Should private, non-governmental companies be able to weaponize sophisticated, well-developed cybersecurity defenses to counter the cause of their own cyberattack? A cyber counterpunch of sorts, or “hack back,” continues to raise all sorts of layered ethical and legal questions for technologists and cybersecurity professionals alike. It is also an especially complicated question for governments with no direct answer yet. Insert artificial intelligence (AI) into the equation and the complications increase exponentially. The keyword for lawmakers is of course cause. Something that if poorly understood ends up often being undefinable, unidentifiable, and largely consequential.
The Study on Cyber-Attack Response Options Act
Introduced last year, the Study on Cyber-Attack Response Options Act is a bill directing the Department of Homeland Security to study and report on its findings of potential benefits and risks of amending “the Computer Fraud and Abuse Act to allow private entities to respond to an unlawful network breach, subject to federal regulation and oversight.” Many industry analysts and observers have derided the acceptance of the private sector onto the cyberwarfare stage as too risky while still some maintain such an introduction should be at least studied, particularly in light of the well-publicized ransomware cyberattacks of industry giants like SolarWinds, Colonial Pipeline, and JBS Foods. SolarWinds garnered added attention from legal watchers in the months following its cyberattack as a result of a group of investors filing a lawsuit that specifically named its former CEO and also its CISO at the time.