Proposed bill isn’t the solution
The fight for better cybersecurity is a layered, nuanced effort. It has complexities, rules, and numerous moving parts to account for. That isn't the answer anyone wants to hear, but it's true. Like any network, it is composed of hundreds if not thousands of variables, which is why a constantly updating defense strategy matters.
But the problems with cybersecurity extend well beyond any one person or enterprise. Many of the major issues confronting businesses and individuals in the United States start at home, that is, in the Senate and House. Members of both chambers have been forced to take a critical look at the threat climate presented by cyber-attacks. From SolarWinds to the Colonial Pipeline, it is no longer a matter affecting only the IT industry.
The issue, though, is what is done in response. Here we examine a "feel good" but ultimately tone-deaf bill proposal that addresses very little beyond the visceral satisfaction of "hitting back."
The Hack Back Bill
The bill was originally proposed by Senators Steve Daines (R-Montana) and Sheldon Whitehouse (D-Rhode Island).
Naturally, businesses across the nation are fed up with being the victims of rampant malicious attacks, and understandably so: threat actors and digital bandits seem to cause chaos with zero repercussions while running off with thousands, sometimes millions, of dollars. That frustration is what gave birth to the recent "hack back" bill, a proposal aimed at letting private entities launch their own counteroffensive against intruders. Unfortunately, the bill demonstrates how out of touch many senators and representatives are with the present realities of cybersecurity.
It is a fairly barren bill in terms of actual usefulness, for a multitude of reasons. First, think of the parallel with physical crime: when a crime occurs, private citizens are not the ones who make the arrests, compile evidence, go to court, and carry out the entire evidence-gathering and judgment process. The same philosophy applies to cybersecurity investigations.
The FBI and CISA do not respond to cyber intruders by launching their own brand of malware at them. Their efforts are designed to learn about intrusion methods, the tools malicious parties use, common targets, who is being hit, and a whirlwind of other information that feeds back into better cyber defense.
This isn't the intent of the bill, however. In reality, it creates a wave of new problems instead of resolutions. Some of the key weaknesses:
- Attackers, even unsophisticated ones, routinely hide their activity and obfuscate their origins, so a counterattack may land on the wrong target, such as a third party's compromised machine
- The bill raises too many ethical questions about who and what may be targeted during a "response breach," creating collateral damage
- The bill sets no rules for reconnaissance or intelligence gathering before a response
- A private entity's reaction to an attack from an unknown source could easily be misread as hostile by another government, creating additional tensions in the political realm
These are only a few examples; a bill like this raises numerous gray-area questions about what is allowed (or should be).
There is little if any guarantee that a "hack back" response would net out positively for a private entity. To experts, it stands on a weak premise and reflects a lack of understanding of what effective cybersecurity looks like. With that said, it is unlikely the bill will see any real action beyond a handful of supporters in the Senate and House.
While not a pressing issue for the time being, it could signal similar bills in the future. It also demonstrates the need for better insight into effective cybersecurity policies and responses.
Despite the flawed approach, private entities do face enormous external pressure from attackers. Giving them defensive tools is not a bad concept, but those tools should actually be effective. As always, the fight for better cybersecurity continues.