The “Hack Back” Bill: What it is and Current Status

If your company is hacked, should you have the right to “hack back”? That’s what a recently introduced bill in Congress proposed.

Under the Computer Fraud and Abuse Act (“CFAA”), it is illegal to knowingly or intentionally access another computer without authorization or to exceed authorized access.

However, in 2017, Congressmen Tom Graves (R-GA) and Mark Warner (D-VA) introduced the Active Cyber Defense Certainty (ACDC) Act, dubbed the “hack back” bill by many. The 2017 version of the bill was not passed because of security concerns. The bill was reintroduced in 2019 by Graves and Josh Gottheimer (D-NJ).

The proposed hack back bill would change the CFAA by providing a “defender”—“a person or an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer”—a defense to criminal prosecution under the CFAA when the defender takes active measures against an attacker.

These active measures can come in the form of “beacons,” which allow a defender to place hidden code on a hacker’s computer which, once activated, records identifying information about the hacker. However, before taking any active defense measure, the defender must notify the FBI National Cyber Investigative Joint Task Force and receive authorization for the countermeasures.

The bill defines “active defense cyber measure” as:

“any measure—undertaken by, or at the direction of, a defender; and consisting of accessing without authorization the computer of the attacker to the defender’s own network to gather information in order to:

  • establish attribution of criminal activity to share with law enforcement and other United States Government agencies responsible for cybersecurity;
  • disrupt continued unauthorized activity against the defender’s own network; or
  • monitor the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques;

but does not include conduct that:

  • intentionally destroys or renders inoperable information that does not belong to the victim that is stored on another person or entity’s computer;
  • recklessly causes physical injury or financial loss as described under subsection (c)(4);
  • creates a threat to the public health or safety;
  • intentionally exceeds the level of activity required to perform reconnaissance on an intermediary computer to allow for attribution of the origin of the persistent cyber intrusion;
  • intentionally results in intrusive or remote access into an intermediary’s computer;
  • intentionally results in the persistent disruption to a person or entity’s internet connectivity resulting in damages defined under subsection (c)(4); or
  • impacts any computer described under subsection (a)(1) regarding access to national security information, subsection (a)(3) regarding government computers, or to subsection (c)(4)(A)(i)(V) regarding a computer system used by or for a Government entity for the furtherance of the administration of justice, national defense, or national security”.


Potential Pros of the Hack Back Bill

Advocates of the hack back bill point to the growing number of cyberattacks as evidence that something needs to be done to better protect private sector organizations. They argue that current law does not do enough to deter hackers and that organizations need to be empowered to take matters into their own hands. Furthermore, they argue that by allowing companies to fight back, we will be able to track down and prosecute more hackers than we currently do.

Hack back also could offer access to the attacker’s infrastructure, allowing organizations to recover encryption keys or disrupt the attack. It could also be used to collect cyber threat intelligence to learn the tools, techniques, and procedures hackers use. This valuable intelligence could help companies prevent potential attacks.


Potential Cons of the Hack Back Bill

Those opposing the hack back bill caution that it would lead to an escalation of hostilities leading to cyber wars between hackers and private companies. They argue that if hacking becomes a game of tit-for-tat, it will become increasingly difficult for law enforcement and intelligence agencies to track down those responsible for attacks. Furthermore, they warn that attackers could use somebody else’s computer to launch an attack, making it difficult to identify who is responsible. You don’t want private companies accidentally attacking victims of another hack, just because that victim’s system was used by the attacker.

There are also potential legal dilemmas in legalizing a response in the US that might not be considered legal internationally, not to mention the potential political nightmare of attacking a nation-state-sponsored cyberattack team from Russia or North Korea.

Think that couldn’t happen? Consider the SolarWinds Orion attack that came to light in December 2020 and potentially affected more than 425 of the Fortune 500 list of top companies; all of the top 10 telecommunications companies; all five branches of the military; and all of the top five accounting firms. The breach came to light in December 2020, but the Russian Foreign Intelligence Service wasn’t confirmed as the threat actor until the following April. If a hack back law had been in place, companies could have proceeded with offensive security before realizing that it was a Russian state-sponsored attack.


Current Status of the Hack Back Bill

While the bill has been introduced in the House, it has not advanced from that point because of considerable concerns over the bill as proposed, not to mention that many of its conditions were not well defined, and far too many legal questions were left unanswered or remained ambiguous.


Study on Cyber-Attack Response Options Act

In June 2021, Senators Steve Daines (R-MT) and Sheldon Whitehouse (D-RI) introduced the Study on Cyber-Attack Response Options Act, which instructs the Department of Homeland Security to study the “potential consequences and benefits” of allowing private companies to hack back following cyberattacks.

The Act called for the Secretary of Homeland Security, in consultation with other Federal agencies as appropriate, to conduct a study on the potential benefits and risks of amending the CFAA to allow private entities to take proportional actions in response to an unlawful network breach, subject to oversight and regulation by a designated Federal agency.

The report was to be completed “not later than 180 days after the date of enactment of this Act” and it was to:

  • address any impact on national security and foreign affairs; and
  • include recommendations for—
    • which Federal agency or agencies may authorize proportional actions by private entities;
    • what level of certainty regarding the identity of the attacker is needed before such actions would be authorized;
    • which entities would be allowed to take such actions and under what circumstances;
    • what actions would be permissible; and
    • what safeguards should be in place.

Even the study hasn’t been able to gain any traction in Congress as it hasn’t advanced past the “introduced” stage in the 15 months since it was introduced.

Currently, the idea of legalized offensive security measures to “hack back” at cyberhackers is no more than that: an idea that has generated some support in Congress, but clearly not enough to come close to what could be considered a groundswell of support.


Current Offensive Security Trends

However, that doesn’t mean that offensive security efforts are unprecedented. Some organizations and individuals have already taken offensive security action.

Google China Hack Back of 2010

For example, in late 2009/early 2010 Google discovered that it was the target of sophisticated cyber-espionage believed to be controlled or supported by the Chinese government.

In response, Google “began a secret counteroffensive,” breaking into a computer in Taiwan that it suspected of being the source of the attacks. Google engineers discovered evidence of the aftermath of the attacks, not only at Google but also at at least 33 other companies, including Adobe Systems, Northrop Grumman and Juniper Networks, and determined that the sophistication of the attacks strongly suggested an operation run by Chinese government agencies, or at least approved by them.

In response, Google declared that it would no longer “self-censor” searches conducted on google.cn, its Chinese search engine. However, even then, Google company engineers could not definitively prove their case.


Scammer Payback (“Pierogi”)

Then there are people like “Pierogi” who have built a second career on hacking the hackers. “Pierogi” is the name he goes by (his real name is undisclosed), and he claims to have a regular job in cybersecurity. But his stated “second job” is to ruin a scammer’s day by turning the tables on them, accessing their systems and deleting their files, all while those very scammers are trying to access his systems or install malware on his computer.

As he explained in a recent interview, the typical scam begins with a social engineering attack in which the intended victim receives an email that prompts a phone call to address an issue (e.g., “your account is suspended”). The phone call takes the victim into the scammer’s call center, where the scammer guides the victim through logging into a bogus site that gives the scammer access to the victim’s computer. However, when Pierogi is the “victim,” he turns the tables and accesses the scammer’s computer instead, where he can access, and delete, their files.

How does he illustrate what he’s doing? Pierogi records the call in which he pretends to be a victim, typically elderly, who is falling for the scam. To that end, he has a series of voices he uses to lure the scammer into a false sense of security. He records both ends of the call and also includes video of his accessing the scammer’s system and deleting files. When the scammer realizes what is happening, he naturally gets angry, and Pierogi typically continues to goad the scammer until he hangs up. The videos are entertaining, and Pierogi has built a huge following on YouTube, with over 3.5 million subscribers to his channel.

Here’s one of his videos, which has over 19 million views: “Scammer BEGS For His Deleted Files As I Drink His Tears.”

Many of these scammers are based in India and are often running legitimate organizations during the day, then scamming people at night (India time). Pierogi speaks Hindi and can communicate with the scammers in their native language once it’s clear he has hacked them, and he can even identify the location where they work. If your organization is outsourcing services offshore, such as application development or managed IT, it could be using one of these companies.

So, who is Pierogi? He has taken great pains to keep his identity a secret, and it’s virtually impossible to find out any details about his upbringing, educational background, day job, or anything else. The level of secrecy is understandable, given that he doesn’t want to give the scammers any information they can use against him. His hacking of scammers and deleting their files is technically a violation of the CFAA, so that’s likely another reason he chooses to remain anonymous.

Scammer Payback also has a paid membership program available from his YouTube channel, with certain perks available based on membership level, from $4.99 per month up to $99.99 per month. So, his activities are revenue generating as well.

There are a few other individuals who are also conducting offensive security measures against hackers and scammers.


Conclusion

Aside from the occasional corporate exception or a handful of hackers who are fighting back with their own offensive security measures, the idea of hacking back against hackers has not gained any traction as a government-approved activity to date, even for a study to evaluate the potential consequences and benefits of hacking back. It may take a combination of significant cyberattacks plus a well-defined program of hacking back that addresses concerns ranging from correctly identifying the hackers to avoiding political landmines to get Congress to act on any potential hack back legislation.
