Slashdot Mirror


Bill Would Legalize Active Defense Against Hacks (onthewire.io)

Trailrunner7 quotes a report from On the Wire: A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack. Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions. The proposed legislation includes the caveat that victims can't take any actions that destroy data on another person's computer, cause physical injury to someone, or create a threat to public safety. The concept of active defense has been a controversial one in the security community for several years, with many experts saying the potential downside outweighs any upside. Not to mention that it's generally illegal.

4 of 96 comments

  1. eHolocaust by Roger W Moore · Score: 3, Interesting

    Way too vague: neither "disrupt" nor "continued unauthorized activity" is defined; this'd very quickly result in these so-called victims just using DDoS against anyone they disagree with.

    Even a strict interpretation will lead to an eHolocaust. Attacker hijacks a machine in company A and uses it to attack company B. Company B retaliates against the machine in company A. Company A detects attack from company B and returns the favour. Multiply that by all the machines in a botnet and you can kiss goodbye to the internet.
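
A small simulation of the cascade this comment describes, added here as an editorial example and not the commenter's own code: the organisations, hosts and botnet hits are constructed data, and the policy that automatically "disrupts" the whole organisation behind an observed source IP is an assumption about how such a response would be wired. It shows that source-IP attribution only ever points at other hijacked victims, so every organisation that ends up attacking is an innocent one, while a log-and-block policy adds no attacks at all.

```python
from collections import deque

# Constructed sample data (not from the original post): three organisations
# each have one machine hijacked by a real attacker who owns none of them.
SAMPLE_ORGS = {"a1": "A", "a2": "A", "b1": "B", "c1": "C", "v1": "V"}
SAMPLE_BOTNET_HITS = [("a1", "v1"), ("b1", "v1"), ("c1", "v1")]
REAL_ATTACKER = "RealAttacker"  # never appears as a source IP in any victim's logs


def hack_back_cascade(org_of, botnet_hits, auto_retaliate):
    """Model the loop from the comment: A's hijacked box hits B, B hacks back
    at A, A detects B and returns the favour.

    org_of:         host -> organisation that owns it.
    botnet_hits:    (hijacked_host, victim_host) pairs launched by the real attacker.
    auto_retaliate: True  = 'disrupt the attack' fired automatically at the whole
                            organisation behind the observed source IP (assumed policy);
                    False = the victim only logs and blocks the source.
    Returns (organisations that launched retaliatory attacks, total attack events).
    """
    queue = deque((src, dst, False) for src, dst in botnet_hits)  # flag: is_retaliation
    answered = set()   # ordered (responder_org, target_org) pairs, so the loop terminates
    retaliators = set()
    events = 0
    while queue:
        src, dst, is_retaliation = queue.popleft()
        events += 1
        src_org, dst_org = org_of[src], org_of[dst]
        if is_retaliation:
            retaliators.add(src_org)
        if not auto_retaliate or src_org == dst_org or (dst_org, src_org) in answered:
            continue
        answered.add((dst_org, src_org))
        # The victim 'identifies the attacker' as whoever owns the source IP and
        # disrupts every host there; each of those hosts now sees an attack from
        # dst and, under the same policy, answers it.
        for host, org in org_of.items():
            if org == src_org:
                queue.append((dst, host, True))
    return retaliators, events


if __name__ == "__main__":
    for policy in (False, True):
        who, n = hack_back_cascade(SAMPLE_ORGS, SAMPLE_BOTNET_HITS, policy)
        print(f"auto_retaliate={policy}: {n} attack events, retaliating orgs={sorted(who)}")
```

The real attacker is absent from every result because it is never the source IP anyone sees; the per-pair dedupe is what stops the model from looping forever, a brake the real Internet does not have.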

  2. Danger Will Robinson! by Anonymous Coward · Score: 2, Interesting

    What constitutes an attacker? Warning: PDF

    (C) the term ‘attacker’ means a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.

    If you want to be able to legally counter-hack a large group of people, all you need to do is spread a virus that will first infiltrate a lot of machines, then use those machines to start attacking your machine's IP. This allows you to take countermeasures, easily accomplished via a vulnerability that the existing virus leaves open. So let's take a look at some scenarios and the implications.

    I can imagine the RIAA and MPAA and their goons drooling over this capability. They can search for and destroy pirated materials, which of course would accidentally have many false positives. To get around the requirement to avoid destroying data, all they have to do is claim those files were infected (which the virus of course handles, providing 'proof').

    Facebook would love to know even more about you than they do now. Plausible deniability: 'it was just a bad ad, not our fault'. There's all sorts of Facebook malware out there, with many guides on how to deal with it.

    The government could use this scheme to justify their intrusions into your system. They can claim probable cause for anything they find while trying to ascertain the identity of the 'attacker'.

  3. Re:Backward by mysidia · Score: 1, Interesting

    "We thought they were the ones trying to hack us, see our logs? (cat log | sed -e 's/someip/theirip/g')"

    I would suggest formal Licensure for Cybersecurity professionals requiring Passing a practical Examination, also a Test, and committing to a code of conduct including No Espionage, Theft, or Disclosure of Data --- requiring any item of data unrelated to an attack be kept confidential and not shared, even with a boss, employer, or co-worker.

    Then have the bill so the Active Defense argument is ONLY valid for an individual Response reviewed and directed by a Licensed professional, Regardless of whether the Professional is a member of Law Enforcement or working in private industry, and Protects only the direct actions of the licensed professional, Not actions that automatically selected and committed a response without specified human judgement and scrutiny.

    Also, modify the act so Law Enforcement professionals Otherwise excluded from the Act are Subject to prosecution for any Hacking, If they don't have the same license.

    Any misbehavior such as Hacking an innocent system will be brought before a board, and their license will be revoked or, on a minor offense, suspended for a minimum of 5, 6, or 7 years.

  4. Re:A giant step ... sideways by rtb61 · Score: 3, Interesting

    Forget crashing a single computer. This has every opportunity of spreading out of control. Think hosted server falsely identifying an attack and then launching its own attack against another hosted server, which detects an attack and launches its own attack not against the hosted server but the server hoster and all other servers, who then retaliate. This then spreads to other server hosters who host servers from the same network, and you get the idea. Utterly moronic and the only purpose, the only true purpose, is to allow corporations to, whoops, sorry we attacked your political activist site by mistake, oh and the police raid and half a dozen people beaten up, well that's your fault for saying we do bad things. Basically corrupt politicians allowing corporations to use vigilantism to attack anyone they want for any reason they want based upon evidence they self-fabricate of a false flag attack, repercussion, zero. Next step corporations being able to send mercenaries to conduct a direct raid, ie private police.

    So I gather the penalty for a false defence attack is to be charged with a computer crime and imprisonment for the false defence attack, what no it isn't, let me fucking guess, there is no penalty whatsoever for a false defence attack (that's a solid sign of political corruption).

    --
    Chaos - everything, everywhere, everywhen