Self-defense in cyberspace would put businesses at risk, experts say
A House bill giving businesses the power to counter cyberattacks outside their own computer networks is fraught with risks to U.S. companies and critical infrastructure, and won’t stop criminals and nations from making attacks, experts warn.
Reps. Tom Graves, a Georgia Republican, and Josh Gottheimer, a New Jersey Democrat, recently introduced the Active Cyber Defense Certainty Act, which gives companies the power to respond to an “unauthorized intrusion” without criminal liability.
The legislation addresses concerns that businesses and individuals are limited to playing defense. Companies could monitor attacks using a “beacon,” or software that a company could embed in its files so that when its data is stolen, it can trace where the attack is coming from. Under the bill, businesses would inform law enforcement when they take an offensive measure. However, the law would bar the destruction of an attacker’s data, or remote access of the attacker’s computers.
Under current law, companies cannot take action outside their computer networks.
This is the latest iteration of a bill that Graves says would even the playing field for consumers and businesses. The Federal Bureau of Investigation says that last year cybercrime cost American companies more than $2.7 billion. In 2017, only 165 computer fraud cases were prosecuted, according to the U.S. Attorneys’ Statistical Report.
Graves, who declined to be interviewed, said in a June 13 press release that the bill will deter cybercriminals by allowing businesses and consumers to intervene in attacks and retrieve and destroy stolen files.
“The status quo is unacceptable and it’s important that private sector organizations feel empowered to take a more active approach to their cyber defense,” Graves said in the release.
David Inserra, a cyber policy analyst with the conservative Heritage Foundation, says he hopes the bill will empower businesses to “enable non-destructive, non-harmful, active cyber defense.”
“That way they have more information with which they can use to identify the person who is doing this to them, and then provide that information to proper law enforcement authorities who can take the ball the rest of the way,” Inserra said in a phone interview.
Some security experts warn, however, that taking a more aggressive approach could lead to an attack on a hospital, a business competitor, or a foreign adversary or ally.
Candace Worley, vice president and chief technical strategist of the software security firm McAfee, consulted with Graves when he wrote an earlier version of the bill. She supports what she called “guardrails” in the legislation. Businesses would call the FBI before going beyond their networks, and the agency would review all active defense measures, she noted.
“Active defense is still a highly risky undertaking,” Worley wrote in an email. “Our default recommendation is for organizations to engage with law enforcement.”
Worley said the bill will not deter criminal organizations and governments from attacking American businesses and consumers.
“I would assert that many of the laws we put in place over the course of many years have not necessarily deterred organized crime,” Worley said in a phone interview. “Why would it be any different in the digital world?”
Michael Daniel, the president and chief executive of the Cyber Threat Alliance, said companies would be better served by understanding what was on their own networks, using and updating the most recent versions of software, and developing cyber incident response plans.
“There’s a lot of things that you can do to harden your networks to make yourself more resilient, and those pay far greater dividends for almost every organization I can think of than trying to carry out activities outside of your network,” Daniel said in a phone interview.
The U.S. Chamber of Commerce’s cybersecurity executive, Matthew Eggers, says Graves’ bill is the product of frustration. He says business leaders would rather see more collaboration between the government and businesses.
“We want an internet that facilitates communication and creativity, not conflict,” Eggers said in a phone interview. “We need to push countries that would conduct malicious activity against our companies.”
But he added that businesses should look to the government to “engage bad actors on our behalf.”
“Private entities should not be doing that,” he said.
Rosa Smothers, a former CIA technical intelligence officer and a current cyber operations executive at KnowBe4, said that uncovering the source of a cyberattack is difficult. If a company mis-identifies an IP address or domain name that is owned by an unwitting intermediary, a company could take action against a government or state. That could lead to a diplomatic incident, she said in a phone interview.
“The international implications are mind-boggling,” Smothers said.
Introduced to the House on June 13, Graves’ bill was referred late last month to the Subcommittee on Crime, Terrorism, and Homeland Security. James Lewis of the Center for Strategic and International Studies said that the odds of the bill passing were “close to zero.”
Eggers said that while the bill was “worth the conversation” that it was unlikely that it would pass.