Rep. Tom Graves, R-Ga., introduced a bill as a discussion draft that would allow a victim of a cyberattack to access the attacker’s computer in order to gather information about the attack to share with law enforcement or to stop the hacker from continuing to access their network.
The Active Cyber Defense Certainty Act would not allow cyberattack victims to destroy any information on their attacker’s network or to otherwise cause a threat to public safety. The proposed amendment has not been formally introduced yet.
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” Graves said in a statement on March 3 announcing the proposal. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”
Conversation is all that Justin Kapahi, vice president of solutions and security for External IT, expects to come from the proposed bill. He told ThinkAdvisor that the proposal was likely “meant to provoke discussion” rather than to actually become law.
“It’s good to create a discussion around ‘why do we have to play defense? Why can’t we play offense?’” he said. Ultimately, though, he said advisors could take the proposal as “entertainment,” and to continue focusing their cybersecurity efforts on what regulators are looking for now.
He pointed out that most breaches are from users inadvertently giving their passwords to hackers. He recommended financial firms strengthen their cybersecurity programs with training and two-factor authentication.
Under the Computer Fraud and Abuse Act, victims of cyberattacks may not retaliate against their hackers by accessing their networks without authorization.
“I think it’s kind of symptomatic of the whole state of cybersecurity that most people, me included, didn’t even know that there were limits to what you can do to defend yourself,” said Tim Welsh, president and founder of Nexus Strategy.
Advisors are already struggling to keep up with cybersecurity demands. “I highly doubt that advisors are pondering this stuff at all,” Welsh said.
Cary Kvitka, a shareholder and member of Stark & Stark’s securities practice, raised concerns about the ethical implications of allowing advisors to “fight back using similar or otherwise illegal tactics.”
“That’s a little dicey for me,” he said in an interview. “When you’re relying on self-defense, that typically involves a contemporaneous element so that if you’re employing defensive measure, you’re doing so at the actual time of the attack.”
However, Kvitka said allowing retaliatory hacking could be a disincentive to cyberattackers trying to breach financial firms’ networks.
Scott MacKillop, CEO of First Ascent Asset Management, who has a JD from George Washington University, was similarly skeptical.
“You wonder exactly what they have in mind,” MacKillop told ThinkAdvisor. “I suspect it’s one of these proposals that wasn’t even intended to go very far but is just there to make a statement.”
Future Impact of Cyber Counterstrikes