The behind the scenes debate on this issue is raging.
Some view hacking back as a real deterrent. Once some examples are made, others may be hesitant.
Issues formerly associated with ‘pirates’, such as a letter of marque, have been suggested. Licensing is another. Comparisons to bounty hunters and mercenaries have also been made.
Some question the purpose. Is it supposed to be punitive or to establish evidence?
The debate continues.
US congressman says ransomware attack could have been prevented
by: Hannah Kuchler in San Francisco
WannaCry, the ransomware that ransacked servers from hospitals to telecoms, could have been prevented if companies were allowed to “hack back”, according to a Congressman behind a new bill that aims to improve cyber security defences.
Representative Tom Graves, a Republican from Georgia, is drafting a bipartisan bill that would allow individuals and companies to “fight back”, hunting for hackers outside of their own networks.
Hacking back, sometimes known as active defence, has been illegal in the US under the Computer Fraud and Abuse Act, under which companies are only allowed to disrupt an attacker inside their own computers and servers.
It is controversial with many cyber security experts, who are concerned that it is too difficult to ascertain who is behind an attack to give companies the right to hack back, whether to retrieve information or to deter future attempts.
Active defence is also sometimes used to refer to tricking the attacker within your network, which is legal.
Mr Graves said he believed the WannaCry ransomware, which hit the UK’s National Health Service and US companies including FedEx, might have been prevented if his bill had already been passed.
“I do believe it would have had a positive impact potentially preventing the spread to individuals throughout the US,” he said. “Our proposal is to empower individuals and companies to fight back basically and defend themselves during a cyber attack.”
The Active Cyber Defense Certainty bill, co-sponsored with Arizona Democrat Kyrsten Sinema, is in its early stages. After consulting with cyber security executives at an event at the Georgia Institute of Technology, the bill is being redrafted to include safeguards such as a requirement for companies to notify law enforcement if they are using such techniques, so that law enforcement can check that they are being used responsibly.
Under the current terms of the bill, companies that are victims of a cyber attack would be able to access the computer of an attacker without authorisation in order to disrupt an ongoing attack or to gather information to share with law enforcement. The bill includes caveats: a company may not destroy data on another person’s computer, cause physical injury to someone or create a threat to public safety.
“We’ve received a lot of input and feedback and support. Clearly the tech community, the cyber community and the financial communities out there want tools and resources to defend themselves,” Mr Graves said.
Yacin Nadji, an analyst at Georgia Tech’s Institute for Information Security and Privacy, said companies may not be equipped to perform an “active cyber retaliation effort”.
“The bill currently allows any victim to hack back, but ignores the potential consequences of them doing it wrong,” he said. “Personally, I think a more prudent course is to improve the ability for law enforcement officers to do their job well.”