Congressman May Introduce Active-Defense Bill

https://www.onthewire.io/active-defense-bill-now-allows-destruction-of-data-use-of-beacon-tech/

Literally just ran across this and was really excited! It was the topic for my Masters Thesis and while I took it a bit further, it is definitely along the lines of what I wrote. The real kicker is I explicitly addressed the use of the CFAA in relation to a Cyber Stand Your Ground law! Nice to see perhaps I wasn't too far off the mark!

Find more posts tagged with

Comments

yoba222

The wording of the bill seems to imply a single user proactively defending themselves. But I think the wording may be meant for corporations. I wonder if this will be the beginning of something big. Picture private companies with their own DoD equivalent of CNE teams (Computer Network Exploit) to go after hackers. Wow.

paul78

meh - as proposed this bill needs a lot of work. I had a few discussions on this concept with friends back in March. It'll be a while before the bill is refined enough. The problem with this idea is that most direct attacks are typically proxy-ed through victims. I did some business last year with a firm that does something similar and I thought their approach was a bit sketchy. Some changes to the CFAA is overdue so it'll be interesting to see which of the various proposed bills actually makes it.

ITSec14

I feel like this is opening a big door to retaliation by a larger network of hackers...

the_Grinch

In my paper I discussed companies forming for the sole purpose of active defense. I generally looked at it with two points in mind. First, many companies would be unable to obtain or currently lack the personnel skilled in that arena. You don't want people without a background in this work launching active defense because let's face it, you're opening yourself up to legal issues.

Second, most companies probably couldn't afford to keep a full time staff member or team with that skillset. Thus a company built of people skilled in that arena could service multiple clients much like an MSP. This would also allow some transfer of liability and the company in question would probably be looking at some form of cyber insurance.

Ultimately, the point is to get this topic talked about because more and more we are seeing that the current options aren't enough. Yes a large portion of it is that companies aren't properly securing their environments and that has to change. But at the same time it is impossible to be 100% secure and in those times you need another tool in the arsenal. As I discussed in my paper, any company worth their salt is going to perform a proper risk assessment (both from the technical end and from the legal end) and then decide if it would be proper for them to begin an active defense.

wastedtime

I don't mind this being talked about but I feel like this would be a terrible idea. From a legal stand point and from the stand point of network defense. I think most of us have the idea of the legal issues of this. So much can go wrong and what is the likely hood you would gain anything by doing this. If anything any active defense should be additional federal support to track and arrest these people. I would love to hear someone explain how this could be valuable to a company without adding huge risks. If someone takes me up on that it needs to be more then situation-attack-profit but I would love for someone to prove me wrong about this as it would make my work more interesting.

Also every time I think of this my first thought is the brawls in the Anchorman movies.

paul78

It's an interesting premise. There are a few boutique firms that do this but it's borderlines violates CFAA. The reality though is that most companies already do outsource or use external entities for security functions - mostly because it's not a core business. There is very little reason for many companies to have in-house expertise in certain security roles. I.e. Forensics, threat-hunting.

So you hit on one of the issues which is the amount of E&O and liability insurance that such activity may need. And I would expect that this insurance would be quite expensive.

The other reality is that even if this bill was passed - it cannot address cross-border or privacy issues. For example - if as part of an investigation - the data collected belongs to a victim who's computer had been breached.

I'm not really a proponent of this bill as it stands - it is essentially legitimizing private-sector vigilantism.

the_Grinch

When you look at the overall bill you know that in its present form it would never come to fruition. There will be a debate, the House will make changes, pass it and then the Senate will make changes. All of that and then they will have to reconcile the two before it makes it to the President.

But we shouldn't forget that active defense, in a way, is already occurring out there. Microsoft has been a big player in taking down botnets and it all revolves around what this bill is pushing. They've worked with the FBI and other private sector partners along with law enforcement in other countries to seize servers operating botnet infrastructure. Now if you want to debate the effectiveness of such actions I could most definitely see a point that it is barely a bandaid fix. Even Microsoft admits that within months the botnets are back up.

We all know that for the most part the motivation here is money. Make being in that business expensive and they will move on to a different business. As you all have said the debate is definitely warranted. My main argument is that we debate it and allow it to be an option. It might ultimately be an option that a company never exercises, but at the same time being able to consider it can make a difference. Plus we always assume that these guys are strictly international, but research shows a lot of things going on with servers located in the US. Definitely something we can do in cases like that.

paul78

the_Grinch wrote: »

Microsoft has been a big player in taking down botnets and it all revolves around what this bill is pushing. They've worked with the FBI and other private sector partners along with law enforcement in other countries to seize servers operating botnet infrastructure.

That's a bit different though. And the techniques used currently do not intrude on another private citizens' property.

the_Grinch wrote: »

My main argument is that we debate it and allow it to be an option. It might ultimately be an option that a company never exercises, but at the same time being able to consider it can make a difference.

Yes - I would likewise like to see a good healthy discussion on this topic. And similar related topics too - one activity that occurs today but is usually not acknowledge is the when organizations or third-parties "recover digital assets" in the underground. It is currently considered being an accessory to a crime or possession of stolen goods but some researchers and reporters have bent that a bit.

the_Grinch wrote: »

Plus we always assume that these guys are strictly international, but research shows a lot of things going on with servers located in the US. Definitely something we can do in cases like that.

I can only go by my own research and the threats were geographically diverse. My point is that ip geolocation is somewhat crude although improving so there is no guarantee that active defense activities will cross a border.

wastedtime

the_Grinch wrote: »

But we shouldn't forget that active defense, in a way, is already occurring out there. Microsoft has been a big player in taking down botnets and it all revolves around what this bill is pushing. They've worked with the FBI and other private sector partners along with law enforcement in other countries to seize servers operating botnet infrastructure. Now if you want to debate the effectiveness of such actions I could most definitely see a point that it is barely a bandaid fix. Even Microsoft admits that within months the botnets are back up.

If this was what the bill was wanting I would fully support it and this is what I was talking about when it came to federal support. This doesn't seem to be the intent of the bill though. From what I can tell is this is a "Hackback" bill which means under certain circumstances it makes it legal to exploit other peoples systems. My understanding is they are trying to apply some form of "stand your ground" concepts to the "Cybers".

This seemed to talk about the bill a good amount from a legal perspective https://www.lawfareblog.com/legislative-hackback-notes-active-cyber-defense-certainty-act-discussion-draft