Full Report
John Strand // I wanted to take a few moments and address the “Hacking Back” law that is working people up. There is a tremendously well-founded fear that this law […] The post Debating the Active Defense Law.. Because Arguing is Fun appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Regulation/Compliance: Proposed Hacking Back Legislation Discussion
## Overview
This summary addresses a discussion concerning proposed legislation that would permit certain defensive cyber actions, often termed "hacking back." The core concern revolves around specific clauses allowing defenders to disrupt unauthorized activity on their own networks or monitor attacker behavior, which the author argues crosses a legal line by potentially impacting third parties or violating existing laws (like federal wiretapping statutes).
## Key Details
- Issuing Authority: Unspecified legislative body proposing the bill (context implies US federal law given references to federal wiretapping laws).
- Effective Date: Not applicable; the article discusses a *proposed* law as of November 2017.
- Jurisdiction: Implied US Federal (based on legal references).
- Status: Proposed (under debate).
## Requirements
### Mandatory Requirements (Based on Existing Law/Precedent Cited)
1. **Attributional Technology Use:** Technology used to track an attacker's location (e.g., IP address reporting) is acceptable, aligning with prior case law (e.g., *Susan-Clements vs. Absolute Software*).
2. **Prohibition on Intercepting Communications:** Defenders must *not* violate federal wiretapping laws by intercepting the electronic communications of the attacker when tracking, mirroring the line drawn in the cited case law.
### Recommended Practices (Implied by Author's Critique)
1. **Exclusion of Disruptive/Monitoring Clauses:** The author strongly suggests removing (or heavily tweaking) sections that allow defenders to:
   * Disrupt continued unauthorized activity against the defender’s own network (Section 3-2-bb).
   * Monitor the behavior of an attacker to assist in developing future intrusion prevention techniques (Section 3-2-cc).
2. **Focus on Detection, Not Degradation/Interference:** Organizations should focus on detecting threats without intentionally degrading attacker capabilities or impacting third-party systems.
## Affected Organizations
- Industries: Any organization that faces unauthorized cyber intrusions and is subject to the jurisdiction of the proposed legislation.
- Organization Size: Not specified, though impact is potentially sweeping.
- Geographic Scope: Implied to be national (US focused).
## Compliance Timeline
- **Current Status:** The proposed legislation is under discussion/debate.
- **Final deadline:** Not applicable, as the law is only proposed; compliance requirements hinge on its final passage and specific wording.
## Implementation Guidance
### Assessment Phase
- Assess current defensive technology capabilities against existing US federal laws (e.g., CFAA, wiretapping statutes) to ensure existing responses do not violate current prohibitions on unauthorized access or interception.
### Implementation Phase
- If the law passes, organizations must immediately review their incident response plans to excise any activities mirroring the proposed Section 3-2-bb or 3-2-cc, focusing defensive efforts narrowly on containment and data acquisition, not active interference.
### Validation Phase
- Legal review should validate that any use of attributional technology remains strictly limited to identifying location/IP and does not involve intercepting communications or degrading remote systems.
## Technical Requirements
- **Attributional Technology:** Allowed, provided it is used only to identify the location of the attacker (e.g., reporting IP address).
- **Prohibited Activities (If Law is Passed as Written):** Systems that actively disrupt or degrade ongoing attacker activity across their command and control infrastructure or monitor third-party activity stemming from that connection.
## Penalties & Enforcement
- Fines: Not specified in the article; the author implies that actions crossing the line would fall under existing federal statutes governing unauthorized access (CFAA) and wiretapping.
- Other Consequences: Potential collateral damage leading to civil liability against the defender for harm caused to third parties.
- Enforcement: Enforcement would likely fall under existing federal law enforcement agencies responsible for cybercrime.
## Related Standards
- **Existing Law:** Federal wiretapping laws (explicitly mentioned as a boundary).
- **Case Precedent:** *Susan-Clements vs. Absolute Software* (used to define the existing acceptable boundary for tracking stolen property).
## Resources
- Official Documentation: Not provided (article discusses a proposal).
- Guidance Documents: None provided.
- Tools: The Active Defense Harbinger Distribution (ADHD) technology is mentioned as an example of tools capable of performing location reporting.
## Practical Recommendations
1. **Advocate for Clarity:** Engage in the policy discussion to ensure problematic language (like 3-2-bb and 3-2-cc) is removed or significantly refined before any law is enacted.
2. **Establish Clear Legal Boundaries:** For current operations, strictly adhere to the precedent set by case law: measure and locate, but do not intercept communications or actively interfere with systems external to the defender's immediate environment.
3. **Seek Legal Counsel:** Before deploying any technology aimed at tracking an attacker past initial detection, confirm its operation aligns with current federal wiretapping and access statutes.