Export Compliance Daily is a Warren News publication.
Graham ‘Fascinated’ by Concept

Sen. Whitehouse Seeks Formal Police Position on Industry ‘Hacking Back’

Congress needs a formal position from law enforcement on whether to let the private sector hack back, a controversial concept exempting companies from prosecution in cyber self-defense, Sen. Sheldon Whitehouse, D-R.I., told us. Though law enforcement mightn't have an appetite for this, Whitehouse said he heard from internet security companies and groups that depend on their services about the benefits of hack-back authority. “I’m sold on the notion that there should be some place that they can go to get a straight answer,” he said. “If the answer ends up being no, so be it. But I think it’s a mistake to answer serious questions by default without giving someone the chance to make their case.”

The Senate Crime and Terrorism Subcommittee ranking member raised the issue at a recent hearing (see 1808210058). He asked officials from the Department of Homeland Security, Office of the Director of National Intelligence and DOJ to follow up with a direct point of contact within government to address hacking back. Whitehouse conceded law enforcement’s testimony signaled the topic isn't “on anyone’s immediate radar.”

It’s newsworthy a Senate Democrat is raising the issue after Rep. Tom Graves, R-Ga., introduced the Active Cyber Defense Certainty Act (HR-4036) to allow such self-defense, said Red Branch Consulting founder Paul Rosenzweig. The former DHS deputy assistant secretary said it will be interesting to see if the concept gains momentum.

Subcommittee Chairman Lindsey Graham, R-S.C., told us he’s “fascinated about” the concept. “Hopefully, people will get back to us and give us their thoughts,” Graham said, saying he didn’t have an opinion. “I’m trying to learn as to what would be best.” DHS, DOJ and DNI didn’t comment.

Police are against the concept, Rosenzweig said, because law enforcement wants to maintain its “monopoly” on use of force. Steptoe & Johnson's Michael Vatis, founding director of the FBI National Infrastructure Protection Center cyber response authority, said he has never met a law enforcement official who supports the idea.

Police know it’s difficult to trace hackers, and more likely than not, a counterattack will strike an innocent website the hacker manipulated, Vatis said. There are varying definitions for “hacking back,” he said, and police might be more open to industry tools that trace hackers when information is stolen, which could aid investigations. “That seems less controversial,” he said. Vatis doubts many in industry are willing to stage offensive campaigns against attackers.

Rosenzweig suggested the private sector mightn't want to devote resources to something that's the responsibility of law enforcement. Southern Co. CEO Thomas Fanning told Whitehouse and the subcommittee as much during the hearing.

CyberVista Chief Cybersecurity Officer Simone Petrella said it’s important there's bipartisan, bicameral interest in cyber issues. She said hacking back mightn't be the best reason for stakeholders to come together, calling it an “ill-advised” idea. The security community is hesitant to back the concept because it could lead to companies inadvertently creating larger issues with counterattacks, she said. It could create more opportunity for bad actors to operate in darkness, using immunity under false pretenses. But she applauded that lawmakers are raising awareness on cyber issues.