A US congress bill that would give companies limited power to hack attackers back has been reintroduced, but cybersecurity experts are concerned about the wording and implications.
The bipartisan bill was reintroduced yesterday by Tom Graves, Representative for Georgia, after being previously thrown out for violating the Computer Fraud and Abuse Act.
It is designed to assist businesses who are increasingly under attack from hackers, but who, argued Graves, face a lack of regulatory clarity over how they can respond.
However, cybersecurity experts are concerned, with Alex Rice, CTO of HackerOne expressing particular issues over the wording of the renewed bill.
Concerns over the Congress hack back bill
Rice pointed to one section in particular, which he described as “worrying”, which is worded as follows:
“Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.”
While this may sound reasonable in principle, Rice argues that the reality is far more complex.
“Attribution is hard, and any legislation that assumes it can be done at scale with a high degree of confidence is suspect,” he said.
“Until we can agree on terms like ‘qualified defender’, ‘high degree of confidence’, and ‘extreme caution’, hacking back will inevitably lead to collateral damage and misguided defenders could wind up facing jail time for an inadvertent misstep over an invisible line. We can’t wait for legal precedent to be established here.”
He also echoed concerns held by many in the wider cybersecurity industry that the bill encouraged an approach deemed unacceptable in other industries.
“This proposed vigilantism doesn’t work in any other societal structure for a reason,” he said.
“Today, the best digital offense for companies is a good defense, and this is where American companies should invest their resources.”