topic Re: H.R. 4036: Active Cyber Defense Certainty Act in Industry News

H.R. 4036: Active Cyber Defense Certainty Act

rslade — Mon, 09 Oct 2023 08:48:49 GMT

OK, USians, possibly time to talk to your Congresscritters.

Govtrack gives H.R. 4036, aka the Active Cyber Defense Certainty Act, only about a 12% chance of succeeding. Which is probably a good thing.

"Congress determines that the use of active cyber defense techniques, when properly applied, can also assist in improving defenses and deterring cybercrimes."

Oh, really?

The rest of the rationale seems to be that attackers are dangerous and fast, and waiting around for law enforcement to help you is just going to give the bad guys time to destroy your systems and get away.

OK, I don't understand all of the wording in this bill. (I rather suspect that the author isn't entirely certain of it, either.) But the overall upshot seems to be that, yes, you can attack anyone who is attacking you (or who you think is attacking you) if you tell the FBI you are going to do it.

Come to think of it, good luck with finding, before the bad guys destroy your systems and get away, someone in the FBI who understands the situation and will give you official permission to mount an active defence attack.

Re: H.R. 4036: Active Cyber Defense Certainty Act

JayCee — Mon, 11 Jun 2018 07:37:25 GMT

(10) Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.

Hmmm....

No chance of them being explicit with who they feel are qualified then? And attribution is always easy, isn't it?!

Re: H.R. 4036: Active Cyber Defense Certainty Act

HTCPCP-TEA — Mon, 11 Jun 2018 13:19:33 GMT

Agreed.

It's been a much discussed issue here too (UK) in terms of "Attacking the Attackers". While it seems to be a great idea at first, there are so many inherent issues to consider that it becomes problematic to even consider.

While the merits and pitfalls of such activities could be argued for years to come, there will inevitably be more and more reasons to sanction such activities. However, careful consideration would be needed in terms of where lines of remit, boundaries of responsibility and where the law sits in regards to it all.

Reporting into someone prior to taking action is likely the bet course of action, if it was at all feasible... but as you rightly point out, there is no guarantee that the person you report into would have any idea what you were about to do anyway, let alone have the power to critique or monitor it....

As you rightly point out, at this moment, it is unlikely that any such legislation will come to pass....but maybe one day..........

Re: H.R. 4036: Active Cyber Defense Certainty Act

Beads — Mon, 11 Jun 2018 14:20:02 GMT

Imagine the future history book describing the early beginnings of World War III being started by a well meaning intern attacking and hacking back an unknown adversary. Setting off a chain of continuing chain of events that quickly escalates to the government level with all parties reacting accordingly. Hack, counter-hack and attack. Rinse and repeat.

All we need is an electronic version of Gavrilo Princip to assassinate the next Franz Ferdinand. This bill needs to die quietly and never see the light of day or committee - whichever comes first.

Re: H.R. 4036: Active Cyber Defense Certainty Act

Flyslinger2 — Mon, 11 Jun 2018 15:15:03 GMT

It's the modern version of a shoot out in front of the saloon-whoever has the quicker draw (compute power), better aim (strategy), and ability to dodge the bullet (think Neo in Matrix), would win the battle.

Beyond a few nation states, and some large corporations, namely Apple, IBM, Dell, HP, etc. that does have the compute power to execute a counter attack, the little guy has no chance.

I agree with @Beads that this is silly at best and demonstrates a complete lack of understanding of the dark web. This bill is a waste of time.

Re: H.R. 4036: Active Cyber Defense Certainty Act

rslade — Mon, 11 Jun 2018 16:52:42 GMT

A friend (who is just finishing up his PhD on the topic) and I are working on a presentation on "Ethics of Active Defence," and looking for conferences to present it at.

Re: H.R. 4036: Active Cyber Defense Certainty Act

HTCPCP-TEA — Tue, 12 Jun 2018 07:39:44 GMT

Let us know where you do get to present.

It would be of high interest to many I'm sure! If I see any call for such things I will pass details on to you.

Cheers

Re: H.R. 4036: Active Cyber Defense Certainty Act

rslade — Tue, 12 Jun 2018 21:43:28 GMT

@HTCPCP-TEA wrote:
Let us know where you do get to present.

Thanks, I'll try to remember to stick it in here. (I've spent most of the morning reading my co-presenter's draft dissertation on "ACD" [during a boring vendor seminar] [for which I'll have to remember to submit CPEs] and making notes for him to address issues there.)

@HTCPCP-TEA wrote:
It would be of high interest to many I'm sure! If I see any call for such things I will pass details on to you.

Thanks much. I've done a number of presentations on ethics over the years, and this makes a really interesting case study. I also think it is an area that a lot more people should be thinking about, with implications for a wide range, such as artificial intelligence, network design, forensics, etc.

(The vendor this morning works in the network security space. We had a VP giving us top secret information about future product lines. I asked a question about active defence, and expected he wouldn't answer because it might be too political/controversial even for a closed group like this one. I didn't get an answer--because he didn't understand the question ...)

Re: H.R. 4036: Active Cyber Defense Certainty Act

rslade — Wed, 13 Jun 2018 01:23:54 GMT

Hey, admins and ISC2 HQ type people: you guys interested in a Webinar on the Ethics of Active Defence?

Re: H.R. 4036: Active Cyber Defense Certainty Act

rslade — Thu, 01 Nov 2018 13:59:25 GMT

@HTCPCP-TEA wrote:
Let us know where you do get to present.

Well, we are doing it in about four hours at Infowarcon. Not my favourite situation for a first time out, since Patrick is in Virginia and I'm about 3,000 miles away leading off the pres via Skype.

(We still haven't tested the connection to the conference venue ...)

Re: H.R. 4036: Active Cyber Defense Certainty Act

rslade — Fri, 01 Feb 2019 17:43:08 GMT

@HTCPCP-TEA wrote:
Let us know where you do get to present.

OK, the Vancouver Chapter is doing it next week, Feb. 8, 2-4 pm, PST.

For those of you who aren't in Vancouver (poor you), we will be broadcasting this meeting
and may post it later on YouTube. Please register by sending an email to van.secsig@gmail.com with the Subject line: February 8th, 2019 + Your Name. You will get an email with the YouTube URL just before the meeting. (It might start a little after 2 pm.) While you are welcome to share your display with colleagues (but remind them to abide by the confidentiality rules set by the speaker for the meeting), please do not forward the URL to others (instead, ask them to join VanSecSIG and register directly for the video broadcast). Please also note that the (ISC)Â² Vancouver Chapter will only submit CPE credits for those who attend the meeting in person and sign the attendance sheet. (You can still submit for your own CPEs, but we can't prove anything about your attendance.)

Re: H.R. 4036: Active Cyber Defense Certainty Act

Flyslinger2 — Fri, 01 Feb 2019 18:37:36 GMT

Here on the East Coast in DC that is Happy Hour and Mrs. Fly doesn't like her date night messed with. So, I will wait for the Youtube link so I can watch it at a later time. Hope it goes well!