In late May, Representative Tom Graves (R-GA) released an updated draft of the controversial Active Cyber Defense Certainty Act (ACDC). If enacted, the law would allow organizations who have been victims of cyber crime to conduct their own attack-back strategies to identify assailants, stop adversaries and/or retrieve stolen files.
The legislation has been met with skepticism from security professionals and officials alike. In a recent article for CSO Online, Ira Winkler wrote that the ACDC would make the threat landscape more complex and dangerous for cyber attack victims.
According to Winkler: “The reality, though, is that most victims are ill-equipped to deal with an incident and even less equipped to hack another organization without creating damage. It is reminiscent of the scene in The Dark Knight, where Batman points out to the would-be vigilantes that he is wearing bulletproof armor.”
The ACDC would complicate everything from the attribution process to digital infrastructure and third-party relationships. “A website can be hacked and used to launch attacks, but the website is hosted on AWS,” Winkler writes. “Would Amazon then be justified in hacking the victim again to stop the attack against the hosted website?”
Overall, some politicians, like Tom Graves, celebrate the image of the cyber vigilante: a person who takes cyber security into his or her own hands. Meanwhile, on the opposite side of the coin, other officials are doing everything in their power to curb it.
For example, effective security technology, such as encryption, is consistently threatened. Former FBI Director James Comey was a prominent critic of encryption and often discussed inserting backdoors into private technologies. Internationally speaking, France’s new president, Emmanuel Macron, and the UK’s Thersa May have both vowed to regulate encryption for national security purposes.
Ultimately, encryption breaking seeks to discourage what officials see as criminal vigilantism. Government officials view encryption technology as a way for bad actors to hide their misdeeds from law enforcement. In their minds, back doors would jeopardize dangerous vigilantism.
However, this perception is unrealistic. Unfortunately, we often see digital spaces as the Wild West: there are no rules, regulations or borders online. Everyone is out for himself or herself and the person with the most weaponry is on top. This perception is unrealistic. In reality, the cyber security landscape is much more complicated. A “shoot first, ask questions later” mentality can cause more problems than solutions
So, it's important that we avoid the celebration (or subsequent condemnation) of the cyber vigilante. We cannot give organizations free reign to actively launch an attack on any perceived threat. But, on the other hand, we cannot take away necessary components of their security technologies.
We have the capacity understand the principals of cyber security enough to be able to craft this effective legislation. But first, officials must throw out their preconceived notions of vigilantism. At this point in time, both the ACDC and the call for backdoors are based on an unrealistic perception of cyber space and its actors. Thus, both propositions would cause much more harm than good to the digital realm.
If we can move past the image of the cyber vigilante, perhaps we can begin a meaningful conversation on how to support cyber attack victims and encryption. Until then, we need to go back to the drawing board.