack back" in response to a persistent breach or intrusion.
The discussion draft filed by Tom Graves (R-Ga.) updates a previous version based on initial feedback, but the premise remains the same -- victims of a cyberattack may access the computer of an attacker to disrupt the attack and gather information to establish attribution.
The legislation, which would modify the Computer Fraud and Abuse Act, bars victims from destroying the data on attackers' systems, causing physical or financial injury or "creating a threat to public health or safety."
The Active Cyber Defense Certainty Act 2.0 adds provisions to the March 2017 draft requiring that entities notify law enforcement when they use active cyber defense measures and allowing entities to recover or destroy data using active defense techniques.
In addition, the new version adds an exception for beaconing technology and allows victims to "monitor the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques." Another provision sunsets the bill after two years.
Many officials and experts have expressed empathy for intent of the bill, even if they have argued against it, saying it could result in the private sector inadvertently dragging the country into a conflict with other nation states.
They acknowledge that private companies have the technology to hack back or can hire security firms to do so, and the response would be much faster than waiting for the government to intervene in the case of a persistent breach.
Rep. Jim Cooper (D-Tenn.) stated in a recent House hearing that he was unaware it was currently illegal for companies to "hack back" and asked Adm. Michael Rogers, head of the National Security Agency and U.S. Cyber Command, if active defense should be legal.
"While there is certainly historic precedent for this -- nation states have often gone to the private sector when we lacked government capacity or capability ... my concern is, be leery of putting more gunfighters out on the street in the wild west," Rogers replied.
He expressed concerns about second- and third-order consequences that could result from a private entity hacking back.
Cooper argued that as long as businesses feel "disconnected from government or that ... government response is too slow or that certain national security interests are not recognized as being national security interests even when it's protecting the grid, I think you're going to see greater pressure."
Rogers agreed there could be greater pressure from the private sector and legislators to allow active defense.
"I would just be concerned that going that route argues against the broad principles we've used about the role of the state applying force kinetically or non-kinetically," Rogers said.