What Georgia's failed 'hack back' bill says about the future of cybersecurity laws

Georgia has made cybersecurity headlines twice in recent months for two isolated cases, each questioning how organizations should respond in the aftermath of a cyberattack.

Not long after Atlanta disclosed a citywide ransomware attack, the state government proposed a cybercrimes bill that was met with security industry criticism, including those who were helping pull Atlanta from its ransomware ashes.

Proposers of Georgia's vetoed "hack back" bill thought it would ultimately benefit the cybersecurity community. Georgia Governor Nathan Deal did not agree, but his official statements suggested further discussions to improve the bill.

Hack back bills are founded on the same grounds as any other law designed for self-preservation, but in an age of maturing cyberattacks, risking a hack back may not be worth the emotional gratification.

The original language of the proposed bill was considered too vague because it indicated any unauthorized access to a computer system would lead to crimes punishable by fines and a year in jail.

This type of legislation could demotivate researchers from exercising "responsible disclosure," said Alex Yampolskiy, CEO of SecurityScorecard, in an interview with CIO Dive. The bill would have effectively criminalized someone for performing ethical security research if a company chose to pursue legal action.

Additionally, the bill would have legalized an organization's right to hack a perceived attacker's systems in retaliation. Experts widely agree bills legalizing hacking back are simply "a desire primarily born out frustration," said Herbert Lin, senior research scholar for Cyber Policy and Security at Stanford's Center for International Security and Cooperation, in an interview with CIO Dive.

Supporters of hacking back are like the "NRA of cyberspace."

Herbert Lin

Senior research scholar for Cyber Policy and Security,Stanford's Center for International Security and Cooperation

Supporters of hacking back are like the "NRA of cyberspace" because no one wants to be the victim, said Lin. However, when bare knuckle boxing becomes fair play in cyberspace, anyone has the potential of "punching" the wrong person.

Georgia's bill was a "clumsy attempt at creating an anti-trespass law for the digital age," said Dror Liwer, CISO of Coronet, in an emailed statement to CIO Dive. The haziness surrounding a bill like Georgia's has helped open up the conversation surrounding the ethics of hacking.

Why the bill was proposed

The bill began its processes at the request of law enforcement, Georgia Rep. Christian Coomer, R, told CIO Dive. Coomer was among other Georgia legislators to sponsor the bill because it was meant to "act as a deterrent" for malicious actors.

During committee hearings, multiple "safeguards" were added to the bill in an effort to more directly clarify the limitations of hacking back without undermining legitimate business practices.

However, Coomer said the argument of flawed attribution was not something that was raised during the review process, leaving him unfamiliar with the terminology.

"I'm cognizant of my own limitations," he said, but because the issue was never raised during the committee process, it led Coomer to conclude that the "big tech" critics of the bill "didn't have the intent to fix the bill." Instead, they were more focused on stopping the bill entirely, which led to "unintended consequences," like the case for attribution.

Coomer encourages industry experts to participate in committee processes and tell legislatures what they're doing wrong and how to fix it. At the end of the day, the big companies who criticized the bill, like Microsoft and Google, just "weren't at the table," said Coomer.

Federal government is struggling to keep pace with tech

The Georgia bill was an answer to the current form of the Computer Fraud and Abuse Act (CFAA). The CFAA was enacted in 1986 as an amendment to the Comprehensive Crime Control Act in response to the emerging age of computers, according to the Department of Justice. The CFAA has been amended over the last few decades to compensate for the growing sophistication in technology.

However, while the federal law criminalizes any unauthorized access on a computer, the law fails to clearly define the degree of trespassing or what counts as unauthorized access.

For example, if someone sends a form of "active content" like a PDF file or a Word Document with macros, which run on the receiving party's computer, that could technically be a violation of the CFAA, said Lin.

The Georgia legislation was intended to "relax" aspects of the CFAA. As the CFAA currently stands, a hack back is illegal because it still indicates accessing another system without permission, according to Lin.

The "whole concept of harming an offending source of attack, I think that's just a fool's errand."

Dr. Salvatore Stolfo

Computer science professor and cybersecurity researcher, Columbia University

Legislation proposed by Rep. Tom Graves, R-GA, named the Active Cyber Defense Act, has survived several rounds of amendments. The latest amendments include a joint partnership with law enforcement and a limit on how aggressive the private sector can be in terms of offensive activities, said Tom Gann, chief public policy officer at McAfee, in an interview with CIO Dive.

Graves's bill has undergone a more "thoughtful process" to better cyberdefense measures to "act in a more predictive fashion," said Gann. Policy changes like this could streamline data sharing between the public and private sector to make understanding cyberdefense more contextualized.

Communication between the two sectors continues to remain a point of contention for security experts, despite calls for more collaboration.

Above all, organizations need a way of better evaluating systems for exploitable flaws. By adopting AI and ML technologies, defensive measures become more proactive than reactive.

Where do hack back bills go from here?

Amendments to the current bill could lead it to avoiding another veto.

However, the "whole concept of harming an offending source of attack, I think that's just a fool's errand," Dr. Salvatore Stolfo, computer science professor and cybersecurity researcher at Columbia University, told CIO Dive. These types of bills also seem misguided in an organization's objective when it comes to rationally addressing the reality of an attack.

But beacon files remain a legal way to maneuver privacy laws, like the EU's GDPR. Beaconing is sort of like "GPS for your data," according to Stolfo. If a beacon file is executed on a machine that was taken from its owner's computer, it alerts the original owner that it's now "living" on another computer and sends its locational information, like an IP address, said Lin.

Lin, however, argues that beaconing heightens the confusion surrounding the hack back bill and the CFAA "at a higher level of sophistication" because technically it's still an unauthorized program running on another machine even if the program was stolen in the first place.

Hack back bills are unlikely for now

Cybersecurity is a top-level concern, but unnecessary cyberwarfare is not the right avenue to address it, most experts say.

The likelihood of a bill passing like the one proposed in Georgia depends on the "function of the language and definition" of what qualifies as a malicious intrusion, said Stolfo.

But the current definition of hacking back is "not useful" and gives credence to acting out of vengeance, which is "not oriented to solving the problem of stopping data losses," said Stolfo.

"Being solely defensive all the time is not the winning proposition."

Tom Gann

Chief public policy officer, McAfee

The most troubling aspects of hack back legislation are defining criminal acts and subsequent enforcement.

Enforcing a hack back law can only be done "selectively," which makes the law "irrelevant" by definition, according to Liwer.

Non-lethal defense

Time and again, security professionals are told the best cyberdefenses are not reactionary. Instead, they are active and rooted in the basics. Distributing patches, multilayered authentication and workforce training programs are the what help build the protective moat around an organization. There would be no need to fight back when the right protections are already in place.

"Being solely defensive all the time is not the winning proposition," said Gann. Organizations need a "lifecycle" of defense strategies that protect an IT environment in real time.

Active security protocols are a security team's best solution for cyberthreats. If an organization is able to essentially capture attackers while they are in its network, it's much more effective than guessing an attack's genuine attribution.

Hackers can exist in a system for months, as seen in cases like Equifax. They can hide in systems for long periods of time while slowly extracting data at a pace that goes unnoticed and it's all "free," according to Stolfo. He proposes a more "non-lethal" way of making a cyberattacker pay for their actions through "deception in depth."

Stolfo advises placing data decoys or fake data strategically throughout an organization's operational network. If a hacker gains access and begins collecting staged, fake data that sits among real data, the hacker ultimately pays a resource consumption cost. The hacker would then have to dedicate time to sifting through real versus fake data and determining what is factual.

Decoy data serves as an additional layer of protection while gaining the "means of breaking the asymmetry" of an attack, said Stolfo.