FBI Director Tells Companies Not to 'Hack Back' Against Hackers
Last week, a congressman proposed a bill that would allow companies to legally counterattack against hackers. But it's not just the law that companies should take note of, Comey suggests.
Last week, a Republican congressman proposed a "cyber self defense" bill that would allow companies to counterattack against hackers. The Active Cyber Defense Certainty Act (ACDC) would amend the infamous Computer Fraud and Abuse Act (CFAA) to give private actors room to collect information about hackers in an attempt to identify them—in other words, to hack back.
But FBI Director James Comey is against this general idea, and not just out of legal concern. In a speech and Q&A session at the Boston Conference on Cyber Security on Wednesday, Comey said this sort of hacking back could disrupt the FBI's own work when trying to apprehend criminal hackers.
"It runs a risk of tremendous confusion in a crowded space," Comey said in response to a question at the end of his talk.
"And I know that's a frustrating answer often, and maybe some day our country will change the law, but the hacking back could cause all kinds of complications for things we're trying to do to protect you," he added.
Victims may have all sorts of motivations to hack back—maybe they want to uncover the attacker's identity, find out what country they are based in, or perhaps even remotely hack into the attacker's own servers to wipe any stolen data.
According to a 2015 Financial Times article, a Malaysian bank asked a security researcher to help do this (he turned down the job). In 2014, after the massive Sony data breach, Bloomberg reported that the FBI looked into whether hackers working on behalf of US financial institutions had disabled servers used by Iran to attack the websites of major banks.
This week, Motherboard contacted a slew of high profile Silicon Valley companies and banks—organizations that could benefit from hack-back legislation in some way—and asked whether they would welcome the proposed bill. The vast majority did not reply; Twitter said it did not have a statement, and Wells Fargo declined to comment.
JPMorgan Chase & Co. was one of the companies that did not respond to Motherboard. But the company advocated for hacking back in a closed meeting in 2013, according to Bloomberg.
The ACDC would allow a cyberattack victim to access "without authorization the computer of the attacker to the victim' [sic] own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network," according to a copy of the proposed bill. It would not allow hacking that destroys data stored on another computer, however, or causes any physical injury.
"Before you consider it, you should talk to us and see what we might be able to do to help," Comey continued.
"Don't do it. It's a crime. Don't do it."