‘Hack back’ law introduced to Congress

Updated: October 19, 2017

Rep. Tom Graves (R-GA) and Rep. Kyrsten Sinema (D-AZ) have introduced a new version of the controversial Active Cyber Defense Certainty (ACDC) Act to Congress.

If enacted, it would allow organizations that are victims of hacks to conduct ‘hack backs’ to attempt to identify their assailants, stop the attacks, and retrieve stolen files.

The revised bill addresses some of the ambiguities of the original proposal, but many have claimed that it’s still fundamentally flawed. Security experts and critics of the bill have described it as “ridiculous”, “incredibly dangerous”, and “smarmy and conceited.”

Levelling the “lopsided cyber battlefield”

In a statement announcing the bill’s introduction, Graves said: “While it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate. The certainty the bill provides will empower individuals and companies to use new defences against cybercriminals.

“I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders. We must continue working toward the day when it’s the norm – not the exception – for cyber criminals to be identified and prosecuted.”

Collateral damage

The number of provisos Graves and Sinema lay out shows how easy it would be to misinterpret the ACDC Act and how impractical it would be to implement.

For instance, the bill states that before any return hack can take place, organizations must notify the FBI’s National Cyber Investigative Joint Task Force (NCIJTF) of their actions. Given that there have been 1,103 data breaches in the US so far this year, the NCIJTF would surely be overwhelmed with notifications.

The bill also prohibits counter-hackers from:

  • Destroying or rendering inoperable systems that don’t belong to the attacker;
  • Causing physical or financial injury to another person;
  • Creating a threat to public health or safety; and
  • Exceeding the level of activity needed to perform reconnaissance in order to attribute the attack.

Most confusingly, the bill also intends to prohibit vigilantism and protect against collateral damage, two things that legalizing counter-hacks all but guarantees. This is why the Computer Fraud and Abuse Act (CFAA) restricts hack backs. Cyber criminals frequently route their attacks through compromised third-party computers, so a counter-hack aimed at the apparent source of an attack is likely to hit an innocent party rather than the attacker; authorizing counter-hacks would only lead to more hacking and more innocent parties being targeted.

There are also ethical and legal questions. Security analyst Graham Cluley writes: “If your counterattack disrupts or wipes data on someone else’s computer, then how are you any better than those people who attacked you?”

Meanwhile, CSO Online’s Ira Winkler (who called the bill “ridiculous”) asks, in the event of a third party being hacked, “would the [original] victim be liable for damages suffered? If the third party doesn’t suffer direct damages, but they are subject to data breach notification requirements, would the hacking by the victim result in a situation requiring notification?”

The general consensus is that, although the ACDC Act is right to acknowledge that government needs to address the rise in cyber attacks, this isn’t the way to do it. “[A] better approach,” writes Winkler, “would be for the handful of organizations that may be capable of hacking back to actively engage with law enforcement.”
