Rep. Tom Graves, R-Ga., introduced a bill as a discussion draft that would allow a victim of a cyberattack to access the attacker's computer in order to gather information about the attack to share with law enforcement or to stop the hacker from continuing to access their network.
The Active Cyber Defense Certainty Act would not allow cyberattack victims to destroy any information on their attacker's network or to otherwise cause a threat to public safety. The proposed amendment has not been formally introduced yet.
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” Graves said in a statement on March 3 announcing the proposal. “While the bill doesn't solve every problem, it's an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”
Conversation is all that Justin Kapahi, vice president of solutions and security for External IT, expects to come from the proposed bill. He said that the proposal was likely “meant to provoke discussion” rather than to actually become law.
“It's good to create a discussion around 'why do we have to play defense? Why can't we play offense?'” he said. Ultimately, though, he said advisors could take the proposal as “entertainment,” and to continue focusing their cybersecurity efforts on what regulators are looking for now.
He pointed out that most breaches are from users inadvertently giving their passwords to hackers. He recommended financial firms strengthen their cybersecurity programs with training and two-factor authentication.
Under the Computer Fraud and Abuse Act, victims of cyberattacks may not retaliate against their hackers by accessing their networks without authorization.
“I think it's kind of symptomatic of the whole state of cybersecurity that most people, me included, didn't even know that there were limits to what you can do to defend yourself,” said Tim Welsh, president and founder of Nexus Strategy.
Advisors are already struggling to keep up with cybersecurity demands. “I highly doubt that advisors are pondering this stuff at all,” Welsh said.
Cary Kvitka, a shareholder and member of Stark & Stark's securities practice, raised concerns about the ethical implications of allowing advisors to “fight back using similar or otherwise illegal tactics.”
“That's a little dicey for me,” he said in an interview. “When you're relying on self-defense, that typically involves a contemporaneous element so that if you're employing defensive measure, you're doing so at the actual time of the attack.”
However, Kvitka said allowing retaliatory hacking could be a disincentive to cyberattackers trying to breach financial firms' networks.
Scott MacKillop, CEO of First Ascent Asset Management, who has a JD from George Washington University, was similarly skeptical.
“You wonder exactly what they have in mind,” MacKillop said. “I suspect it's one of these proposals that wasn't even intended to go very far but is just there to make a statement.”
Read the full article in the March 29 issue of CU Times.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
