jump to navigation

HR 4036, the “Hack Back Bill”; Understanding Active & Passive Deterrence and the Escalation of Force Continuum. October 22, 2017

Posted by Chris Mark in cybersecurity, Uncategorized.
Tags: , , , , , , , , , ,
2 comments

SMallPirI wrote this original post several years ago but it seems to be more relevant now.   As CNN reports HR4036…”…formerly called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Its backers are US Representatives Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.”

This is a bill that is sound in theory and terrible in practice.  According to the Bill, (named ACDC) it would enable a company to take “..active defensive measures..” to access an attacker’s computer.  This is only applicable in the US…Think about this for a minute.  What is the evidence that I was the attacker of company A?  Maybe (quite possibly…almost certainly) a hackers is using my system as a proxy.  So some company can now attack my personal computer?  What happened to “due process”?.  If company X simply believes I am a hacker, they can access my personal data without a court order or any due process.  More profoundly, the issues it raises pose very real and very direct risks to employees of the company who ‘hacks back’.  This, I think, is unacceptable.

Having performed physical security in very real and very dangerous environments, I can personally attest to the fact that physical threats are real and difficult to prevent.  By allowing a ‘hack back’ the company faces a very real risk of escalating the situation from the cyber domain into the physical domain.  There is NO corporate data that is worth risking a human life.

Too often cybersecurity professionals forget that they are SECURITY professionals first and the  same rules of deterrence, escalation of force and other aspects apply.  Given this new Bill,  I felt this was a good time to again discuss deterrence (active and passive) and once again talk about the Escalation of Force Cycle.  So, what is deterrence? (warning…long post)..pic of the author off the cost of Somalia doing anti-piracy operations)

The History of Deterrence Theory:

The concept of deterrence is relatively easy to understand and likely extends to the earliest human activities in which one early human dissuaded another from stealing food by employing the threat of violence against the interloper.  Written examples of deterrence can be attributed as far back as the Peloponnesian War, when Thucydides wrote that there were many conflicts in which one army maneuvered in a manner that convinced the opponent that beginning or escalating a war would not be worth the risk.[1]  In the 4th Century BC, Sun Tzu wrote: “When opponents are unwilling to fight with you, it is because they think it is contrary to their interests, or because you have misled them in to thinking so.”[2]  While most people seem to instinctively understand the concept at the individual level, contemporary deterrence theory was brought to the forefront of political and military affairs during the Second World War with the deployment of nuclear weapons against Nagasaki and Hiroshima.[3]

The application of deterrence during WWII was the beginning of understanding that an internal value calculus drives human behavior and that behavior could be formally modeled and predicted with some degree of accuracy.  (more…)