Slashdot Mirror


Bill Would Legalize Active Defense Against Hacks (onthewire.io)

Trailrunner7 quotes a report from On the Wire: A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack. Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions. The proposed legislation includes the caveat that victims can't take any actions that destroy data on another person's computer, cause physical injury to someone, or create a threat to public safety. The concept of active defense has been a controversial one in the security community for several years, with many experts saying the potential downside outweighs any upside. Not to mention that it's generally illegal.

12 of 96 comments

  1. What about government hacking? by hawguy · Score: 3, Insightful

    Do people get the right to disrupt police/FBI hacking of their devices as well? That's probably the only hackers that would actually be disrupted by this new law, since criminal hackers use someone else's computer to hack you -- if you hack back, you're only hurting some innocent third party that had *his* computer hacked.

    1. Re:What about government hacking? by AHuxley · Score: 2

      The NSA and GCHQ can do what they want as granted by a gov or whatever section of a gov they work for or got established by.
      Different US law enforcement agencies working in the US have to respond to Congress as that is who has oversight and can demand all paperwork over any policy, funding or staffing issue. Government lawyers redacting internal documents that go to Congress is not the best policy to hide issues.

      So the way around Congress for equipment interference is usually from third party staging servers and is made to look like any other normal company doing 'ads' or tracking or some expected packet flow.
      The US gov gets their IP lists, users just see another third party script, ad, tracker on a site. The other method is to turn the entire admin team and replace them with gov workers to keep a site/service running for a while.
      No need for equipment interference as the server is 100% gov.
      What the NSA or US police would like to do domestically but don't want to show in open court as the origin of an investigation, some trusted nation like Australia, the UK, NZ or Canada will report to provide a tip to the USA about. So domestic collect it all spying stays hidden from any US legal team in open US court.

      The really bad news is NATO, the wider EU and what the NSA and other US contractors shared with such nations.
      The US gave its very best tools and hardware to a lot of different EU nations, not just their top police forces or foreign intelligence services. Random gov/mil staff all over NATO and the EU got to work on projects. Smaller EU nations are now operating within the USA with NSA-like methods for their own governments' domestic politics.
      So what might seem like the NSA in the USA using a very complex staging server could be some random NATO or EU nation now doing their own covert work to collect it all in the USA. The results of such NATO or smaller EU nations can then enter the press for very party political reasons.
      The US has lost its keys to global crypto thanks to trusting new EU nations beyond the Five Eyes nations who had kept US secrets for decades.
      The NSA can't get its older network tools back as too many nations' mil/police and contractors got/made/found/shared copies.
      So any one of 20 nations could be looking out for their own domestic self interest and try some very advanced equipment interference.
      The CIA also has its own vast global collect-it-all network that's very different from the NSA so it never has to ask the NSA for help.
      Different US federal agencies have also given or offered very advanced US hardware to their friends in the EU to track crime. Hearts and minds. Such staff in other nations are very supportive of helping the US with any and all later requests thanks to that trust with advanced software or hardware.
      The US is never informed that such methods are passed around and used globally beyond the original case or taskforce.
      Contractors who worked for or with a mil/gov get to see such methods and then work for the private sector, walking out with the advanced US software and hardware needed to ensure they can attract clients in the private sector years later.
      So a lot of teams, nations, contractors move around networks with a lot of different advanced US only methods.
      All the enduser will see is a perfect supported site or server or a staging server selling ads from some front company.
      Or old malware that AV can detect that reports back to a staging server that could be anyone.
      "OPERATION SOCIALIST The Inside Story of How British Spies Hacked Belgium’s Largest Telco" (December 13 2014)
      https://theintercept.com/2014/...
      "Under the conditions of a non-disclosure agreement, they could not speak about what they had found, nor could they publicly warn against the malware. Moreover, they were not allowed to remove the malware."
      Such changes to US laws will only encounter many different nations and their contractors in the wild that are totally protected by their own nations.

      --
      Domestic spying is now "Benign Information Gathering"
  2. eHolocaust by Roger+W+Moore · Score: 3, Interesting

    Way too vague, neither "disrupt" nor "continued unauthorized activity" is defined; this'd very quickly result in these so-called victims just using DDoS against anyone they disagree with.

    Even a strict interpretation will lead to an eHolocaust. Attacker hijacks a machine in company A and uses it to attack company B. Company B retaliates against the machine in company A. Company A detects attack from company B and returns the favour. Multiply that by all the machines in a botnet and you can kiss goodbye to the internet.

  3. Danger Will Robinson! by Anonymous Coward · Score: 2, Interesting

    What constitutes an attacker? Warning: PDF

    (C) the term ‘attacker’ means a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.

    If you want to be able to legally counter-hack a large group of people all you need to do is spread a virus that will first infiltrate a lot of machines, then use those machines to start attacking your machine's IP. This allows you to take countermeasures, easily accomplished via a vulnerability that the existing virus leaves open. So let's take a look at some scenarios and the implications.

    I can imagine the RIAA and MPAA and their goons drooling over this capability. They can search for and destroy pirated materials, which of course would accidentally have many false positives. To get around the requirement to avoid destroying data all they have to do is claim those files were infected (which the virus of course handles, providing 'proof').

    Facebook would love to know even more about you than they do now. Plausible deniability: 'it was just a bad ad, not our fault'. There's all sorts of Facebook malware out there, with many guides on how to deal with it.

    The government could use this scheme to justify their intrusions into your system. They can claim probable cause for anything they find while trying to ascertain the identity of the 'attacker'.

  4. Better define "Attack" by Nkwe · Score: 2

    An attempt to create a TCP connection to an Internet connected machine is not an attack, or I at least hope not. I would hate to click on a link, be taken to a site that considers a regular connection as an attack, and be subject to legal retaliatory hacking. How about a ping? It would be bad if packets blocked by a firewall are considered an attack...

    1. Re:Better define "Attack" by mysidia · Score: 2

      An attempt to create a TCP connection to an Internet connected machine is not an attack

      One attempt is not. But many attempts to create a TCP connection, including randomized or incrementing destination attempts, can be viewed as an attack. Either as a flood, or as an obvious invasive "probe" to attempt to gain reconnaissance for hacking the system.
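As an added illustration of the distinction mysidia draws (this is not code from the thread), the following heuristic separates a single connection attempt from a port sweep or a flood in constructed iptables-style drop logs; the log format, the addresses and the thresholds are assumptions, and attempts are counted per source over the whole sample rather than a sliding time window.

```python
import re
from collections import defaultdict

# Matches the source address and destination port of an iptables-style log line (assumed format).
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def make_line(src, dpt, spt):
    """Build one constructed firewall DROP line in an iptables-like format."""
    return (f"Apr 10 12:00:01 fw kernel: DROP IN=eth0 SRC={src} DST=203.0.113.5 "
            f"PROTO=TCP SPT={spt} DPT={dpt} SYN")


# Constructed sample log: one lone attempt, an incrementing sweep, a randomized
# sweep, a single-port flood, and an unrelated sshd line that must be ignored.
SAMPLE_LOG = (
    [make_line("198.51.100.7", 443, 51000)]
    + [make_line("198.51.100.9", p, 40000 + i) for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    + [make_line("198.51.100.11", p, 42000 + i) for i, p in enumerate([8080, 23, 3389, 445, 22, 5900])]
    + [make_line("198.51.100.20", 80, 50000 + i) for i in range(60)]
    + ["Apr 10 12:00:09 fw sshd[123]: Accepted publickey for ops"]
)


def classify_sources(log_lines, probe_threshold=5, flood_threshold=50):
    """Return {src: (verdict, attempts, distinct_ports)} for each source seen in the log.

    Thresholds are assumed values for illustration, not tuned recommendations.
    """
    attempts = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP connection attempt; skip
        attempts[m["src"]].append(int(m["dpt"]))
    verdicts = {}
    for src, ports in attempts.items():
        distinct = set(ports)
        if len(distinct) >= probe_threshold:
            # Many distinct destination ports: a sweep; report whether the ports
            # arrived in strictly increasing order or look randomized.
            incrementing = all(a < b for a, b in zip(ports, ports[1:]))
            verdict = "probe (incrementing ports)" if incrementing else "probe (randomized ports)"
        elif len(ports) >= flood_threshold:
            verdict = "flood"  # many attempts, few ports
        else:
            verdict = "benign"  # one or a handful of attempts is not an attack
        verdicts[src] = (verdict, len(ports), len(distinct))
    return verdicts
```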

  5. Backward by s.petry · Score: 2

    This would allow vigilantism and encourage anti-competitive attacking. "We thought they were the ones trying to hack us, see our logs?" (cat log | sed -e 's/someip/theirip/g')

    As much as I hate big Government, I would rather see an easy to interface with government agency with law enforcement capabilities handling this. In fact, isn't that what the NSA is supposed to be for?

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Backward by ShanghaiBill · Score: 4, Insightful

      I would suggest formal Licensure for Cybersecurity professionals

      Licenses mean compliance with a bureaucratic checklist, which is very different from actual competence. In a fast evolving field like computer security, the checklist will lag actual best practices by about a decade. Most existing formal computer certifications are widely considered to be negatively correlated with competence, so the track record is not good.

    2. Re:Backward by professorguy · Score: 3, Insightful

      So what you're saying is, a well regulated militia should be the only ones able to wield these weapons?

  6. Re:A giant step ... sideways by hey! · Score: 3

    Well, according to TFA the "active defenses" consist of "consisting of accessing without authorization the computer of the attacker to the victim's own network to gather information in order to establish attribution of criminal activity."

    So it sounds innocuous, but I do see a problem: it's a bit like pulling yourself up by the bootstraps, isn't it? You get permission to poke around on the attacker's network... to prove he's the attacker. It's not hard to dream up a lot of squirrely corner cases for that.

    Also "active defense" of this sort provides the perfect cover... for hacking. You infect a competitor's computer network to launch an ineffective attack on your own, and then you invade his network with legal impunity.

    It's not impossible to do a law like this right, but what are the chances?

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  7. Re:A giant step ... sideways by rtb61 · Score: 3, Interesting

    Forget crashing a single computer. This has every opportunity of spreading out of control. Think hosted server falsely identifying an attack and then launching its own attack against another hosted server, which detects an attack and launches its own attack not against the hosted server but the server hoster and all other servers, who then retaliate. This then spreads to other server hosters who host servers from the same network and you get the idea. Utterly moronic and the only purpose, the only true purpose, is to allow corporations to, whoops, sorry we attacked your political activist site by mistake, oh and the police raid and half a dozen people beaten up, well that's your fault for saying we do bad things. Basically corrupt politicians allowing corporations to use vigilantism to attack anyone they want for any reason they want based upon evidence they self fabricate of a false flag attack, repercussion, zero. Next step corporations being able to send mercenaries to conduct a direct raid ie private police.

    So I gather the penalty for a false defence attack is to be charged with a computer crime and imprisonment for the false defence attack, what no it isn't, let me fucking guess, there is no penalty whatsoever for a false defence attack (that's a solid sign of political corruption).

    --
    Chaos - everything, everywhere, everywhen
  8. Re:A giant step ... sideways by ShanghaiBill · Score: 2

    It will also provide the perfect defense for any hacker that gets caught: "He hacked me first!"