‘Active-defense’ Techniques Supports Revised ‘Hack Back’ Bill
By Prempal Singh
An updated version of the Active Cyber Defense Certainly Act (ACDC) or Hack into Back bill, introduced today by Rep. Tom Graves (R-Ga. ) would require mandatory reporting by organizations “that use active defense techniques, which supports federal legislation enforcement ensure defenders use these tools responsibly” and includes a “sunset terms to ensure that The legislature revisits the changes made by the bill after two years to make further updates or adjustments.
The bill, which would give cyber attack suffered the go-ahead to get back against their attackers, was modified to include an exception that would allow a victim to retrieve or destroy their own data located through active defense techniques authorized by the bill provided it data belonging to another person is not destroyed in the process.
Graves, after soliciting comment from the business community, lawmakers, internet policy pros and academic instruction, adjust the proposed laws to include clarification that financial injury is banned and expands the description of “‘active cyber defense’ actions delivered to monitor an attacker to be able to help develop better cyber security techniques” as well as providing additional safeguards for intermediary computers to reduce or eliminated security harm. The new iteration also contains “a specific {exclusion in the Computer Fraud and Abuse Act (CFAA) for beaconing technology.
The Georgia lawmaker has claimed that if in play the proposed laws would have prevented the recent WannaCry attacks. Although the revised bill is an improvement over previous efforts, it’s not without its shortcomings.
“This type of bill is significantly better than prior tries that tried to create remedies for victims to recover against attackers (who can never be seen and, thus, the security illusory), ” said Robert Overly, a Los Angeles-based cyber security legal professional at Foley & Lardner LLP.
Nevertheless Overly said while “being more proactive would certainly be useful” any such “efforts should be done responsibly and serious thought put into the consequence if those efforts, themselves, harm innocent parties.
This sort of bill, he said, “tends to induce businesses to ‘take their vision from the ball, ‘ which is preferable securing their systems from the outset” and might not be necessary to prevent something such as WannaCry.
“Recall that the overpowering majority of the WannaCry attacks could have recently been prevented in their whole simply by sticking with decades old, basic security procedures, promptly implementing security patches, ” said Excessively. “So while it is useful to think about attacking the attackers, the truth is that those efforts may have a very limited actual effect (e. g., cyber criminals don’t all launch their attacks from the same servers or use the same geographic location). Consequently, a defensive attack may cause nothing more than shutting down one server of thousands being used to launch malware.
Overly suggested that “promptly implementing security patches and thoroughly training personnel” would be more useful. “If just those two areas are addressed, every business of every size and of ever type could considerably enhance their protection, he said. “Consider that against using limiting costs and resources to try to preemptively attack assailants – an unproven strategy, at best. ”
Source: www.scmagazine.com