SPOILING FOR A FIGHT: HACKING BACK WITH THE ACTIVE CYBER DEFENSE CERTAINTY ACT.
Date | 22 September 2020 |
Author | Porch, Alice M. |
-
INTRODUCTION: FIGHTING HACKERS
In 2007, Michel Cukier, assistant professor of mechanical engineering at the University of Maryland, wanted to profile the behavior of hackers who randomly attack computers using unsophisticated methods. (1) To collect data, Cukier and his graduate students set up four Linux (2) computers with Internet access and weak security. (3) They discovered that the computers were almost constantly under attack, mostly from hackers using "brute force" hacking techniques. (4) The research showed that hackers launched their random attacks using basic software-aided techniques such as "dictionary attacks" (5) to guess passwords by running through lists of common words. (6)
Almost a decade later, ransomware emerged as the fastest growing threat that targets all types of users by taking their files hostage. (7) Ransomware is a type of malware that locks users out of their systems, encrypts their files with algorithms that are nearly impossible to break, and then demands a payment to unlock their files. (8) A United States interagency technical guide reported that every day since January 1, 2016, an average of 4,000 ransomware attacks occurred, which was an increase of 300% from 2015. (9) By 2019, ransomware attacks affected "more than 70 state and local governments" in the United States. (10) Even worse, new strains of ransomware include a threat to publish stolen files on the Internet if the victim refuses to pay the ransom. (11)
In recent years, Supervisory Control and Data Acquisition ("SCADA") hacking of industrial control systems has become a major concern in the evolving world of cyber wars. (12) SCADA devices "control nearly every type of industrial system such as the electrical grid, power plants, manufacturing systems, sewage and water systems, oil and gas refineries and nearly every type of industrial system." (13) The manipulation and control of these industrial systems through SCADA hacking "could itself become a weapon." (14)
To empower organizations to protect themselves from hackers, in 2017, United States House Representatives, Rep. Tom Graves (a Republican from Georgia) and Rep. Kyrsten Sinema (a Democrat from Arizona), introduced the Active Cyber Defense Certainty Act ("ACDC Act"), H.R. 4036, into the 115th Congress. (15) Along with its sponsor, Rep. Graves, H.R. 4036 had nine bipartisan cosponsors, but it did not become law. (16) In 2019, Rep. Graves reintroduced the ACDC Act under H.R. 3270 with Rep. Josh Gottheimer (a Democrat from New Jersey), and this time it has eighteen bipartisan cosponsors. (17) The bill would make "targeted changes" to the 1986 Computer Fraud and Abuse Act ("CFAA") "to allow use of limited defensive measures that exceed the boundaries of one's network" to monitor, identify, and stop hacking attacks. (18) Currently, the CFAA makes no exception for defensive actions that reach beyond one's own network; the only defenses it leaves untouched are preventative measures taken inside that network, such as installing anti-virus software. (19) Rep. Graves believes that the passage of the ACDC Act could be "the most significant update to the CFAA since its enactment." (20)
Cyber breaches are getting out of control, and the proposed ACDC Act aspires to give the private sector a tactic to fight cybercrime. Although the bill intends to give organizations a way to fight back against hackers, critics worry that instead of stopping cybercrime, it may create more problems and potential liabilities for organizations. (21) If passed, the Act could leave organizations with the feeling that they are fighting outlaws in a cyber-version of the Wild West.
Part II of this article examines how organizations protect their networks and then explores existing issues such as the arrests of security researchers. (22) Part III evaluates the relevant parts of the CFAA, examines information sharing, and breaks down the ACDC Act to analyze how effective it would be for preventing hacking attacks. (23) Part IV looks to the future of cybersecurity by analyzing the pros and cons of passing the ACDC Act and offers possible solutions to make the law more effective. (24)
-
PROTECTING COMPUTER NETWORKS
-
BEST PRACTICES
Organizations have the responsibility of protecting their networks from intruders by adhering to the best practices in their industries. Although best practices are based around voluntary actions, state breach notification laws establish a duty for organizations to use reasonable procedures and practices to secure their data. (25) The National Institute of Standards and Technology ("NIST") promotes a "Cybersecurity Framework" that is based on five primary functions: Identify, Protect, Detect, Respond, and Recover. (26) These functions work together to create a "successful and holistic cybersecurity program." (27) The International Organization for Standardization ("ISO") established ISO 27001, which contains detailed standards for information security that is accepted internationally as a "de facto" cybersecurity framework. (28) The ISO standard provides guidance for organizations to review, measure, and audit their cybersecurity programs so they can take corrective actions and make improvements. (29)
An effective cybersecurity program should balance security measures with safety concerns. (30) The concept of "defense in depth" aims to secure an organization's assets by establishing multiple layers of security controls. (31) For example, to protect the physical environment, the "first line of defense" involves implementing administrative, technical, and physical controls. (32) Administrative controls include facility design, employee management, and emergency response. (33) Technical controls include access limits, intrusion detection, and system audits. (34) Physical controls include perimeter security, locks, and guards. (35)
As an example of defensive measures, a "robust" network defense should include an Intrusion Detection System ("IDS") and an Intrusion Prevention System ("IPS") solution. (36) Conceptually, an IDS captures and analyzes copies of data packets in real time to detect malicious traffic, which is called "promiscuous" mode; because it sits off the traffic path it can alert but not block, so it works with other network devices, such as routers and firewalls, to act on what it finds. (37) In contrast, an IPS sits in the traffic path, which is called "inline" mode, and provides protection in real time by dropping malicious packets before they reach the trusted side of the network. (38) There are different types of IDS/IPS sensors such as signature based, policy based, anomaly based, and honeypot based. (39) These concepts are combined into an Intrusion Detection and Prevention System ("IDPS") that "consists of more than one application or hardware device and incorporates more than just detection" and involves three network defense functions: "prevention, detection, and response." (40)
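To make the sensor types above concrete, here is a small Python sketch, added as an example and not code from the article or from any IDS product, that runs signature-based, policy-based, and anomaly-based checks over a handful of constructed SSH authentication-log lines (a dictionary attack of the kind Cukier observed, mixed with ordinary logins). The log format, the "no password login for root" policy, the addresses, and the threshold of four failures per minute are all assumptions chosen for illustration.

```python
"""Toy intrusion-detection sensor: signature-, policy- and anomaly-based checks
over constructed SSH auth-log lines (added example, not from the article)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): a dictionary attack from 203.0.113.5
# interleaved with ordinary logins from 198.51.100.7.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:02 host sshd[101]: Failed password for admin from 203.0.113.5 port 4002 ssh2
Jan 10 10:00:02 host sshd[102]: Failed password for invalid user test from 203.0.113.5 port 4003 ssh2
Jan 10 10:00:03 host sshd[103]: Failed password for invalid user oracle from 203.0.113.5 port 4004 ssh2
Jan 10 10:00:04 host sshd[104]: Failed password for invalid user guest from 203.0.113.5 port 4005 ssh2
Jan 10 10:00:05 host sshd[105]: Accepted publickey for alice from 198.51.100.7 port 5001 ssh2
Jan 10 10:05:00 host sshd[106]: Failed password for alice from 198.51.100.7 port 5002 ssh2
Jan 10 10:05:30 host sshd[107]: Accepted password for alice from 198.51.100.7 port 5003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)

def parse_log(text):
    """Turn raw lines into event dicts; lines the sensor does not understand are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # Syslog lines carry no year; only relative times matter here.
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "outcome": m["outcome"],
            "method": m["method"],
            "invalid_user": m["invalid"] is not None,
            "user": m["user"],
            "src": m["src"],
        })
    return events

def signature_alerts(events):
    """Signature-based: match a known attack pattern (guessing account names that
    do not exist, typical of a dictionary attack)."""
    return [f"signature: login attempt for nonexistent user {e['user']} from {e['src']}"
            for e in events if e["invalid_user"]]

def policy_alerts(events):
    """Policy-based: flag what site policy forbids regardless of outcome
    (assumed policy: no password authentication for root)."""
    return [f"policy: password login for root attempted from {e['src']}"
            for e in events if e["user"] == "root" and e["method"] == "password"]

def anomaly_alerts(events, threshold=4, window_seconds=60):
    """Anomaly-based: flag a source whose failure rate exceeds what a person
    typing passwords would produce (threshold and window are assumptions)."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed":
            failures[e["src"]].append(e["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(f"anomaly: {end - start + 1} failed logins from {src} "
                              f"within {window_seconds}s")
                break  # one alert per source is enough
    return alerts

def analyze(text):
    """Run all sensors. An IDS in promiscuous mode would only raise these alerts;
    an IPS in inline mode could additionally drop further packets from the source."""
    events = parse_log(text)
    return {
        "signature": signature_alerts(events),
        "policy": policy_alerts(events),
        "anomaly": anomaly_alerts(events),
    }

if __name__ == "__main__":
    for kind, alerts in analyze(SAMPLE_LOG).items():
        for a in alerts:
            print(kind, "->", a)
```

Run as-is, the attacking address trips all three sensors while the legitimate user's single typo does not, which is the point of layering them: a signature catches only what it was written for, a policy rule catches only what was foreseen, and the rate-based anomaly check catches the brute-force pattern even when the attacker guesses real account names.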
-
PENETRATION TESTING
A cyber breach can leave an organization exposed to legal liabilities, and breaches "are frequently the result of vulnerabilities that could have been fixed for a relatively low cost." (41) To identify weaknesses in a network, an organization should conduct a risk assessment that includes a penetration ("pen") test. (42) Organizations routinely allow security researchers, also referred to as "pen testers," to reveal security gaps in their networks, including by using "brute force" hacking methods. (43) A pen tester is considered to be a "white hat or good hacker" who is trained to "think like a bad guy" with the end goal of improving the security practices of an organization "to prevent theft and damage." (44)
The purpose of a pen test is to figure out how a cybercriminal could harm an organization's computer systems and applications. (45) A pen test involves multiple phases that include planning, reconnaissance, scanning, exploitation, risk analysis, recommendation, and report generation. (46) An efficient pen test helps to identify various attack vectors so an organization can prioritize correcting any misconfigurations and improve the time to respond to a security incident. (47)
When researchers engage in reconnaissance and set up network defenses, an organization must maneuver through a "fog of legal and ethical uncertainty" that surrounds a maze of federal and state laws regarding computer crimes and privacy protections. (48) Generally, a pen tester needs express written permission by the targeted organization to conduct security tests along with a detailed agreement that includes the rules of engagement during the project; otherwise, the pen tester may end up in trouble with law enforcement and also face civil liabilities. (49)
A Florida case from 2016 demonstrates the need for an express agreement to conduct pen testing. An independent security researcher, David Levin, found a vulnerability in the website for the Lee County Elections in Florida. (50) To announce his findings, Levin appeared in a video posted on YouTube.com with Dan Sinclair, a candidate running against Sharon Harrington, the Supervisor of Elections. (51) In the video, Levin demonstrated how he used a SQL injection (52) attack to access usernames and passwords in the website's database. (53)
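To show what a SQL injection of this general kind does, and why it is a low-cost fix, here is an added Python example that is not the article's code and has nothing to do with the actual Lee County site: the schema, the rows, and the payloads are constructed for illustration. The same lookup is written twice, once by pasting the user's input into the statement text and once with a bound parameter.

```python
"""SQL injection, shown as the string-built query beside its parameterized form.
Added example; the schema, rows and payloads are constructed for illustration
and have nothing to do with any real election website."""
import sqlite3

def make_db():
    """In-memory database with a users table holding (constructed) password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "$2b$12$aaaaaaaaaaaaaaaaaaaaaa"),
        ("bob", "$2b$12$bbbbbbbbbbbbbbbbbbbbbb"),
        ("carol", "$2b$12$cccccccccccccccccccccc"),
    ])
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    """Concatenation: whatever the caller supplies becomes part of the SQL grammar."""
    sql = ("SELECT username, password_hash FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Parameter binding: the value travels to the engine separately from the
    statement text, so quotes inside it are data, never syntax."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Classic payloads. The first turns the WHERE clause into a tautology so every
# row comes back; the second appends a UNION that reads table definitions from
# SQLite's catalogue table and uses "--" to comment out the dangling quote.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    conn = make_db()
    print("normal lookup:", lookup_vulnerable(conn, "alice"))
    print("vulnerable + tautology:", lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY))
    print("vulnerable + union:", lookup_vulnerable(conn, PAYLOAD_UNION))
    print("safe + tautology:", lookup_safe(conn, PAYLOAD_TAUTOLOGY))
    print("safe + union:", lookup_safe(conn, PAYLOAD_UNION))
```

Against the vulnerable lookup the tautology payload returns every username and password hash in the table and the UNION payload returns the table's own CREATE statement, which is how an attacker learns what else to ask for; against the parameterized lookup both payloads are searched for as literal usernames and match nothing.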
Harrington reported the hacking incident to the Florida Department of Law Enforcement ("FDLE"). (54) The FDLE served Levin with a search warrant and took his cellphone and laptops belonging to him and his wife. (55) As a result of the investigation, the FDLE arrested Levin and charged him with "three third-degree-felony counts of property crimes." (56) While Levin faced prosecution, Harrington accused Sinclair of creating a publicity stunt. (57)
A written contract for pen testing should include details of the rules of engagement, which may require notification to law enforcement. In 2019, two pen testers employed by Coalfire, a security firm, tripped an alarm at the Dallas County Courthouse in Iowa. (58) Within three minutes, police officers arrived and found the pen testers walking around the building, taking pictures, and manipulating doors. (59) One of the pen testers...
-
COPYRIGHT GALE, Cengage Learning. All rights reserved.