There are two conflicting cybercrime regulations in the making, one national and the other one international. Which one deserves to be supported and why should you know this?
National: Hack back Bill
The US Congress has been considering a cybersecurity defence law named the ‘Active Cyber Defense Certainty Act’ (ACDC). The proposed bill is intended to defend organisations against cyber intrusions by retaliating. In other words, the projected regulation would allow boards and executives to decide on utilising an active cyber defence by hacking back.
The ACDC Act gives authorised individuals and companies the legal authority to leave their network to:
- Establish attribution of an attack,
- Disrupt cyberattacks without damaging others’ computers,
- Retrieve and destroy stolen files,
- Monitor the behaviour of an attacker, and
- Utilise beaconing technology.
The bill’s proponents presume that most defenders would likely use active-defence techniques to perform ‘deep reconnaissance’ of the hackers who originated the attack. As they explain, a defender using active-defence techniques could, for example, ‘follow the bread crumbs’ back to the source of the attack. The defender could then attempt to attribute the source, ‘naming and shaming’ the attacker, turn over relevant information to law enforcement, or simply learn the ‘vector’ that the attacker took to execute the original malicious attack and avoid it.
It is not further elucidated that the federal government should play a crucial role in investigating and prosecuting cyber-crimes but it shouldn’t stand in the way of victims who are capable of responding to an ongoing attack, nor should it stand in the way of industry innovating and creating new active-defence techniques.
The justification is that hacking back guidelines would help a much larger number of cybercrimes to be prosecuted.
International: UN Cybercrime Treaty proposal
In December 2019, the United Nations Assembly met to vote on a Russian-led resolution on cybercrime that suggests the establishment of a committee of experts to consider a new UN cybercrime treaty.
This resolution reflects the long-standing goal of Russia and some BRICS countries (including South Africa) to replace the Council of Europe’s Budapest Convention, which is the only international instrument addressing this issue but is already considered outdated.
In fact, the Russian initiative goes back to 2001, when Russia tabled a draft resolution at the UN named ‘Developments in the field of information and telecommunications in the context of international security’. Later the same year, Russia proposed the establishment of the UN Group of Governmental Experts (UN GGE). The group was tasked to review potential and existing threats to information security, examine possible ways of cooperation between the UN member states, and perform a study of international information security issues.
At the first GGE, convened in 2004, Russia, China and Brazil called for state sovereignty over information security. The US opposed such calls for state control of information, considering the move to be politically, culturally and socially disruptive.
The GGE 2009 report endorsed dialogues on norms for states’ use of ICT to reduce risk and protect critical infrastructure. It also recommended risk reduction methods, including the use of ICT during conflict.
It is at this time that other countries (including China and South Africa) became increasingly aligned with Russia, consistently arguing that the 2004 Budapest Convention is outdated. Fast forward to 2019, this resulted in the passing of Russia’s current resolution.
The final vote showed that 79 countries agreed with the resolution while 60 nation-states, aligned with the US, opposed it. Some 33 countries abstained. The vote was largely along the same ‘traditional’ political dividing lines.
Although those countries that voted against the resolution raised serious human rights concerns, the majority of the nation-states agree that the global negotiations on the cybercrime treaty represent a positive move in the right direction.
Why should you know this?
One of the problems with the adoption and application of the ACDC might arise when organisations try to retaliate but are not really in the best position to do so. This can happen particularly when trying to retaliate against well-organised syndicates or state actors. The consequences will be even more disastrous.
Secondly, many cyber-attacks function by using the ‘dark web’, which is very hard to navigate and regulate. Any counteraction, even by a mighty government entity, runs the risk of being founded on incomplete or misleading information in the first place, cautions the Quartz portal.
Thirdly, cyber-attack attribution is still very difficult and sometimes almost impossible. Even powerful government agencies, such as the US NSA, Russian Kiber Voyska or Chinese People’s Army specialised cyber command, are struggling with attribution – never mind private companies with far fewer resources.
What happens if well-intentioned defenders truly believe they have identified the source of a cyber-crime, and even have evidence that points to a specific actor/s but it turns out they were wrong? Would the retaliating company and the individual in charge be prosecuted? Would they have safe harbour protection?
The above questions, posed by the Quartz portal, suggest that the adoption of the US hack back bill could potentially have disastrous consequences not just for the retaliating organisations but for the worldwide economy and stability.
Even worse, will the nation-state on the other end of an attack consider this retaliation an act of war and respond with kinetic weapons? Possibly, yes.
As we have spotlighted recently, this has already happened. The Israeli Defence Force (IDF) response against cyber attackers was decisive and came literally with a ‘bang’. Israel bombed hackers from Gaza! The IDF flattened a building allegedly used by hackers from Hamas.
In the most recent conflict between the US and Iran, the latter has already thrown some cyber punches in retaliation for the killing of its high-ranking general. Iranian hackers briefly took over and defaced a website for the Federal Depository Library Program. This looks like only a warning that might escalate into a substantial cyberwar.
Will the US respond with its massive cyber offensive capabilities? Or will it retaliate with its mighty kinetic weapons? It remains to be seen, but the situation is highly volatile.
As FBI Director Christopher Wray commented, “We don’t think it’s a good idea for private industry to take it upon themselves to retaliate by hacking back at somebody who hacked them”.
Former FBI director James Comey also expressed concern that any kind of active defence strategy could impede the FBI’s own law enforcement efforts. This is especially true now as cybercrime and geopolitics become more and more intertwined.
This brings us to the Russian-proposed UN Cybercrime Treaty. We do not necessarily promote this particular treaty proposal but are in favour of negotiations and reaching global arrangements. Although the discussion on information security has remained as polarised as ever, reaching a common resolution seems far better than entering into endless and spiralling retaliations that can bring only disastrous results.