A new bill could be the first step in companies being able to “hack back” at bad actors – but doing so could come with major risks, experts say.

WASHINGTON: Two members of the Senate Finance Committee have introduced a bipartisan bill that instructs the Department of Homeland Security to study the “potential consequences and benefits” of allowing private companies to hack back following cyberattacks.

Sens. Steve Daines, R-Mont., and Sheldon Whitehouse, D-R.I., introduced the legislation as frustration over repeated cyberattacks against US companies has led to growing calls across the national security community and the private sector for retaliatory action. Some, including military legal advisors, are now calling for the US to revisit its policy on offensive military cyber operations, especially in response to the increasing number of ransomware attacks targeting the public and private sectors.

The draft Study on Cyber-Attack Response Options Act tells DHS to study “amend[ing] section 1030 of title 18, United States Code (commonly known as the Computer Fraud and Abuse Act), to allow private entities to take proportional actions in response to an unlawful network breach, subject to oversight and regulation by a designated Federal agency.”

DHS’s report would provide recommendations to Congress on the “potential impact to national security and foreign affairs.” Specifically, the report would address the following issues:

  • Which federal agency or agencies would authorize “proportional actions by private entities;”
  • Level of certainty in attribution needed to authorize such acts;
  • Who would be allowed to conduct such operations and under what circumstances;
  • Which types of actions would be permissible; and
  • Required safeguards to be in place.

“The Colonial Pipeline ransomware attack shows why we should explore a regulated process for companies to respond when they’re targets,” Whitehouse said in a statement to Breaking Defense. “This bill will help us determine whether that process could deter and respond to future attacks, and what guidelines American businesses should follow.” (A request for comment to Daines’s office was not returned by publication.)

The idea of allowing companies to retaliate in response to cyberattacks is not new. Former Rep. Tom Graves introduced a similar bill in 2017 that ultimately failed to gain steam. Also not new: the tricky issues that will surround hacking back, regardless of whether the retaliation comes from a government or private entity.

The issue is not technical capability. Many cybersecurity companies employ penetration testers, cyber experts highly skilled in offensive tactics, techniques, and procedures. These companies are often hired by businesses and governments to hack their networks, with advance permission and according to guidelines, in order to uncover vulnerabilities before the bad guys find them.

There is also some precedent for private-sector involvement: US tech companies have in the past worked with CYBERCOM and the FBI to take down cybercriminal infrastructure, though those operations were coordinated with, and led by, the government.

Rather, some of the trickiest topics revolve around seemingly simple issues such as basic definitions.

“It’s all very fuzzy about what it means to hack back,” Herb Lin, an expert on cyber policy and strategy at the Center for International Security and Cooperation and Stanford University’s Hoover Institution, told Breaking Defense in an interview. “I don’t know what it means to hack back. It’s emotionally satisfying, but you have to ask yourself: What is it that you’re trying to accomplish? And until someone can tell me what they’re trying to accomplish by it, it’s a bad idea, because it’s giving someone a gun and not knowing what they’re going to shoot and why, and if it will do anything to solve the problem.”

Additional ambiguities revolve around policy and legal issues, such as determining the level of confidence needed in attributing cyberattacks before authorizing retaliation and specifying “proportional actions.” These issues and others have bedeviled nation-states for years as international bodies have tried — and failed — to establish agreed-upon “cyber norms.”

“So you’re going to allow the general counsel of [some company] to be determining what’s proportional? Is that what [hack back] means? It’s unclear to me that I want some [company’s] general counsel to be determining what could be counted as a use of force under the UN Charter,” Lin said.

There are also issues around potential mistakes and blowback.

“The problem with hitting back is that [threat actors] almost certainly use stolen infrastructure,” Lin observed. “So what will happen is you’ll be destroying your grandmother’s computer in Kansas that has been taken over. It’s not clear to me that that’s the best way.”

James Lewis, a cyber policy expert at the Center for Strategic and International Studies, also sees risks in such a policy. “Putting aside the fact that [companies hacking back] can make mistakes, they may not be as careful about collateral damage or retribution. Those are serious problems,” Lewis observed.

Lewis also pointed to a broader issue: “Why don’t you see more privateers? The answer is because no privateer can stand up to a navy. And so no private hacker is going to be able to stand up to [the Russian Foreign Intelligence Service], or the [Chinese Ministry of State Security], or the [Iranian Islamic Revolutionary Guard]. It would be a bold general counsel who would let his company attack one of those groups, because they will retaliate.”

“This isn’t badminton,” Lewis continued. “The IRG, probably one of the toughest groups in the world, and you want to play? You want to dance with them? Okay, have fun!”