Historically, "hack back" bills have failed to provide a set of circumstances that would justify a retaliatory cyberattack.
But cybersecurity is an art, not a science, leaving room for adjustment.
The latest iteration of the bipartisan Active Cyber Defense Certainty Act (ACDC) is challenging how private entities terminate, or at least track through beacons, a cyberattack aimed at them, according to the bill.
An example of a company using beacons is intentionally poisoning or corrupting the files stolen by a bad actor. When someone who stole the files runs a program on their system, it sends the IP back to the initial victim.
"I like to think of it as the dye packs used by banks," Rep. Tom Graves, R-Ga., the ACDC's co-sponsor, told CIO Dive in an email. If cash is stolen from a bank, the dye released from the packs stains the money, leaving it useless.
In June, the bill was referred to the House Subcommittee on Crime, Terrorism and Homeland Security. If passed into law, the ACDA would make changes to the Computer Fraud and Abuse Act (CFAA), essentially absolving companies from legal ramifications for pursuing defensive cyber activities and beacons.
"Beaconing will be an important asset for companies looking to keep tabs on their data," said Graves. If used as intended, entities can track their data in the event of a breach.
But critics argue the bill lacks guidelines of when or why a company should pursue a offensive cyberattack.
Hacking back "can be done responsibly, but there's nothing in the bill that addresses that," said Herbert Lin, senior research scholar for Cyber Policy and Security at Stanford's Center for International Security and Cooperation, in an interview with CIO Dive, referring to appropriate use cases.
Time for an update
The CFAA, enacted in 1986, prohibits entities that overstep their computers' boundaries, including white hat operations.
Though prosecution of white hat hackers and researchers are few and far between, the CFAA treats everyone as "the bad guy," without differentiating the locksmiths and the robbers, Casey Ellis, CTO of Bugcrowd, told CIO Dive.
The ACDC wouldn't change penalties for unauthorized access, but it would allow for "legal defense for such access in cases where self-defense is clearly justified," said Graves. "The bill makes clear that if a person is inadvertently impacted by active-cyber defense, their right to sue for civil damages or injunctive relief is preserved."
White hat hacking, however, is an issue left unaddressed by the ACDC.
The proposed updates come after the federal government's changes for its active cyber defense policies. Last August, the Trump administration rescinded an Obama-era protocol, Presidential Policy Directive 20, which required government agencies to consult with one another before launching a cyberattack.
When the directive was signed in 2012, those critical of the measure said it would cause overly-shy and restrictive offensive cyber operations.
Now, however, the U.S. Cyber Command doesn't need permission from the White House to initiate cyber operations. It can conduct hacks as long as they don't violate the laws of war.
Given the new aggressive stance of the government, said Lin, "do we really want to encourage private sector entities to do stuff that might look like that?"
Though Graves expects the use of beacons to become common practice, critics warn a liberal approach to beacons is dangerous.
The main concern of hack back laws is the potential of unnecessary escalation, leading entities to "go where it shouldn't go," said Ellis. Suddenly, a private sector company could overreach its authority.
It "starts off with hackers and ends with troops on the ground," he said.
To beacon or not to beacon
Right now, the use of beacon technology is a violation of the CFAA and illegal. But Graves, who first proposed a bipartisan iteration of the bill in 2017, and now co-sponsor Rep. Josh Gottheimer, D-N.J., want the use of beacons legal.
The ACDC would allow entities to identify the unauthorized party, using beacons, and monitor attacker behavior to "assist in developing future intrusion prevention," according to the bill.
While the financial demands of beacons is low impact, a bill like the ACDC could entirely change cybersecurity's incentive, according to Lin.
There is a difference between using the right to hack back as the last resort or the first line of defense.
Justifying offensive cyberattacks for a company with existing security that failed and a company that "leaves the front door open" takes opposing stances on when to use hack backs, according to Lin.
In the latter case, "the victim has been totally irresponsible" and "now they have the gall" to venture outside their network to find the intruder, he said.
Graves maintains the bill was never written as a first resort security measure. It was written for entities with existing rigorous cybersecurity programs, that are still, despite best efforts and investments "beaten by criminals."
The safety net beacons allow should more or less supplement existing cyber defenses.
Cons of hacking back
While having the legal backing of the ACDC could make a company feel more relaxed with its use of active cyber defense, it doesn't insulate anyone from breach-related ramifications.
Even if a company were to deploy beacons in an effort to stop an attacker or track stolen data, "the bird's already flown the coop," said Ellis.
Hack back bills draw controversy and confusion for a number of reasons:
What if the attribution is incorrect?
How frequently should entities use beacons?
What justifies the use of beacons?
Is the ACDC written for every entity, regardless of size and scope?
Will companies use beacons as part of everyday security practices?
Graves and other lawmakers are consulting with industry. He received feedback from businesses, academics and cybersecurity policy experts when the first ACDC draft for public review was posted in March 2017.
While the bill awaits its fate on the Hill, Graves expects further input from the tech and cybersecurity industry.