Per usual, Stewart Baker wrote a wonderful article for The Volokh Conspiracy recounting a Luxembourger’s actual hackback against Mandiant’s famed APT1, or what is most likely PLA Unit 61398. In doing so, Baker came out forcefuly and persusaively against the DOJ’s stand on hackback/active defense/mitigative counterstriking. That stance is that hackback (but perhaps not active defense?) is a bad idea, for both reasons of law and policy.
Here’s a report by Paul Rascagnères–the aforementioned Luxembourger with balls of steel–exploring just how he did it. Mr. Baker went into a nice discussion of Mr. Rascagnères’ efforts (the report is very technical), so I strongly suggest looking to the article; I’ve left that discussion out here.
Having said that, I just have to quote a few of Mr. Baker’s thoughts on the DOJ’s stance:
Actually, the [DOJ] spokesman could have stated the Department’s policy [on hackback] even more concisely: “We don’t know how to protect you, but we do know how to keep you from protecting yourselves.”
Justice wants to cut off the debate over hacking back. But it’s too late for that. Even if Justice adopts something tougher than its carefully qualified (and longstanding) statement that hackbacks are “likely a violation” of federal law, all it can really do is drive hackbacks offshore, leaving US companies more exposed to intrusions than companies in more tough-minded jurisdictions.
. . .
Now we owe a lot to Paul Rascagnères, though he seems to have treated the Justice Department’s line the way Steve McQueen treated the fence in The Great Escape.
Well, God bless him, he’s showing us a new path to cybersecurity. It’s better than the old path, for sure. And no matter what the Justice Department says to American companies, the rest of the world is going to follow.
***
Via itnews’ Juha Saarinen, apparently the EFF thinks CISPA will enable companies to engage in hack back so “long as it’s done in good faith.”
And I’ll be damned, apparently there was an actual amendment that would have limited hackback. From the EFF’s website:
Another amendment (PDF) approved by the committee attempts to clarify whether or not a company can “hack back” at a suspected online threat. But just like the previous amendment, its intent is far different than its actual impact.
The amendment limits companies from acting beyond their own computer networks to gather threat information; however, it ignores another section of the bill that allows wide ranging acts in response to the perceived threat. The immunity section of CISPA covers any “decision made” based on information a company learns so long as it acts in good faith.
Again from the EFF’s website, here’s their interpretation of how CISPA allows for hackback:
CISPA provides companies with immunity “for decisions made based on cyber threat information” as long as they are acting in good faith. But CISPA doesn’t define “decisions made.” Aggressive companies could interpret this immunity to cover “defensive”—and what some would consider offensive—countermeasures like DDOSing suspected intruders, third parties, or even innocent users. Private defense contractors have already advocated for this power. These actions should not be allowed by such expansive wording. It leaves the bill ripe for abuse.
This is a huge loophole. A company could still use aggressive countermeasures outside of its own network as long as it believed the countermeasures were necessary for protection. This section could have been fixed by limiting the broad legal immunity given to companies. But it wasn’t. So the amendment still leaves the door open to abuse. A user’s only recourse is to prove a company didn’t act in “good faith,” which is notoriously hard.
2 Pingbacks