A controversial piece of legislation that would allow companies to retaliate against hackers is gaining traction in Congress even as it sets off alarms with security and legal experts.
The legislation would amend a 1986 law, the Computer Fraud and Abuse Act, that made it a federal crime to access someone else’s computer without proper authorization, allowing companies that fall victim to hacking to engage in a limited range of “active defense measures” against their attackers.
Victims would be able to reach beyond their own networks into the attacker’s systems to attribute attacks, disrupt them, retrieve or destroy stolen data and track the behavior of the attacker. They would also, if files were stolen, be able to plant beaconing technology in those files so that it reports back the location of the system on which they are later opened, a location that may belong to the hacker or only to an intermediary machine the hacker is using.
Proponents say the bill would give companies the much-needed power to monitor, identify and stop attackers that target their systems in an era where cyber threats abound.
“The status quo is not acceptable anymore,” Rep. Tom Graves (R-Ga.), who introduced the legislation alongside Rep. Kyrsten Sinema (D-Ariz.) in mid-October, told The Hill in an interview.
The lawmakers have worked on the legislation for the better part of 2017, and it is finally showing signs of gaining steam in the House. Last week, it picked up a slate of seven bipartisan co-sponsors, including House Oversight and Government Reform Committee Chairman Trey Gowdy (R-S.C.).
Graves also said he has had conversations with Trump administration officials who have been “very positive” on the thought that went into the bill.
The concept of “hacking back” has been criticized in national security circles.
“My concern is, be leery of putting more gunfighters out on the street in the Wild West. As an individual tasked with protecting our networks, I’m thinking to myself, we’ve got enough cyber actors out there already,” National Security Agency (NSA) Director Mike Rogers said during congressional testimony in May.
On Monday, former NSA Director Keith Alexander suggested that companies could start wars by “hacking back,” according to Vice.
Proponents of the bill, which has gone through multiple iterations before being formally introduced, say that it has enough controls in place to prevent “vigilantism” and any unintended consequences.
For example, the legislation would prevent companies from destroying or damaging data that does not belong to them and is stored on another person or entity’s computer.
Still, security experts have raised concerns over the proposal, pointing to the difficulty of attributing cyberattacks in the first place.
“You’re talking about this idea that private actors, say mostly companies, are going to be able to know who is attacking them and know with enough certainty to be able to retaliate effectively,” said Josephine Wolff, a professor at Rochester Institute of Technology and fellow at the New America Cybersecurity Initiative.
Wolff noted that foreign actors often compromise an intermediary first in order to use that system as a platform for attacking their ultimate target. This could result in companies infiltrating the wrong system in the quest to track down the perpetrator of an attack, she said.
“You’re not necessarily going after the people who initiated the attack. You could be going after somebody who is caught in the middle,” Wolff said.
Some legal experts agree that it could lead companies into a thorny situation.
“You’ve got to wonder whether it would be in the best interests of a company to do something like this, particularly if they had just been hacked and their systems were thus possibly vulnerable in ways they might not yet know that could actually be further exploited were they to go digging in presumably hostile systems,” observed Doug Henkin, a Washington lawyer with cybersecurity expertise.
Those who support the bill say such criticism is misguided, pointing to controls incorporated in the final legislation to limit damage. Companies looking to engage in “active defense,” for instance, would have to notify the FBI’s cyber crime unit before taking action.
“We’re trying to give them more additional tools to defend themselves,” said Graves.
Some say that it would boost cooperation between private companies and law enforcement and help the latter better attribute and combat cyber crimes.
“It turns a victim — a company that has been attacked — into a witness,” said David Inserra, a policy analyst at the conservative Heritage Foundation. “That’s more information that our authorities can use to find and catch the offender.”
The business community isn’t signing on just yet. The U.S. Chamber of Commerce says it’s not supporting the bill because of the potential for unintended consequences, but still sees it as a vehicle for dialogue on what companies can do to thwart cyberattacks.
The bill still faces an uphill battle, as the legislative calendar winds down with no companion legislation filed in the Senate. Graves said he has had discussions with Chairman Bob Goodlatte (R-Va.) and other members of the House Judiciary Committee, which will need to consider the bill before it can advance to the full chamber for a vote.
While Graves would not say that the White House or the Department of Justice support the legislation outright, he said both are “reviewing” it.
“Cyber is one of the priorities of the administration, and they are very interested in what we are proposing here and the thought that has gone into this,” Graves said.