Rep. Tom Graves, R-Ga., introduced a bill as a discussion draft that would allow a victim of a cyberattack to access the attacker’s computer in order to gather information about the attack to share with law enforcement or to stop the hacker from continuing to access their network.
The Active Cyber Defense Certainty Act would not allow cyberattack victims to destroy any information on their attacker’s network or to otherwise cause a threat to public safety. The proposed amendment has not been formally introduced yet.
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” Graves said in a statement on March 3 announcing the proposal. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”
Conversation is all that Justin Kapahi, vice president of solutions and security for External IT, expects to come from the proposed bill. He told ThinkAdvisor that the proposal was likely “meant to provoke discussion” rather than to actually become law.
“It’s good to create a discussion around ‘why do we have to play defense? Why can’t we play offense?’” he said. Ultimately, though, he said advisors could take the proposal as “entertainment,” and to continue focusing their cybersecurity efforts on what regulators are looking for now.
He pointed out that most breaches are from users inadvertently giving their passwords to hackers. He recommended financial firms strengthen their cybersecurity programs with training and two-factor authentication.
Under the Computer Fraud and Abuse Act, victims of cyberattacks may not retaliate against their hackers by accessing their networks without authorization.
“I think it’s kind of symptomatic of the whole state of cybersecurity that most people, me included, didn’t even know that there were limits to what you can do to defend yourself,” said Tim Welsh, president and founder of Nexus Strategy.
Advisors are already struggling to keep up with cybersecurity demands. “I highly doubt that advisors are pondering this stuff at all,” Welsh said.
Cary Kvitka, a shareholder and member of Stark & Stark’s securities practice, raised concerns about the ethical implications of allowing advisors to “fight back using similar or otherwise illegal tactics.”
“That’s a little dicey for me,” he said in an interview. “When you’re relying on self-defense, that typically involves a contemporaneous element so that if you’re employing defensive measure, you’re doing so at the actual time of the attack.”
However, Kvitka said allowing retaliatory hacking could be a disincentive to cyberattackers trying to breach financial firms’ networks.
Scott MacKillop, CEO of First Ascent Asset Management, who has a JD from George Washington University, was similarly skeptical.
“You wonder exactly what they have in mind,” MacKillop told ThinkAdvisor. “I suspect it’s one of these proposals that wasn’t even intended to go very far but is just there to make a statement.”
Future Impact of Cyber Counterstrikes
Kvitka wondered if the proposal could pave the way for the Financial Industry Regulatory Authority and the Securities and Exchange Commission to require advisory firms to take more aggressive tactics against entities that breach their cybersecurity defenses.
“If you’re breached, do you have to go after the guy who breached you? Do you have to have the means, policies and procedures in place to go after that data and assist in the prosecution of the person who breached you?” he said.
Kvitka doubts regulators would go that far, but “I think they would say, especially the SEC, [that firms should] consider those options when they’re drafting their policies and procedures and leave it open.”
If a bill like this were to pass and financial advisors could respond in kind to cyberattacks, Kvitka suggested they consult with their legal counsel before undertaking their own cyberattack, “not only to assess criminal liability or civil liability, but also whether their actions could breach regulatory authority from FINRA, the SEC or any other applicable regulatory bodies.”
He acknowledged that it might be hard for advisors who have just discovered malware on their network to refrain from retaliating until they get the go-ahead from their attorney.
“Firms might consider adopting polices that identify specific actions and designated reactions if this were to happen,” he suggested.
Even in that case, firms would need to keep up with changing regulations and make sure those pre-approved responses are still allowed when an attack happens.
For example, if a firm gets its attorney’s blessing on a cyber counterstrike policy, then “two years later something happens but the regulatory landscape has changed, that advisor or that affected firm is exposed” to liability, he said. “By adding another arrow to your quiver, you also have all the commensurate obligations that go along with it.”
MacKillop noted that if a proposal like Graves’ passed, taking advantage of it “would require a lot of education on everybody’s part because nobody has that kind of software today.”
“It reminds me of the reason why citizens on the street aren’t allowed to just pull guns and shoot people when they see crimes being committed. There’s a certain level of restraint and discretion in order to police these kinds of things,” MacKillop said. “Loosing the world of financial advisors and others on the world with aggressive software doesn’t really seem like a very good idea.”
As for whether any information gathered could be later used against the hacker in court, Kvitka pointed out that the proposal is just for “an amendment to a particular statute that holds somebody liable for this type of fraud. The person would not be liable criminally for engaging in this activity.”
However, “outside of this particular statute, what if that person has a civil case: Somebody hacks the firm, the firm retaliates and destroys the hacker’s hardware in the process, and the hacker sues the firm? There’s a certain element of fundamental fairness in everything, but when you’re looking at a strict statutory or civil law interpretation of a particular cause of action, sometimes that doesn’t factor in.”
— Check out 5 Cybersecurity Trends Dominating the Early 2017 Discourse on ThinkAdvisor.