Highway to hell
It’s the bad idea that just won’t die: The Active Cyber Defense Certainty (ACDC) Act. Earlier this month Representatives Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) issued an updated version of the proposed bill that would allow companies to take offensive action if a “persistent” and unauthorized cyber intrusion is identified. The bill’s stated aim is to counter some of the restrictions placed on companies by the antiquated and contentious Computer Fraud and Abuse Act (CFAA) of 1984, and to empower companies that have been victims of cyber crime to aid law enforcement in fighting cyber fraud and “related cyber-enabled crimes [that] pose a severe threat to the national security and economic vitality of the United States.” It’s a noble cause, to be certain, but the reality of the bill leaves ample room for interpretation and does not “[clarify] the type of tools and techniques that defenders can use that exceed the boundaries of their own computer network,” as promised. In fact, the language in the bill is so vague it could, theoretically, be used to prove that a victim company acted recklessly when actively “cyber defending” its own computer networks.
Before we go much further, though, let’s address the issue of active cyber defense, which is what the bill supposes to aid. In the security community, many have dubbed the ACDC Act the “hacking back” bill, but as Ed Moyle of Security Curve wrote so eloquently in his blog post, “Hack-Back is NOT Active Defense,” hacking back is…well, not the same as active defense. To summarize, active defense uses techniques and tools like beaconing, honeypots, and client hooks to catch criminals or would-be criminals. Hacking back would require the victim organization (who becomes the aggressor, since it’s now doing the attacking??) to gain unauthorized access to the organization that breached its network(s). The ACDC Act specifically lays out that acceptable active cyber defense measures include:
“Accessing without authorization the computer of the attacker to the defender’s own network to gather information in order to:
Importantly, the bill then adds that any destruction, modification, or removal of information—even if the information found by the defender is its own—is prohibited. The defender-turned-aggressor may not cause any harm, install backdoors or remote monitoring capabilities, or disrupt the attacker-now -attacked organization’s systems or data. Tricky, isn’t it?
For purposes of this post, I won’t delve into the perils of hacking back, the challenges and inaccuracy of adversary attribution, the fact that cyber crime knows no geographical boundaries (the bill only applies to US companies accessing attacker networks in the US), how easy it is for criminals to make traffic appear to stem from innocent third-party networks/IP addresses, etc. This skew has been covered in many, many other articles and blog posts.
Instead, the rest of this post will be dedicated to why this bill is not only not necessary—because active defense isn’t illegal, and because of reasons stated in the previous paragraph—but how passing this bill could cause the adverse effects.
As a community, information security is attracted to what’s new, what’s exciting. Of course we are! This is a generalization that could apply to any population (except, maybe, accountants??). The problem with this in security, though, is that when security practitioners are hyper focused on zero-day exploits, active malware variants, widespread attacks (e.g., Mirai, WannaCry, the Experian breach), etc. basic blocking and tackling—security fundamentals—are discarded in favor of research into emerging trends and live incidents. Security teams, on the whole, struggle with attending to many of the things that would keep their organizations more secure: better password policies/practices, implementing 2- or multifactor authentication, up-to-date asset inventories, encryption of sensitive data, patch management, vulnerability testing, etc. Though the security basics are well known and proven to mitigate incidents, they don’t incite excitement. The ability to go after the bad guys? Now that’s exciting!
Taking a step back, many security basics are typically pre-incident activities. Once an incident is discovered, patching a vulnerable system or changing employees’ passwords won’t stop what has already happened (you can’t change the past, sadly). However, covering the basics during an incident might minimize additional damage and reduce the possibility of future incidents. For argument’s sake, let’s remove “prevent” and “detect” processes from the equation and concentrate on response, which is when the ACDC Act would come into play.
When incident response is needed, the organization should execute the incident response plan (which was obviously developed and tested pre-incident…). At this point, the security team’s focus should be on containing the incident and assisting with forensics, recovery, and restoration. Now, assigned duties will vary depending on the number of an organization’s resources, but up to 82% of companies lament a lack of cybersecurity staff. What, then, will happen if the already-stretched security team gets the green light to hack back? Incident response, in and of itself, is a security “basic” and should receive the highest level of attention when required, like during an incident. If security teams have the choice of handling basics or applying offensive measures, what will happen to the basics? Probably what already happens to the basics—they’ll take a back seat to other, more interesting things, like trying to find the adversary and monitor his/her activities.
The ACDC Act is a slippery slope for many reasons, but fundamental security is one area earning short shrift in this discussion. As it often does. Unless an organization has sufficient resources to both respond to an incident and find the adversary, response should always be the priority. Could organizations create policies that dictate, “IR first, ACDC after”? Sure, but the most compelling activity will always prevail, if history has taught us anything. While it’s encouraging to see elected officials taking cybersecurity seriously, the ACDC Act is unlikely to do more good than harm, at least until the government learns the nuances of what they’re trying to solve.
Attend InfoSec World 2018 in Orlando, Florida, March 19-21, 2018 to try your hand at an incident response tabletop exercise. Work with colleagues in a mock setting that will prepare you for a real-life incident in "Beware the Ransomware."