One of the coolest laws I have seen put forward in a very long time is currently being considered by US Congressmen Thomas Graves of Georgia. It is officially called the “Active Cyber Defense Certainty Act” and it proposes to amend Section 1030 of the decades old Computer Fraud and Abuse Act of 1986, to legally allow the victim of a cyber attack to hack the person who attacks them.
Technically speaking the bill has yet to be formally introduced, but Congressmen Graves has released a discussion draft to the public to assemble feedback from professionals and cyber security experts before the finalized version gets submitted.
View Full Discussion Draft: https://tomgraves.house.gov/uploadedfiles/discussion_draft_ac-dc_act.pdf
Honestly, my first reaction is that I am not really sold on the name of the bill, but thats really not important.
To put it most simply, the aim of the law is to allow the victim of cyber attack to gain unauthorized access to the device or network of the person who perpetrated the cyber attack against them, so that they can gain information about the attacker to give to law enforcement. If you are unaware, any unauthorized access to another persons device, computer or network is illegal under any circumstance – even if you are simply doing it to catch a criminal. This is what Mr. Graves proposal will attempt to address.
According to the document, the proposed amendment to the Computer Fraud and Abuse Act would allow a victim to access “without authorization the computer of the attacker to the victim’ own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network; but ‘‘(ii) does not include conduct that ‘‘(I) destroys the information stored on a computers of another; ‘‘(II) causes physical injury to another person; or ‘‘(III) creates a threat to the public health or safety; and ‘‘(C) the term ‘attacker’ means a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.’’
For years now I have been on record as stating that the Computer Fraud and Abuse Act of 1986 is completely “Draconian,” outdated at best. The first web page did not go online until 1991 and in the year 1986 hacking a computer or network took on an entirely different meaning than it does today. The laws simply have not kept up with the times or the development of technology.
If you are wondering why the laws governing hacking have not been updated since the mid 1980’s, it is because strict laws remain in law enforcement’s best interest. Just think about it for a moment, what incentive does the Government or law enforcement agencies have to reduce the sentences/punishment for hacking offenses? Wouldn’t that send the wrong message and just invite more hackers to try and commit cyber attacks in the future? In many ways, the harsher the punishment for a crime, the less likely anyone will be willing to commit it – this includes hacking.
While these laws indubitably need to be updated, I am not sure Mr. Groves proposal quite gets there – though it is a start. Even though his proposal is simple and seems to be a common sense solution to a problem which might actually result in the prosecution of more malicious cyber criminals in the future, I do foresee some potential complications which might result from it…..
Would It Be Legal To Hack Government Agencies?
I think most Americans are quite aware by now that some of the worlds most dangerous and active “Black-Hat Hackers” are currently employed by and carry out actions on behalf of the United States Government. For example, lets say I am aware that the CIA just hacked my email account. In accordance with the new terms of Mr. Graves legislation, would I be allowed to hack into the CIA without facing any legal problems? What if I catch the NSA spying on my phone, can I hack the NSA now? What if the FBI is monitoring my web activity, can I hack the FBI too?
I could go on, but I think you have received my point on the matter. Unless hacking the United States Government could be interpreted as “creating a threat to public safety,” I do not see this issue addressed in his legislation.
Would It Be Legal To Hack Foreign Countries?
Another problem could present itself when a cyber attacker is located in a country outside of US borders, which isn’t governed by and will not recognize US Laws. For example, even if Congressmen Graves makes it legal to ‘hack back’ in the United States, if my attacker comes from Germany and I have to breach a network in Germany to find them, technically speaking I just committed an international crime and could be prosecuted under the laws of that country.
So, while this law might be great for United States citizens, it could result in problems on an international level.
People Might Be Able To Fake “Proof” or Frame Others
Lets be honest, hacking and knowing all of the little details behind it are over a lot of people’s heads right now. There are already certain pieces of “proof” for alleged cyber crimes that are inadmissible in courts because they can be easily forged, for example screen shots.
If someone has the ability to hack back into the computer systems of another hacker, then they certainly posses the skills to frame anyone else for a cyber crime. I would fear that hackers would begin planting evidence on someone else’s device, which would make it look like someone performed an action that they did not, then hand that person over to law enforcement under the guise of a crime they did not commit.
As it stands today the laws are 100% black and white, it is illegal to access anyone’s device without authorization for any reason. This makes it very clear whom the victim of an attack is and whom is not. Adding this new law might open the door for hackers to begin framing others by making access to someone’s device legal under certain circumstances. Theoretically we could then start confusing whom the real victim is.
What About Botnets?
Giving credit where credit is due, I did not think of this last bit myself. This came from Muhit Kumar, founder of The Hacker News. I was first inspired to write this article after reading his analysis of Mr. Graves new law last week.
If you do not know how botnets operate, they work by hijacking various devices in order to create a giant network (net) of interconnected devices (bots). This is done to either flood a specific target or network connection with a spam of digital traffic, or to conceal a cyber attackers location within a sea of thousands to hundreds of thousands of other IP Addresses.
Most importantly, generally speaking, nearly every device within a botnet is unaware that they are caught in a botnet. This means that even if an individual device is part of a botnet which was used in conjunction with a cyber attack, the owner of that device was more than likely oblivious that a crime even took place and is technically innocent in the whole affair.
As Muhit Kumar points out, if this law goes forward and people are allowed to hack back after a cyber attack which involves a botnet “a hacking victim could rarely be certain they would be attacking the real attacker rather than an innocent victim. Even worse, that compromised machine could also belong to a company that stores personal and/or financial information of its customers. So, accessing that data without authorization would unintentionally compromise the confidentiality of the company’s data.“
For obvious reasons, this also pokes a very big hole the in the ambiguity of Mr. Graves Legislation. I also want to point out that while I am being constructively “critical” of Congressmen Graves proposal here, this does not mean I am entirely opposed to it. However, before this legislation finally does get introduced, there are some serious flaws which need to be addressed first.
For whatever it’s worth I commend Mr. Graves for trying to update our countries outdated hacking laws and bring them into the 21st century when many of his peers in Congress remain completely oblivious to the issue. He has made a fan of me so far.