The Hacking Back Act Is Reintroduced
The Active Cyber Defense Certainty Act a.k.a. the Hacking Back Act has been reintroduced by Reps. Tom Graves (R-Ga.) and Josh Gottheimer (D-N.J.). This bill is a train wreck waiting to happen!
First, I will speak to you from my law enforcement side: private companies, by hacking back, could make a complete mess of an investigation. The article mentions that in 2017 Rep. Graves put in the bill that private companies would have to contact the FBI before hacking back. As if the FBI is the only law enforcement or government entity that conducts investigations. The FBI does not have sole jurisdiction or oversight in every federal, state, or local cyber investigation in the country!
Secondly, I will speak from the security operations executive perspective. There are no certainties to attribution. It's cyberspace: you can make an educated guess and maybe find a server or two, but you have no way of knowing that it is the actual “computer of the attacker” as defined in the Act. Also, what would prevent an attacker from baiting you into taking an action that then escalates even further into some sort of international incident, a true “act of war” type of scenario? The company is in huge trouble, and if you aren't sure you can defend against the next escalated attack that will probably come your way, you might not want to engage in the war.
Lastly, I will speak as an attorney… NOOOOO!!!!!! :-) The attorney's job is to protect the client. Knowing everything I know about the difficulty with attribution, and knowing details about possible law enforcement involvement, the intricacies of interconnected systems, proxies, state-sponsored attacks, gullibility, etc., I just do not believe the security team will ever get me comfortable with the belief that our best option is to hack back.
If you can find them, block them and use that information to profile them, i.e. their TTPs (tactics, techniques, and procedures), and prevent them from getting in again, then share that information with your ISACs or other information sharing organizations to help others. Because, as quoted in the article, I agree with Jen Ellis, vice president of community and public affairs at Rapid7: “The vast majority of organizations aren't even getting the basics right, how about we focus on that instead.”