US politicians are drafting a bill that – if approved – could allow companies and individuals to “hack back”, allowing victims of a hack to “access without authorization the computer of the attacker… to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network.”
The Financial Times reports that US Congressman Tom Graves, a Republican from Georgia, who is drafting the Active Cyber Defense Certainty (ACDC) bill with Arizona Democrat Kyrsten Sinema, believes that the recent WannaCry ransomware attack could have been prevented if victims had been able to hack their attackers:
“I do believe it would have had a positive impact potentially preventing the spread to individuals throughout the US. Our proposal is to empower individuals and companies to fight back basically and defend themselves during a cyber attack.”
Yes, the same companies who failed to install a critical Microsoft security patch released over a month before the WannaCry malware struck are being encouraged to hack other people’s computers… can anyone else see a problem here?
As the Financial Times reports, although the bill currently being proposed would give a green light for companies hit by internet attacks to access third-party computers used in the attack without authorisation for the purposes of disruption or gathering information to share with law enforcement, there are limits. For instance, they would not be allowed to destroy data on the remote system, cause physical injury or create a threat to public health or safety.
This would be my big concern. Often internet attackers hijack innocent computers to do their dirty work for them, meaning their owners simply aren’t aware that their systems are being abused as part of a larger criminal endeavour. If your counterattack disrupts or wipes data on someone else’s computer then how are you any better than the people who attacked you?
If you launched a denial-of-service attack against a computer that you believed was attacking yours, isn’t there a danger that you could be impacting other innocent companies that might be sharing the same server infrastructure? Isn’t there a risk that you’re having a financial impact on hosting companies and service providers in between you and the attackers?
Furthermore, blundering onto a server controlled by a hacker risks unintentionally disrupting efforts by law enforcement to gather evidence that could lead to the identification and successful prosecution of hackers.
Finally, can you ever be truly confident that your counterattack is being targeted against the right person? Reliable attribution of internet attacks is notoriously difficult.
Take-downs of criminal computer systems should be done by the authorities, not internet vigilantes.
If we allow ‘amateurs’ to launch counterattacks there is always the danger that an existing investigation is compromised, preventing the collection of information required for a successful prosecution, or making it difficult to prove that evidence has not been corrupted by those retaliating.
And I can’t see how a “vigilante hack” would have helped defend any organisation against WannaCry, anyway. The simplest way to defend your systems from the way that ransomware spread was to have the Microsoft patch in place. If you weren’t able to have that basic protection in place I question your ability to take down a hacker.
If not those affected 'hacking back'??
WHO THEN??
'Cos nobody seems to be doing anything.
Heard the latest?? Companies keeping a supply
of Bitcoins in contingency accounts.
WHATEVER NEXT??!!
Great idea. Let's allow this. So long as we allow vigilante groups and legalise hand guns in all countries. Someone knocks into you in a shopping mall, and you have the right to punch them out.
Where does the insanity end?
Where did civilisation go?
Bring it on?
Do American politicians use their brains? Are some of them even human?
Too many questions about this brilliant idea.
Graham, apart from your rightful concerns, does this proposal not assume that the victims will have the necessary skill, knowledge and resources to hack back? And hack back accurately. As you point out, Graham, the chances of some amateur wreaking havoc on an innocent victim’s computer system would seem to be quite high.
Will the US Government be supplying Hack-Back Kits of suitable software? I see a marketing opportunity for an entrepreneur here. Or the NSA perhaps?
This is redolent of an old Wild West posse chasing down a band of rustlers. Except of course, you won’t be able to head them off at the pass, because they could be busy running a small business on the other side of the world oblivious to your existence.
And what right does the US Government have to permit some vigilante action in another country?
How will they react if other countries legalise their citizens attacking US companies?
Hopefully this will never be passed into law but with the current publicity surrounding WannaCry I would not be too certain.
Interesting points. If this becomes US law I could definitely see companies offering offensive retaliatory hacking services, assuming that the legislation allowed for that. Not too dissimilar to the paid bounty hunters that US law allows.
As for what right the US has and how they will react, I suspect they will not give a damn on either point. They would probably view it as protecting their citizens' interests which as we know particularly with the current Commander In Chief comes above any other concern.
Clearly, people in-office have been watching too much TV "hacking"!
1. WannaCry doesn't work like that! It spreads from one unpatched PC to the next because end users can't help clicking on every link they're sent!
2. WannaCry could have been patched a month earlier.
3. IT departments that don't have the capability to patch effectively shouldn't be allowed to randomly hack back. Attribution in this case, or of DDoS etc., is next to impossible! Having random, unqualified monkeys hacking back is a recipe for disaster.
4. This is real life, not a cowboy movie!
5. Even if an organisation managed to successfully hack back, how long before they're the victims of retribution attacks – we're talking about criminals!
I'm a Certified Ethical Hacker – I wouldn't want to take on a faceless criminal organisation, like, ever! Certainly not without a million protections from the government.
I would advocate a pool of qualified, licensed individuals whom law enforcement may engage with for assistance. (with a ton of other controls). "Hack-back" activities would need to be highly regulated and controlled; from specific, designated, monitored machines etc.
Barring that, Harden, Patch, update to strong passwords, multi-factor authentication, strong access controls, Secure coding, Secure SDLC, Secure DevOps, security training for users, would be far cheaper and a whole lot less risky!
This seems the ONLY sensible approach to a "hack back" solution. Even still, hacking back should be a last resort measure in my opinion. And we already have departments in the NSA, FBI and other nameless three-letter organizations that have this role. They should be the "first responders" in attacks of this scale, not Mr. "The Plague" from the server room. I do think you hit it right on the head. It seems these two twits in Congress have been watching too much Mr. Robot and not living enough reality to understand the difference.
"Often internet attackers hijack innocent computers…" or the computer in question could belong to a government agency?
Hack back?!?!? So we want to legalize vigilantism among people who cannot even manage their own IT patching, and have them blazing a path of chaos probably buying underground "hack kits" that, more than likely, will be infested with yet more malware, and maximizing collateral damage, while accomplishing virtually nothing in the way of stopping the actual perpetrators? How about we convince the victims to actually hire REAL IT people and have them do what they are supposed to do: UPDATE, PATCH, MONITOR? As an IT manager in the US, let me tell you, this is pretty depressing, and it gives real IT professionals a bad reputation. It's like giving a blind person a shotgun, and telling them the guy with the ski mask is the thief, shoot him!
GD American Warmongers… Attack Attack!!!…
If I wasn't already convinced before that we have idiots in charge of the laws, I am now.
First: Most attacks exploit a system flaw that an operating system or hardware manufacturer is aware of and / or has already provided a patch for but the user hasn't applied to their system. It is the responsibility of the system owner to update their system with the latest security fixes. The manufacturers typically offer the fixes through automated systems. All it requires the user to do is click "Yes". So the problem is not necessarily just the attackers. The real problem is the laziness of the system owner to simply click a button or take some time once in a while to educate themselves about the thing they own and depend on so much. Take vehicle ownership for example. Unless you're a mechanic, you probably wouldn't have the first clue how each component interacts with the next and maybe you shouldn't need to. But you should absolutely understand the basic maintenance schedule and processes even if you aren't the one performing the actual maintenance.
Second: Attack back? Victims of WannaCry attack back? Reference my first point – laziness. If the end user was too lazy to apply an ancient (in technology timescales) patch or too stupid to think they needed to, it is extremely doubtful that they possess the technical ability to strike back at such a complex attack, let alone figure out where it came from. For corporations with an IT department, they need to understand the risks and provide a reasonable budget for proper maintenance of their infrastructure. If they already have provided a budget, then they need to investigate the competence of their IT department. Either they are under-budgeted, under-staffed, under-trained or just stupid. In any case, preventing this kind of attack on an organization begins with them. You wouldn't expect ferrets armed with Pez dispensers to be able to defend the city gates. You can't expect a handful of "basic nerds" equipped with outdated tech and training to defend your company network.
In any case, it almost always boils down to education and application of a basic set of policies to protect against and / or recover from most of these kinds of attacks:
1. Keep your system up to date by applying software updates regularly (daily or weekly, not annually)
2. Don't open suspicious emails (trickier for a number of reasons, but application of a little common sense and basic pattern recognition should correct this)
3. Don't install programs you don't intend to or trust. READ the individual panes during an installation and be sure you understand what you read before clicking "Next". Click "Cancel" if anything seems odd or doesn't make sense and seek outside assistance or validation.
4. Create regular backups of your important data either to external drives or to a cloud service (see Carbonite and others)
5. Use strong passwords. Most password managers have a way to create strong passwords for most uses and are available across platforms so you only have to remember one strong password.
But then again, I bet those 5 things sounded like a broken record because experts have been saying the same things since the beginning yet no one seems to listen or learn from it. So, you know what? Screw it. They will learn or they will suffer from the same problems and no amount of "attacking back" will save them. Instead it will only make them look like bigger idiots.
It would not have been possible to "hack back" to prevent this, unless you are talking about exploiting the vulnerable systems *before* they were infected with WannaCry. Such a pre-emptive action would hardly be justifiable legally or ethically, not to mention being technically infeasible as described above.
In fact, WannaCry is the perfect example of what could happen if a buggy "white worm" was used by someone in such a pre-emptive (or even reactive) "hack back" operation: systems becoming unavailable, without the coordination or involvement of the owners of those systems, has the same potential negative consequences in either case (malware, or so-called justified "hack back").
I understand that lawmakers and executives are frustrated and want to do something, but emotion needs to be balanced with technically competent analysis of the viability and risks of options by qualified people. I spoke about this topic just last week at the NCSC One conference and have a book in the works that goes into more details.
https://staff.washington.edu/dittrich/talks/NCSC-One-2017-Dittrich.pdf
https://leanpub.com/ARC
The right to hack back is like giving citizens the right to bear arms. Only worse, because the consequences won't respect borders. It's like giving citizens the right to possess medium and long range missiles. What could possibly go wrong?
Just how bad it could be was shown in an item entitled "From Mirai to mushroom clouds in five easy steps" (https://risky.biz/RB450/), reporting a desktop exercise which demonstrated how easily it could escalate.
Absolutely fascinating.
No, utterly horrifying.