A bill that amends the Computer Fraud and Abuse Act (CFAA), the U.S. law that governs cyber-related crimes, is crawling its way through the legislative process toward legalizing some countermeasures following a cybersecurity breach.

Today, it is against the law for victims to engage in acts of cyber retribution.

This bill would allow some very minor activities related to the recovery of a victim’s data from a cybercriminal’s website. This of course assumes that the victim would be able to actually identify the attacker and correctly attribute the crime to its source. It’s a chimeric assumption at best, but then the bill itself is fancifully abbreviated as AC/DC, or the Active Cyber Defense Certainty Act, so I guess it fits.

The true problem, however, lies in the erroneous assumptions underlying the premise of the bill and in the unintended consequences arising from it.

If this bill becomes law as currently written, a victim of cybercrime would first have to notify the FBI before conducting its retributory “endeavor.” The victim would then have to share with U.S. law enforcement and cyberdefense agencies the evidence of the crime, the steps taken to establish attribution and the authority for that attributive evidence, and the specific measures taken to ensure that none of the “intermediary” computers used in the proposed countermeasure will be damaged or compromised by the data-recovery activity. And that’s just the planning stage.


In order to satisfy the letter of this bill, a victim of a cyberattack would spend far more time, money and calories checking all of the compliance boxes to pursue the attackers than they would by simply restoring the lost data from backups, notifying the actual victims of the crime (the customers, patients, etc.) of the loss, paying the restitution, penalties and legal fees, and hardening their security posture to prevent a recurrence.

The truth is that cybersecurity attribution is virtually impossible. Unless the law adopts a lower standard of proof for attribution, something analogous to the preponderance-of-the-evidence standard of a civil trial rather than the beyond-a-reasonable-doubt standard of a criminal one, our ability to attribute the source of a cybercrime with certainty will remain elusive. Unless we are able to collect and present overwhelming circumstantial evidence that points to the identity of a perpetrator, as was done for the recent WannaCry ransomware attack, we will never be able to pursue our attackers under this bill.

In the example of WannaCry, the cybersecurity community concluded that since the tactics and portions of the code matched those used in the Sony Pictures attack, the perpetrators must be the North Koreans. By that standard, my beard and ponytail would have me serving consecutive life sentences somewhere.

Beyond the attribution problem, the bill additionally prohibits the destruction of any non-victim information stored on the computers of another party, any physical or financial injury to another person, any threat to the public health or safety of another, and any actions that exceed the level of activity required to perform reconnaissance on an intermediary computer to identify the persistent cyber intrusion.


That’s like telling the vigilante drifter in an old western that we want him to clean up the town, but he can’t accidentally shoot any of the good guys, horses, dogs, cats, women or children, and, oh by the way, no bullet holes in walls or broken windows, either.

In short, it is almost impossible to conduct reconnaissance in cyberspace without putting intermediary data and software at risk. It is equally difficult to conduct an investigation of this type without exposing security holes in the intermediary systems being explored, and thereby (legally) jeopardizing the financial health of their owners. And the chances of adequately protecting others’ data encountered along the way are zero.

In fact, the cost of merely ensuring compliance with the bill’s requirements is far greater than the value any such hack-back could return.

So, instead of creating a bill that would actually serve the victims of a cybercrime, our congressional leaders have instead created another drag on the economy and further reduced our ability to fight cybercrime or increase our cybersecurity defenses.

The bonus is that this bill could establish a brand new basis for cybersecurity-related lawsuits. Maybe, when all is said and done, that’s the actual job that our legislators imagine they were elected to perform.