The debate around whether companies should be able to engage in “active cyber defense” is heating up.
Often described by critics as “hacking back,” the controversial concept involves organizations employing a variety of techniques to prevent breaches or track down the perpetrators in the event their systems are attacked.
Legislation awaiting the signature of Gov. Nathan Deal in Georgia would allow individuals to engage in “active defense measures” in the name of cybersecurity, potentially clearing the way for companies and private citizens to hack into other networks for the sake of protecting their own systems.
Google, Microsoft and others in the technology industry have mounted a campaign against the bill, warning of the potential for grave ramifications. They have urged Deal to veto it before the May 8 deadline.
{mosads}
The fight in Georgia is being closely watched in Washington, where Reps. Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) have introduced legislation that would allow companies and private citizens to engage in some “active defense measures” against hackers.
Proponents of the concept of “active cyber defense” say these methods would help companies protect their networks from attacks and identify hackers who have breached their systems to steal information or conduct other nefarious activity.
The defensive actions could include techniques like using beaconing technology to determine the location of a hacker, deploying honeypots to fool adversaries or leaving one’s network to track down stolen data.
Most of these active cyber defense measures fall into a legal gray zone. Federal law currently prohibits individuals from knowingly hacking into other networks without authorization, as a result of the Computer Fraud and Abuse Act passed by Congress in 1986.
In late March, Georgia’s State Assembly approved Senate Bill 315, which would amend state law governing the crime of “unauthorized computer access” to carve an exemption for those who engage in “cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access.”
The bill does not detail what these measures could include.
The legislation has rattled many in the tech community. Executives from Google and Microsoft wrote to Deal, a Republican, last month urging him to veto the bill. They warned that the provision “broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity.”
“Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses ‘hack back’ authority in ‘defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy,” they wrote.
“Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes.”
The legislation also creates an exemption for individuals who access a computer or computer network for a “legitimate business activity,” such as researchers who hunt for cyber vulnerabilities in networks to make them more secure.
Some in the cybersecurity community have objected to the proposal, arguing that it presents a new “liability” for security researchers in academia and elsewhere, given the vague language and lack of definition for what constitutes a “legitimate business activity.”
Deal faces a May 8 deadline to sign or veto the legislation.
“The governor is carefully reviewing this piece of legislation (including input from stakeholders) along with all other bills to reach his desk,” a spokeswoman for the governor’s office said in an email.
The bill is triggering broader debate about the prospect of active cyber defense. Proponents argue that the conversation has been unfairly limited to the idea of “hacking back,” noting the spectrum of proactive steps companies could take to better protect themselves in cyberspace.
The concept has an apparent advocate in Kirstjen Nielsen, President Trump’s Homeland Security secretary, who has suggested that the U.S. government take a more aggressive approach to cybersecurity going forward.
“This concept of ‘hack back’ has so many different dimensions to it and it’s not one particular action,” Nielsen said at the RSA conference in San Francisco last month. “There are many things in the realm that some call ‘proactive defense’ — for example, to prepare our systems to prevent the intrusion of nefarious activity or traffic.”
Allowing companies to take such actions would inevitably require the government to issue some legal clarifications around them.
“If you were to put rules of the road to allow companies to take a more proactive defense short of what I would call hacking back … I think that should be part of the discussion,” said Frank Cilluffo, a homeland security adviser to President George W. Bush. “We can’t continue as is.”
The bill in the U.S. House of Representatives sponsored by Graves and Sinema would amend federal law to allow individuals or companies to leave their networks to attribute, disrupt or monitor cyberattacks affecting them. It would prohibit individuals from destroying data on another’s computer that doesn’t belong to them or causing other harm, such as financial loss.
The bill picked up additional bipartisan support late last year, despite longstanding concerns among some in the security community. Companion legislation has not yet been introduced in the Senate.
The debate comes at a time when companies across the globe face a seemingly unprecedented level of attacks from cyber criminals and nation-state hackers. High-profile breaches have struck major U.S. firms, from credit reporting firm Equifax to rideshare giant Uber.
Georgia’s capital of Atlanta was itself hit with a debilitating ransomware attack in March that crippled operations for several days and cost the city an estimated $2.7 million.
There is broad agreement that the status quo is not working.
“I do think the current situation is unsustainable,” said Michael Sulmeyer, a former cyber policy official at the Pentagon. “The reality is, so many American companies are getting hacked, and the government as currently organized can’t seem to do much about it.”
Still, some doubt that allowing companies to engage in what could be considered offensive cyber activities would actually help them mitigate the damage from breaches or deter attacks in the future.
“There needs to be greater clarity about what potential active defenders seek to accomplish and how to measure and know that,” Sulmeyer said. “Otherwise, it just feels like I’m mad and I want to hit somebody.”