The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP, CIPP/US is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer,” Mary and our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate for and advise Boards of Directors, CIOs, CISOs and General Counsel on how to legally protect their company from cyber-related risk.

Blog Entries


The Hacking Back Act Is Reintroduced

See Article Here

The Active Cyber Defense Certainty Act, a.k.a. the Hacking Back Act, has been reintroduced by Reps. Tom Graves (R-Ga.) and Josh Gottheimer (D-N.J.). This bill is a train wreck waiting to happen!

First, I will speak to you from my law enforcement side: private companies, by hacking back, could make a complete mess of an investigation. The article mentions that in 2017 Rep. Graves put in the bill that private companies would have to contact the FBI before hacking back, as if the FBI were the only law enforcement or government entity that conducts investigations. The FBI does not have sole jurisdiction or oversight in every federal, state, or local cyber investigation in the country!

Secondly, I will speak from the security operations executive perspective. There are no certainties in attribution; it’s cyberspace. You can make an educated guess and maybe find a server or two, but you have no way of knowing that it is the actual “computer of the attacker” as defined in the Act. Also, what would prevent an attacker from baiting you into taking an action that then escalates even further into some sort of international incident, a true “act of war” type of scenario? The company is in huge trouble, and if you aren’t sure you can defend against the next escalated attack that will probably come your way, you might not want to engage in the war.

Lastly, I will speak as an attorney… NOOOOO!!!!!! :-) The attorney’s job is to protect the client. Knowing everything I know about the difficulty of attribution, and knowing details about possible law enforcement involvement, the intricacies of interconnected systems, proxies, state-sponsored attacks, gullibility, etc., I just do not believe the security team will ever get me comfortable with the belief that our best option is to hack back.

If you can find them, block them and use that information to profile them, i.e. their TTPs (tactics, techniques, and procedures), prevent them from getting in again, and share that information with your ISACs or other information sharing organizations to help others. As quoted in the article, I agree with Jen Ellis, vice president of community and public affairs at Rapid7: “The vast majority of organizations aren’t even getting the basics right, how about we focus on that instead.”