HR 4036 Introduced – “Hack Back Bill”

Earlier this month Rep. Graves (R,GA) introduced HR 4036, the Active Cyber Defense Certainty Act. The bill would amend 18 USC 1030 to, according to a Graves press release, “to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”

Attributional Technology

Section 3 of the bill would add a new paragraph (k) to §1030 that introduces the concept of ‘attributional technology’. It defines the term as “any digital information such as log files, text strings, time stamps, malware samples, identifiers such as user names and Internet Protocol addresses and metadata or other digital artifacts gathered through forensic analysis” {new §1030(k)(2)}.

The new paragraph would exempt the use of attributional technology from prosecution under §1030 when used by “a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of an intrusion” {new §1030(k)(1)}. The ‘program, code or command’ must have been removed from the defender’s computer by the unauthorized user being attributed. Further the ‘program, code or command’ cannot “result in the destruction of data or result in an impairment of the essential operating functionality of the attacker’s computer system, or intentionally create a backdoor enabling intrusive access into the attacker’s computer system” {new §1030(k)(1)(B)}.

Active Cyber Defense

Section 4 of the bill would add a new paragraph (l) to §1030 that introduces the concept of ‘active cyber defense’. The term is defined as actions taken by (or at the direction of) a defender accessing without authorization the computer of the attacker to the defender’s own network to gather information in order to {new §1030(l)(3)(B)(i)(II)}:

• Establish attribution of criminal activity to share with law enforcement and other United States Government agencies responsible for cybersecurity;

• Disrupt continued unauthorized activity against the defender’s own network; or

• Monitor the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques.

The definition goes on to exclude any actions that {new §1030(l)(3)(B)(ii)}:

• Intentionally destroys or renders inoperable information that does not belong to the victim that is stored on another person or entity’s computer;

• Recklessly causes physical injury or financial loss as described under subsection (c)(4);

• Creates a threat to the public health or safety;

• Intentionally exceeds the level of activity required to perform reconnaissance on an intermediary computer to allow for attribution of the origin of the persistent cyber intrusion;

• Intentionally results in intrusive or remote access into an intermediary’s computer;

• Intentionally results in the persistent disruption to a person or entities internet connectivity resulting in damages defined under §1030(c)(4); or

• Impacts any computer described under §1030(a)(1) regarding access to national security information computers, or to §1030(c)(4)(A)(i)(V) regarding a computer system used by or for a Government entity for the furtherance of the administration of justice.

Section 5 of the bill adds a new paragraph (m) to §1030 that further limits the use of an ‘active cyber defense’ by requiring a requirement for advance notification of its use to the FBI. Approval is not required, but acknowledgement of receipt is a prerequisite for the use of ‘active cyber defense’ measures. The notification would be required to include {§1030(m)(2)}:

• The type of cyber breach that the person or entity was a victim of, the intended target of the active cyber defense measure, the steps the defender plans to take to preserve evidence of the attacker’s criminal cyber intrusion;

• The steps they plan to prevent damage to intermediary computers not under the ownership of the attacker; and

• Other information requested by the FBI to assist with oversight.

Other Provisions

Section 6 of the bill would require the FBI to establish a program “to allow for a voluntary preemptive review of active defense measures” {§7(a)}. It would provide for the review to provide an assessment of “how the proposed active defense measure may be amended to better conform to Federal law, the terms of section 4 [new §1030(l)], and improve the technical operation of the measure” {§7(b)}.

Section 7 of the bill would provide for the obligatory report to Congress.

Section 8 of the bill would require the Department of Justice to update it’s ‘‘Prosecuting Computer Crimes Manual’’ to reflect the changes made by this legislation.

Section 9 of the bill would provide for a two-year sunset provision; removing the changes to §1030 two years after the bill is enacted.

Moving Forward

Neither Graves nor his cosponsor {Rep. Sinema (D,AZ)} are members of the House Judiciary Committee to which this bill was referred for consideration. That means that it is unlikely that the bill will be considered in that Committee.

A number of attempts have been made to amend §1030 over the last couple of sessions (see for example here) carving out exemptions to the provisions of the statute. There is a natural legislative inertia when it comes to changing criminal law. I expect that the same inertia would apply to this bill, above and beyond the lack of influence that the sponsors have to move the bill forward.

Commentary

This bill has received lots of attention in the press (see here, here and here for example) when it was introduced but it seems that many have missed an important component of the legislative requirements; any tool used to ‘hack back’ would have to be extracted from the defenders computer by the attacker. The defender would have to construct a honey-target (smaller than a honey-pot) file that the attacker downloads from the defended system. That file would include some sort of communications protocol that would send information back to the defender that provides attributional information on the attacker.

If this sounds like what a hacker does when they use a phishing attack or boobytrapped web site, that is almost certainly deliberate. It requires the attacker to be explicitly involved in ultimately providing information from their system to the original defender. This may end up causing problems in using the information obtained under the self-incrimination provisions of US law. Lawyers will have fun arguing both sides of this.

What the bill does not allow, and in fact explicitly prohibits, is either the establishment of a backdoor or actively pivoting through the attacker’s system searching for information. This is the typical next step of an attack on a computer system. This is what distinguishes the bills ‘hacking back’ (the term is not actually used in the bill) from the prohibited actions of §1030.

The requirements for pre-notification help to ensure that the new provisions are not used by nefarious hackers as an extraneous tool in defending against prosecution for traditional hacking prohibited by §1030.

It is important to note that the active cyber defense provisions are not an exemption from prosecution under §1030, instead it allows them to be used as a defense against federal charges under §1030. That means that prosecution for a properly notified active defense measure is still possible at the discretion of the government. A judge would have to decide if the active cyber defense measures actually-employed met the requirements of the revised §1030. FBI ‘approval’ of the proposed active defense measures would obviously be beneficial in convincing a judge of the appropriateness of the activities.

More importantly, the active cyber defense provisions in the bill are specifically not allowed to be used as a defense in a civil action undertaken under §1030(g). That paragraph allows anyone who suffers ‘damage or loss’ from unauthorized access to a system to obtain “compensatory damages and injunctive relief or other equitable relief” in federal courts. The reasoning is that active cyber defense measures cannot, by definition, cause damage or loss, so proving damage or loss means that an authorized ‘active cyber defense’ measure was not employed.

Unfortunately, the provisions in this bill would only apply to attackers using computers located in the United States. This is an inevitable problem cause by international law; each country has sovereign control of the rules prohibiting access to computers physically located within their boundaries. Prosecution would have to take place in the target country, but extradition could be possible depending on the extradition status of the country involved.

The problem here is that, by definition, a defender would not know the location of the target computer when they initiated active cyber defense measures. Thus, a defender could end up violating foreign law by executing measures allowed by this bill and could be potentially extradited to face charges for that violation. This bill should include provisions that require a judge at an extradition hearing from taking specific cognizance of the provisions of this bill as a defense against extradition. This would not, however, protect a defender against arrest and prosecution while traveling outside of the US.