ACDC Is ‘Stand Your Ground’ Cybersecurity Legislation

Representative Tom Graves (R-GA) released federal cybersecurity legislation in February 2017 (with updates in May) called the “Active Cyber Defense Certainty Act,” or ACDC. It’s intended to make it legal for victims of hacking attacks to “hack back” as a means of defense.


To qualify for the provisions in the bill, which rolls back measures in the Computer Fraud and Abuse Act (CFAA), a few conditions would have to be satisfied. The threat would have to be persistent; if the threat activity had already taken place and the threat was no longer present, you couldn’t hack back. But if it is still present, the victim can undertake activities to gain access to the attacker’s network(s) and computer(s) to gather information that establishes attribution of criminal activity, to share with law enforcement. The provisos are that the hack back may not destroy the information stored on the systems of another, cause physical or financial injury to another, or create a threat to public health and safety, and may not exceed reconnaissance activities on intermediary computers.

It’s an interesting proposition. While it conjures up colorful imagery in one’s imagination, such as a cyber action thriller where our protagonist lashes back at the threat actor or group, the reality would be much less entertaining, if possibly equally dramatic.

Consider first that, unless the environment is very well monitored, threat actors are rarely caught in the initial act. According to the Ponemon Institute’s report on breach costs in the U.S. for 2016, the mean time to detect and identify a corporate breach in 2016 was 191 days. In the same report, the mean time to contain a breach was 58 more days. Also, consider that it is difficult, and sometimes impossible, to tell exactly where the attacks originate. For instance, hackers will jump from server to server, creating a chain of connections, with only the last one opening a connection into the intended victim’s network. This is one way to obscure the attacker’s actual location. If you hacked back against that last server, you would be hitting another one of the hacker’s victims, not the hacker themselves.

 


Most compelling is speculation about what techniques victims would employ to hack back. Would the victims avail themselves of hacker toolsets, marketed illegally? That would expose the victims to risk, as in the recent story of a group of cybersecurity researchers that started a crowdfunding campaign to raise $25,000 to purchase Shadow Brokers’ exploits. The crowdfunding hacktivists intended to use the exploits to notify vendors of their vulnerabilities in advance of the exploits hitting the underground market. But they cancelled their campaign upon realizing the legal problems they would encounter if they bought stolen exploits and hacks from a criminal organization. Of note is that Shadow Brokers recently sold the stolen NSA exploit that led to the WannaCry ransomware outbreak of May 2017.

Given the market that such a bill would create, i.e., legalized hacking by demonstrated victims, the threat landscape would change dramatically. Because victims would lack the resources to hack back themselves, a market would be created for Hack Back As A Service (HBaaS perhaps). Who could or would legally provide such a service? Would laws be further changed to allow the marketing and sale of legal hacking toolkits? It doesn’t seem very feasible, as countermeasures for known functionality would certainly follow.

ACDC doesn’t look like a reasonable, practical or sustainable effort, and it seems like it could create a lot of uncertainty and confusion.

Who will determine that the threat is persistent? How can the length of the “hack back” and its impacts be controlled? From a corporate perspective, it’s better to close vulnerability gaps, raise security awareness, monitor key security events, manage your attack surface, and keep up with a changing threat landscape. What do you think of this proposed ACDC cyber legislation?


About CIPHER

Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services holding ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions.
