Hack me? I’ll hack you back!

Introduced by our very own US Representatives, the “hack back” bill would allow businesses to attack their attackers’ computers or networks. Yup. When James Brown recorded “The Big Payback” in 1973, he must have seen this coming. If ever a bill deserved a theme song, this might be it.

Although the Active Cyber Defense Certainty (ACDC) Act is lamely titled, it sure sounds like a potent and potentially frightening amendment to the Computer Fraud and Abuse Act, the federal anti-hacking law. The down low is this: it’s really cool that good citizens can arm themselves in the wild west, but the scary part is that our well-intentioned business owners may not be the best shots. Attribution is hard. Hackers are adept at misdirection, and the machine you fire back at is as likely to belong to an innocent third party whose server the attacker compromised or routed through as to the attacker. So the big payback is very capable of serving up its fair share of collateral damage.

Identifying a hacker often takes time and analysis that most ordinary researchers are not equipped to perform. The cliché that comes to mind: “sometimes the cure is worse than the disease.”

Hackers may leave a trail of evidence in their code, but they will often spoof that evidence. One convincing way is to plant code or strings borrowed from a known hacking group in their malware; more often, they simply stage the attack from an innocent third party’s compromised machine so that the trail ends there. Not good.

To make the act even less effective, the right to bear virtual arms and use them is only good inside the United States. This is a deal breaker. Most attacks come from abroad, and even those that don’t are often routed through overseas servers.

Then there are the requirements: before you fire back, you must alert the National Cyber Investigative Joint Task Force (NCIJTF). Maybe they’ll want to review and weigh other options before allowing action to be taken. Great. Now that you’ve seen the basement, let me show you the cellar.

Prying into hacking networks may obstruct ongoing investigations, and the last thing I want is to be brought up on charges of contaminating or tampering with evidence. Then there are the aforementioned limitations against foreign retaliation. The NCIJTF is led by the FBI, and the FBI’s review of the bill raised the worry that actions taken by private organizations could effectively trigger our government’s international legal responsibility. Should the government be held liable for some hired guns trying to track down the bad guys, they’re not going to be happy. At all.

Despite these ominous warnings, many companies are wading into international waters and proceeding with the “hack back.” Although they realize it’s illegal, the newly introduced act makes them bolder about breaking the law in the name of justice. Yeah, it’s a hot mess.

Let’s bring this home. One, I should never have invoked the great James Brown. He did not deserve that. Two, companies should be preventing hacks, not going on cyber manhunts. Ransomware, which goes largely unreported, is expensive for small businesses, and most hacks are easily avoided. Equifax failed to patch a known hole in its software despite a fix being available for months. It was not some high-tech heist, I can assure you.

Most companies get the basics wrong, and I’m going to double down on clichés: “an ounce of prevention is worth a pound of cure.” Remove Internet access from all hardware that does not require it. Patch holes as they come up and maintain sound software hygiene. It’s doable, I swear.
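What “remove Internet access from hardware that does not require it” looks like in practice, as an added example that is not part of the original post: a default-deny egress ruleset for a Linux host, written for nftables. The addresses are assumed placeholders (10.0.0.53 as the internal DNS resolver, 10.0.0.5 as the internal patch mirror, 10.0.1.0/24 as the only subnet this host legitimately talks to); the point is that the host can still resolve names and pull patches, but cannot reach arbitrary hosts on the Internet, so a foothold on it cannot easily phone home.

```nftables
# Added example, not from the original post. Default-deny egress for a host
# that has no business on the public Internet. All addresses are assumed
# placeholders for an internal network.
table inet egress {
    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback, and replies on connections this host already accepted
        oif "lo" accept
        ct state established,related accept

        # Name resolution only via the internal resolver (assumed 10.0.0.53)
        ip daddr 10.0.0.53 udp dport 53 accept
        ip daddr 10.0.0.53 tcp dport 53 accept

        # Patching still works: updates come from the internal mirror (assumed 10.0.0.5)
        ip daddr 10.0.0.5 tcp dport { 80, 443 } accept

        # The one internal subnet this host legitimately talks to (assumed)
        ip daddr 10.0.1.0/24 accept

        # Everything else, including the whole public Internet, is logged and dropped
        log prefix "egress-drop " counter drop
    }
}
```

Load it with `nft -f egress.nft` and confirm with `nft list ruleset`. Before enforcing, stage it with `policy accept;` for a few days and watch for the `egress-drop` log prefix: whatever shows up is either a dependency you forgot or something that should not be talking out at all, and you want to know which before you flip the policy to drop.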

The reality of the hack back is that there are going to be a lot of innocent victims. As fellow security experts have pointed out, the Babylonian code of “an eye for an eye” will wreak havoc. And as Gandhi pointed out, “an eye for an eye and soon the whole world is blind.”

Trevor Goering – CEO, Gotham Security