Sen. Sheldon Whitehouse (D-R.I.) on Tuesday is expected to propose that Congress should consider allowing companies to “hack back” at digital attackers following a cyberattack, a divisive concept in the cybersecurity community.
Whitehouse, the top Democrat on the Senate Judiciary Subcommittee on Crime and Terrorism, says the idea is worth considering because hacking back can help prevent foreign actors from carrying out cyberattacks against U.S. entities.
“We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression,” according to Whitehouse’s prepared opening remarks, which he is expected to deliver Tuesday afternoon during at a cyber-focused subcommittee hearing.
{mosads}
“Active cyber defense” would involve organizations using a variety of techniques to prevent cyber breaches, as well as allowing them to track down perpetrators in the event that their systems come under attack.
Supporters of hacking back say that approach would allow companies to safeguard their networks from attacks while also identifying the hackers.
However, many people working in the cybersecurity field worry that hacking back would create more problems, such as harming unintended victims and escalating cyber feuds among companies and their attackers.
House lawmakers have previously introduced legislation that would allow victims to hack back.
Reps. Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) introduced legislation last year that would authorize companies and private citizens to engage in some “active defense measures” against hackers.
Georgia Gov. Nathan Deal (R) vetoed legislation earlier this year that would allow companies to take similar hack-back actions.
Major technology companies like Google and Microsoft mounted a campaign against the Georgia bill, warning of the potential ramifications for a policy that does not have “statutory criteria.”
“Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes,” the companies wrote in a letter to Deal, before he vetoed the measure.
Whitehouse will also propose several other cyber provisions, including creating a new role for a cybersecurity “storyteller-in-chief” who can “declassify information” and inform the public about digital threats.
He said that would help the “public understand our vulnerability to the wide range of cyber threats, from hacking and the theft of private data to cyberattacks on critical infrastructure.”
The Rhode Island senator also will call for a “stress test” of the National Institute of Standards and Technology Cybersecurity framework, a guide that aims to create a cybersecurity game plan for companies that includes best practices and industry standards. Whitehouse says stress tests are needed “to improve cybersecurity outcomes.”
Tuesday’s hearing is slated to take place one day after Microsoft announced that it had shut down six websites created by hackers linked to Russia’s military that were targeting conservative think tanks.