By Mark Weatherford
Like Colin Clive screaming “It’s alive!” in the original 1931 Frankenstein movie, the Active Cyber Defense Certainty Act (H.R. 4036) continues to live. Reintroduced last month by Representatives Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) and also called the “Hack-Back” bill, this draft legislation amends Section 1030 of title 18, United States Code (which was previously amended by the 1986 Computer Fraud and Abuse Act) to “provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes.”
While I’m sure Representatives Graves and Sinema have qualified advisors, I think they may be listening to the wrong technical security experts. People within the cybersecurity community regularly battle and argue about technologies, architectures and policies, but one thing that they agree on almost universally is that hacking back is a colossally bad idea. There are a number of reasons, but most importantly, from my perspective, when you engage in cybersecurity retaliation, you no longer control the timeline or the reaction of the adversary who may in fact have a bigger army and more talented resources than you. Inexperienced boxers never survive in a fight with Mike Tyson.
As a guy with lots of operational cybersecurity experience, I get it. I really do. You feel helpless when a bad guy breaks in and steals your data and you want revenge—serious, scorched-earth revenge. It’s like someone breaking into your home and stealing all your valuables. You feel violated and want to track them down and take the law into your own hands. Unfortunately (and I acknowledge this is an unfair thing to say), if a company wasn’t defensively talented enough to keep the bad guys from stealing in the first place, why would they think they have the skills for an offensive campaign? In terms of both the technology and the skill level required, launching an attack is easy, almost absurdly easy. However, doing the appropriate reconnaissance, gathering intelligence and confirming attribution to make sure you have the right guys and understand what kind of response you may get falls into the “very hard” category.
Most people (and most companies) simply do not have the talent, resources or time to comprehend all the possible implications and unintended consequences that come with cyber-retaliation. Attribution is a truly complicated business, and the hazards of giving the wrong person (or wrong nation-state) a cyber-bloody nose can be disastrous and the possibility of escalation is very real. H.R. 4036 requires “qualified defenders with a high degree of confidence in attribution,” but who determines what qualified means? I know a number of cybersecurity experts who are really good at this kind of work and wouldn’t trust themselves to make 100% positive attribution. Jane Holl Lute, my former boss at DHS, once said that “a little information in the hands of the eager can be a dangerous thing.” How very true.
British Vice Admiral Horatio Nelson is quoted as saying that “desperate affairs require desperate measures.” We live in a world of imperfect choices, and law enforcement is obviously overwhelmed, but one person’s cyber-missionary can easily be misinterpreted as another person’s cyber-terrorist. Congress shouldn’t be so desperate that it creates a legal avenue for what can easily be seen as vigilantism. H.R. 4036 opens the door to profound unintended consequences and is an incredibly dangerous path for Congress to take.
Mark Weatherford is SVP & Chief Cybersecurity Strategist at vArmour. He is the former Deputy Under Secretary for Cybersecurity at the US Department of Homeland Security.