June 14, 2019

Congress hack back bill “worrying”, says cybersecurity expert

By Lucy Ingham

A US congress bill that would give companies limited power to hack attackers back has been reintroduced, but cybersecurity experts are concerned about the wording and implications.

The bipartisan bill was reintroduced yesterday by Tom Graves, Representative for Georgia, after being previously thrown out for violating the Computer Fraud and Abuse Act.

It is designed to assist businesses that are increasingly under attack from hackers but that, Graves argued, face a lack of regulatory clarity over how they are permitted to respond.

However, cybersecurity experts are concerned, with Alex Rice, CTO of HackerOne, raising particular objections to the wording of the renewed bill.

Concerns over the Congress hack back bill

Rice pointed to one section in particular, which he described as “worrying”. It is worded as follows:

“Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.”

While this may sound reasonable in principle, Rice argues that the reality is far more complex.

“Attribution is hard, and any legislation that assumes it can be done at scale with a high degree of confidence is suspect,” he said.

“Until we can agree on terms like ‘qualified defender’, ‘high degree of confidence’, and ‘extreme caution’, hacking back will inevitably lead to collateral damage and misguided defenders could wind up facing jail time for an inadvertent misstep over an invisible line. We can’t wait for legal precedent to be established here.”

He also echoed concerns held by many in the wider cybersecurity industry that the bill encourages an approach that would be deemed unacceptable in other industries.

“This proposed vigilantism doesn’t work in any other societal structure for a reason,” he said.

“Today, the best digital offense for companies is a good defense, and this is where American companies should invest their resources.”
