Navigating the Nuances of Congress’ Proposed Hack Back Bill

An eye for an eye, right? In 2017, members of Congress originally introduced the “Active Cyber Defense Certainty Act,” or, as it has more commonly become known, the “Hack Back Bill.” In short, this bill would allow companies that have been victims of a data breach or other cyber event to seek vigilante justice against their attackers.

While the proposed bipartisan bill did not become law when it was first presented two years ago, the cyberthreat landscape has changed quite a bit since then, and the act was reintroduced last month. So, what legal protections would this bill provide compromised organizations? What are the cybersecurity and legal implications? Are we in the early beginnings of the Cyber-Wild, Wild West?

This blog will give a comprehensive overview of the bill, look at it from a technical and legal perspective, and provide insight on proactive measures that reduce the recovery effort after an incident.

What is the Hack Back bill?

Backed by representatives Tom Graves and Josh Gottheimer, the Hack Back Bill recognizes the sophistication, severity, and rapid increase in cybercrime targeting businesses of all sizes. In addition, the writers note that with the rise in cyberthreats, law enforcement officials lack adequate resources and struggle to respond to and prosecute cybercrime in a timely manner.

In response to the difficulty in prosecuting these crimes, the bill’s 14 co-sponsors hope to allow companies to use active cyber defense measures (aka “hack back”) against threat actors that have compromised their systems and data, in order to collect evidence of illegal cybercriminal activity for law enforcement. However, like any law, this bill comes with its own guidelines.

The bill allows companies to:

  • Establish attribution of criminal activity to share with law enforcement and other U.S. government agencies responsible for cybersecurity.
  • Protect or delete data from a threat actor’s systems.
  • Disrupt continued unauthorized activity against the victim’s network.
  • Monitor a threat actor’s behavior to assist in developing future intrusion prevention or cyber defense techniques.

The bill does not allow companies to:

  • Intentionally destroy information that does not belong to the compromised organization
  • Recklessly cause physical harm or financial loss
  • Create a threat to public health or safety
  • Intentionally exceed the level of reconnaissance required on an intermediary (third-party) device to allow for attribution of the origin of the attack
  • Intentionally gain intrusive or remote access to an intermediary’s (third party’s) computer
  • Intentionally and persistently disrupt a person’s or entity’s internet connection
  • Create activity that impacts national security, government computers, or computer systems used by or for government entities for the furtherance of the administration of justice, national defense, or national security.

The text also outlines that any organization who uses active cyber defense measures must give advance notice to the FBI National Cyber Investigative Joint Task Force of:

  • The type of cyber breach or intrusion the victim is experiencing
  • The intended target of the reconnaissance mission
  • The steps the victim plans to take to gain evidence
  • The steps they plan to take to prevent damage to intermediary computers not under the ownership of the attacker
  • Any additional information requested by the FBI to assist with oversight.

Cyber and Legal Implications of the Bill

The Active Cyber Defense Certainty Act is essentially a cyber self-defense protection. However, just like any self-defense law, allowing individuals to take matters of justice into their own hands comes with great power and great responsibility.

Traditionally, from a victim’s perspective, post-incident protocol is all about collecting evidence from your own infrastructure and reporting it to law enforcement, hoping, of course, that officials are able to respond to your request in a timely manner. The infiltrated party is tasked with preserving the chain of custody of that evidence and running an incident response process whose results can hold up in a court of law.

The “Hack Back Bill” introduces a new opportunity to gather evidence from the malicious entity’s network, as opposed to just your own, under the protection of the law. This uncharted territory of cyber self-defense also opens up a rabbit hole of technical unknowns and potential legal issues.

From a technical standpoint, there are likely very few people qualified to “hack back” a threat actor. Though the intentions may be good, having untrained and unqualified individuals seeking justice widens the margin for error. Simply hitting one wrong key could potentially bring down a device or network or unintentionally create new vulnerabilities, ultimately causing more harm than good.

Additionally, you could potentially create risks for third-party organizations that are unknowingly caught in the crossfire. Attackers can masquerade as third parties or use a previously compromised third-party machine to compromise your organization. In this scenario, you could wind up hacking back an organization that was never explicitly involved to begin with, now making you the bad guy.

Furthermore, emotions begin to get involved and cloud the judgement of the defender and/or the original hacker. Once you show that you’re aware of the attack and are taking measures to gain evidence, the original hacker could become further agitated and cause more harm. Alternatively, if emotions are heightened during your reconnaissance mission, you risk making harmful or illegal decisions in the name of justice or revenge.

From a legal standpoint, there are also gray areas in terms of preservation of evidence, chain of custody, third-party involvement, and much more. Will individuals need to have training or a certification before being able to “hack back”? If a business hires an unlicensed third party, whether it be a friend, a freelancer, etc., is the organization still protected if something were to go wrong? Can your company still be sued when proper notice was given and the plan accepted prior to trying to “hack back”? There are also questions regarding accountability and the handling of international hack backs.

If passed into law, much of this bill, like any other, will be figured out through trial and error. The first trial and error scenario concerns the communication and dealings between businesses and the FBI National Cyber Investigative Joint Task Force (NCI-JTF). Currently, there is a proposed system on how to move forward following a breach, i.e. providing advance notice with specific requirements, but we don’t know how it’s going to work from there. Will the FBI be working with organizations? Will they provide a list of necessary steps to take? We’re not sure yet. The purpose is to bring the FBI into the loop before individuals set out on active cyber defense measures. Since this type of system hasn’t been used before, it’ll have to play out first in order to understand best practices.

The second trial and error scenario will be in terms of trial cases and setting precedents regarding the ramifications of an organization going outside the bounds of the bill to retrieve evidence. Will nonadherence to NCI-JTF warrant an automatic fine? Can the accidental harm of an intermediary party be great enough to rise to damages even if the hack back was performed properly? Courts will more likely than not require the proof of intention when assigning liability in future litigation on this matter.

This bill is a double-edged sword in the sense that it opens up both a lot of uncertainties and a lot of possibilities. Many times a bill is brought forward out of necessity and to show companies that something is being done about the adverse action addressed in the proposed legislation, in this case, hacking. From there, the intricacies and technicalities of the bill are figured out along the way. Trial and error isn’t bad; in fact, it’s necessary to learn best practices and set precedents.

Preparation vs. Reconnaissance

In a perfect world, there would be no need for this proposed law and organizations would be prepared to combat threats with adequate security measures up front, as opposed to needing a safety net after the fact. However, we don’t live in a perfect world and cyberattacks are continuing to rise.

It’s always best practice to set up security measures to prevent these types of attacks using layered security, strong passwords, educating employees, etc. Hackers are creative though, and where there’s a will, there’s a way. More and more organizations are adopting an assumed breach posture. That’s why creating a comprehensive incident response plan—perhaps with an active cyber defense plan built in—is crucial to the safety and security of your organization.

Watching Congress and the cyber defense world merge together for the passing of this bill is a sight to see. Many people in government and the legal sphere don’t have the background to know the nuances of technology, but they are quickly learning and trying to take action. The more open all parties are to trial and error, the easier it will be to navigate this new territory of active cyber defense measures. There will be bumps, there will be bruises, and this may take years to hammer out its imperfections, but with the limited resources and time available to handle every attack reported to authorities, the Hack Back Bill presents another option for organizations that are properly equipped to seek out their own justice.
