John Strand //
I wanted to take a few moments and address the “Hacking Back” law that is working people up. There is a tremendously well-founded fear that this law will lead to mass confusion, collateral damage and some say… possibly war.
While some of these fears are a bit unfounded they are still legitimate and need to be discussed clearly. Further, we need to back away from the extreme fringes of this debate. Unfortunately, the discussion has dissolved into whether hacking back is good or bad, with little wiggle room in between.
To be clear, I think the law as it stands now is a bad idea. However, I do believe that with a few tweaks it can be saved and possibly even made useful.
There are two sections of the law that cause me to pause and, I think, are the cause of concern for most security professionals. Basically, it is the section that would allow the following:
(bb) disrupt continued unauthorized activity against the defender’s own network; or
(cc) monitor the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques; but
Yeah, that is where this law crosses the line. Through the removal of those two lines, and possibly a few more tweaks, it can be saved.
Let’s back up for a few seconds and cover what it may allow. First, in Section 3 the law allows for the use of Attributional Technology. This would be technology that would allow an organization to take measures to identify where an attacker is. In the Active Defense Harbinger Distribution we have things like this in the form of Word Web Bugs and various apps and programs that will call back when executed.
The components in ADHD that do this were designed to be in line with previous case decisions such as Susan-Clements vs. Absolute Software where Judge Rice ruled:
It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down, it is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.
This creates a clear and sane line for defenders to follow.
And, to be fair, this law follows that line of reasoning, up until sections 3-2-bb and 3-2-cc.
With these two sections this law, I feel, is crossing a dangerous line. By continuing to monitor a system there is a strong possibility that the defender will be monitoring the activities of an unsuspecting third-party victim of the attacker. By degrading the ability of an attacker to attack, there is a strong possibility of degrading a third-party system.
Either way, I think it would be in the interests of the community at large to stop simply breaking this conversation into bad and not bad camps. There is plenty of room in the middle to find new and inventive ways to detect bad guys without breaking existing laws or impacting third parties.