Cybercrimes are tough to beat. Just ask the execs at Equifax, whose recent security breach revealed that even colossal organizations are susceptible to devastating attacks.
The defenses that consumers have? They’re a little less powerful, at least for now. By 2020, some major companies will shovel billions of dollars into developing more comprehensive forms of security, according to the International Data Corporation, and policy-makers are following closely, proposing new legislation and regulations to accompany them. One of the latest is the newly repurposed Active Cyber Defense Certainty (ACDC) Act, also called the hack-back bill.
Introduced by Reps. Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat, the bill would loosen current anti-hacking laws to allow cybercrime victims to retaliate against their attackers by accessing the bad guys’ computers. Victims are encouraged to literally “hack back” against their aggressors.
While this kind of retaliation has some biblical appeal, it makes many experts uneasy.
“I think that the visceral gut desire for vengeance is what’s behind this,” said Justin Cappos, a computer science professor and director of the Secure Systems Lab at New York University. “In some cases this may be an appropriate response to actions, but in this case I think it’s misguided.”
Most experts agree that this bill, if passed, would boil down to vigilantism, incentivizing people to retaliate against hackers in ways that are less about self-defense and more about taking arms against what they see as lawbreaking behavior.
One of the biggest concerns is “attribution”: the process of sourcing an attack to the actual perpetrator. Real-world attribution is easy enough: if someone steals your wallet, you can try to get a good look at the pickpocket’s face to describe to police later. Digital attribution isn’t so simple.
When you’re under attack from a virtual thief – if they’re trying to steal your credit card information, for example – they’ll typically cover their tracks (and their identity) by hauling those files through botnets: networks of computers compromised by spam or shady links left open to criminal control. The benefit of using a botnet is that a hacker can influence any number of computers from far away.
This is where hack-back becomes muddled. Rather than having a clear line of sight to their attackers, a company or individual trying to retaliate won’t know who – or where – their attackers are. At best, they know some of the channels an attacker used – but that’s it.
“It’s not like bombing a house where you know that some criminals live,” said Cappos. “It’s a very different situation where now you’re saying, ‘They went through phone lines that went through this neighborhood, so let’s blow it up.’”
According to cybersecurity professor Steven Bellovin of Columbia University, attribution is best done by establishing continuity – being able to recognize that the attack today looks like the attack seen last week, last month, or last year, and being able to pin down a target with that information.
“When you read that Russian hackers are the ones who attacked the DNC, it’s because federal investigators have years of experience saying here’s what the attackers’ tactics look like, here’s what the software looks like, and so on,” said Bellovin (though even those claims can be met with some scrutiny).
Right now, only a handful of experts have significant experience with cyber attribution. An ordinary victim, he said, won’t have that kind of skill – and would almost definitely end up taking aim at the wrong party.
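To make the attribution problem concrete, here is a small added illustration (not code from the article or from anyone quoted in it) of the two approaches described above: matching a new intrusion to past ones by the tactics and tooling seen (Bellovin’s “continuity”), versus matching by the source addresses that connected to the victim, which in a botnet-routed attack belong to compromised intermediaries. All incident records, address ranges and fingerprint labels are constructed for the example.

```python
# Added example (not from the article): comparing "continuity" attribution,
# which matches a new incident to past ones by observed tactics and tooling,
# against naive matching on the source IP addresses that hit the victim.
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    name: str
    source_ips: frozenset   # addresses that connected to the victim (often botnet nodes)
    ttps: frozenset         # tactic/tooling fingerprints observed (constructed labels)


def jaccard(a: frozenset, b: frozenset) -> float:
    """Overlap between two indicator sets, 0.0 (disjoint) to 1.0 (identical)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


# Constructed past incidents; addresses come from RFC 5737 documentation ranges.
PAST_INCIDENTS = [
    Incident("2016-11 intrusion",
             frozenset({"192.0.2.77"}),
             frozenset({"phish-macro-doc", "loader-X", "c2-dns-txt"})),
    Incident("2017-03 intrusion",
             frozenset({"203.0.113.10", "203.0.113.11"}),
             frozenset({"phish-macro-doc", "loader-X", "c2-dns-txt", "exfil-ftp"})),
    Incident("2017-07 intrusion",
             frozenset({"198.51.100.5"}),
             frozenset({"sqli-webshell", "exfil-http-post"})),
]

# Constructed new incident: the same playbook as before, relayed through
# entirely different compromised machines.
NEW_INCIDENT = Incident(
    "today",
    frozenset({"192.0.2.200", "203.0.113.99"}),
    frozenset({"phish-macro-doc", "loader-X", "c2-dns-txt", "exfil-ftp",
               "cred-dump-lsass"}),
)


def rank_by_continuity(new: Incident, past: list) -> list:
    """Past incidents ranked by how much of the new incident's tradecraft they share."""
    return sorted(((jaccard(new.ttps, p.ttps), p.name) for p in past), reverse=True)


def rank_by_source_ip(new: Incident, past: list) -> list:
    """Past incidents ranked by shared source addresses; botnet churn makes this near-useless."""
    return sorted(((jaccard(new.source_ips, p.source_ips), p.name) for p in past),
                  reverse=True)


def best_match(new: Incident, past: list, threshold: float = 0.5):
    """Name of the strongest continuity match, or None if nothing clears the threshold.

    The threshold is a constructed cut-off; a real team would tune it against
    its own history rather than act on a single score.
    """
    score, name = rank_by_continuity(new, past)[0]
    return name if score >= threshold else None


if __name__ == "__main__":
    print("by tradecraft:", rank_by_continuity(NEW_INCIDENT, PAST_INCIDENTS))
    print("by source IP: ", rank_by_source_ip(NEW_INCIDENT, PAST_INCIDENTS))
    print("best match:   ", best_match(NEW_INCIDENT, PAST_INCIDENTS))
```

Run as a script, the tradecraft ranking ties the new incident most strongly to the March 2017 intrusion, while every source-address score is zero: the machines that touched the victim this time are not the ones seen before, so “retaliating” against them would hit whoever happens to own those compromised hosts, not the operator behind the campaign.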
As it’s written, the bill only authorizes retaliation against the attacker’s computer. So while a person retaliating might end up hurting an innocent third party, they might also end up with an expensive lawsuit on their hands.
“There’s a reason why people haven’t just said, ‘If you spot someone that you think might be committing a crime, then you can blindly shoot,’” said Cappos. “I think that this might be taking that idea to a very dangerous place.”