The Internet is a modern-day Wild West.
It is a largely lawless territory with still-uncharted potential.
We all find ourselves confronting, usually after the fact, modern and often elusive thugs — like the famous outlaws of the American West in the 19th century, such as Jesse James, Billy the Kid, and Butch Cassidy — waging digital stagecoach robberies and worse.
The past two years specifically have been a cornucopia of accelerating malice and resulting chaos: attempted Olympic disruption, American election interference, global ransomware worms, central bank heists, credit bureau pillaging, global business losses, cryptocurrency exchange thefts; and these are only the highlights of what has been publicly reported.
Individuals, businesses, and governments face extraordinary challenges protecting themselves in the digital Wild West, and history has shown that law enforcement is under-resourced to tackle all but the most pressing criminal cases. What's the answer?
U.S. Congressional Representatives Tom Graves and Kyrsten Sinema are proposing legislation — the Active Cyber Defense Certainty Act — with good intentions, aimed at reforming the Computer Fraud and Abuse Act (CFAA) – 18 U.S. Code § 1030. The CFAA is outdated (signed in 1986) and doesn't provide an adequate disincentive to cybercrime.
However, hacking back is not the answer. The Internet crosses national boundaries in milliseconds, and attackers routinely encrypt and disguise their traffic between compromised servers and victim machines in multiple geographies. Adversaries reuse existing code and tools to plant false flags and confuse attribution efforts.
For example, the origins of the recent Olympic Destroyer malware are still the subject of debate within the security community. Should the Olympics organization have engaged in a "hack back" campaign? The malware used hard-coded credentials from a major IT and telecommunications company. Does that present a green light to "hack back" against the IT company?
Similarly, India's City Union Bank was recently the victim of an unauthorized SWIFT transfer, resulting in a $2 million loss, two years after the Bangladesh Central Bank heist. The two attacks bear the same hallmarks. If the victim bank were American, should it employ offensive investigative techniques against the DPRK (Lazarus Group)? The answer should be a resounding "no." If the US is going to allow businesses to hack back, it won't take international businesses long to follow suit.
If Congress opens the hacking-back Pandora's Box, defenders' jobs become even harder. It will become impossible to differentiate malicious activity. Far from helping organizations defend themselves, hacking back will escalate an already chaotic situation. Companies should not be initiating even basic fact-finding missions if unauthorized access is required.
There is too much nuance and potential for error when committing unauthorized access of Internet-connected information systems. Allowing — and even going so far as to encourage — "hacking back" will result in vast unintended outcomes, the consequences of which cannot be fully anticipated.
Congress should reform the CFAA, but including a "hacking-back" provision is misguided and will only prolong the digital Wild West era.
Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ...