08 Jun Active Response Against Cybercrime – Is It Time?
With the continuing onslaught of cybercrime and malware, more and more organizations are seriously contemplating an active response program—striking back at their attackers instead of merely taking a defensive posture. Done correctly, active response could significantly slow cybercrime, or at least give cybercriminals pause. However, active response is a vigilante endeavor, and if it goes wrong, the consequences could be worse than the crimes it is intended to stop.
Actively responding to a cyberattack, also known as “hacking back,” is illegal in most countries. In the United States, it’s specifically outlawed in the 30-year-old Computer Fraud and Abuse Act (CFAA), which criminalizes unauthorized access to a computer.
However, a bill has recently been introduced within the U.S. government that would, to some degree, amend the CFAA to allow “active cyber defense measures.” This “Active Cyber Defense Certainty Act” (ACDC), if passed, would “decriminalize defensive deeds undertaken by, or at the direction of, a victim.” Such defensive actions would consist of accessing, without authorization, the computer of the attacker who went after the victim’s network.
The bill would protect defensive computer intrusion that’s done to gather information about who’s behind an attack and that’s shared with law enforcement or used to disrupt a continued attack or intrusion. The defensive actions permitted by the bill are limited to information gathering. Hacking into the attacker’s computers or networks to modify or disable their system(s) is not authorized by the bill.
Even this partial step towards active response is likely to meet stiff resistance from some. Any sort of active response is very challenging. Here’s a sampling of potential pitfalls:
- Attacks launched from innocent people’s machines: Cybercriminals use innocent middlemen to launch attacks. It’s often difficult to know who’s behind an attack that appears to be coming from a specific machine or network. Very few organizations have the skills and resources to root out the actual criminals behind most attacks.
- Addresses are easily spoofed: IPv4 is still the predominant protocol in use today, but it provides no authentication of a packet’s source address. Attackers can easily fake the addresses of their packet streams to implicate a nonexistent address or, worse, an innocent party’s IP address.
- A web of legal confusion: Even if defensive hacking is legalized in some areas, it will likely remain illegal in other regions, creating a confusing web of laws for organizations to understand and adhere to. These skills are not likely to be found in even the best security operations centers.
- Accidental loss of control: Striking back always runs the risk of casualties from friendly fire, or worse yet, powerful weapons falling into the hands of enemies. Microsoft recently accused the US federal government of creating the very hacking tools used in the global WannaCry ransomware attack [i].
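The first two pitfalls above (attacks relayed through innocent middlemen, and source addresses that IPv4 never authenticates) both come down to the same defensive point: an address seen in a log is evidence of where a packet claims to come from, not of who sent it. The following is an added example, not code from the original article, showing the most that a defender can responsibly conclude from a source address alone. It uses Python’s standard `ipaddress` module to separate addresses that could not have legitimately arrived from the public Internet (private, loopback, link-local, multicast, reserved and documentation ranges, which is the same logic ingress filtering relies on) from addresses that are merely plausible. The sample addresses and the `classify_source`/`triage` function names are constructed for this illustration.

```python
import ipaddress

# Constructed sample of source addresses as they might appear in a firewall log.
# None of these correspond to a real incident; they are made up for the example.
SAMPLE_SOURCES = [
    "10.0.0.7",        # RFC 1918 private space: cannot legitimately arrive from the Internet
    "127.0.0.1",       # loopback
    "169.254.10.20",   # link-local
    "224.0.0.5",       # multicast is never valid as a *source* address
    "0.0.0.0",         # unspecified
    "203.0.113.45",    # TEST-NET-3 documentation range (reserved, unroutable)
    "198.51.100.9",    # TEST-NET-2 documentation range
    "8.8.8.8",         # a well-known public resolver, used here only as a routable sample
]


def classify_source(addr: str) -> str:
    """Classify a logged source address.

    Returns 'unroutable' when a packet carrying this source address could not have
    legitimately arrived from the public Internet (so it is almost certainly spoofed
    or mis-logged), 'invalid' when the string does not parse as an address, and
    'plausible' otherwise.

    'plausible' is NOT attribution: a globally routable address can still be
    spoofed, or belong to a compromised machine relaying someone else's attack.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global):
        return "unroutable"
    return "plausible"


def triage(sources):
    """Group logged source addresses by classification.

    Returns a dict with the keys 'unroutable', 'plausible' and 'invalid', each
    mapping to the addresses (in input order) that fell into that bucket.
    """
    buckets = {"unroutable": [], "plausible": [], "invalid": []}
    for src in sources:
        buckets[classify_source(src)].append(src)
    return buckets


if __name__ == "__main__":
    for category, addrs in triage(SAMPLE_SOURCES).items():
        print(f"{category:>10}: {', '.join(addrs) if addrs else '(none)'}")
```

Run against the constructed sample, seven of the eight addresses land in the unroutable bucket and only the last one is plausible. The point of the design is the asymmetry: the check can prove that an address is *not* a real origin, but it can never prove that one *is*, which is exactly why a source address is a poor basis for any response directed at the host behind it.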
With all of these challenges, should we be taking any steps towards active response? Some would argue that yes, we should begin to carefully investigate active response. Today, the laws and regulations certainly favor the criminals. Able to launch attacks from virtually any location in the world, cybercriminals can hide behind not only geographic, political, and technical walls, but legal barriers too. The current cyberwar is akin to a ground war where the defending army is limited to using shields—they have no guns, even on their own turf—while the invading army has every modern weapon available. Some believe that unless we start equipping ourselves with tools to actually fight back, the cybercriminals will continue to advance and win the battles.
Others, however, are vehemently opposed to any sort of active response. Concerns over privacy, mistakenly impacting innocents, loss of control, and over-zealous vigilantes are all significant and legitimate. Currently we don’t have regulations in place to adequately address these issues.
Whether we should engage in any sort of active response is a difficult question, surrounded by strong viewpoints. Even taking a few baby steps could be dangerous, yet doing nothing is also hazardous. It will be very interesting to watch the debate on this topic as the ACDC bill and similar initiatives move forward.
[i] The Seattle Times, Microsoft criticizes government creation of hacking tool used in global cyberattack, May 14, 2017. http://www.seattletimes.com/business/microsoft/microsoft-criticizes-government-creation-of-hacking-tools-used-in-global-cyberattack/