Following widespread criticism of the proposed Active Cyber Defense Certainty (ACDC) Act earlier this year, Tom Graves (R-GA), who introduced the bill, has released an updated proposal. If enacted, it will allow organizations that are victims of hacks to conduct their own attacks to attempt to identify their assailants, stop the attacks, and retrieve stolen files.
The revised bill addresses some of the ambiguities of the original, but many have claimed that it is still fundamentally flawed. Security experts and critics of Graves’s proposal have described it as “ridiculous”, “incredibly dangerous”, and “smarmy and conceited.”
The number of provisos Graves has laid out evidences how easy it would be to misinterpret the ACDC Act and how impractical it would be to implement it.
For instance, the bill states that before any return hack can take place, organizations must notify the FBI’s National Cyber Investigative Joint Task Force (NCIJTF) of their actions. Given that there have been 724 data breaches in the US so far this year, the NCIJTF would surely be overwhelmed with notifications.
The bill also prohibits counter-hackers from:
- Destroying or rendering inoperable systems that don’t belong to the attacker
- Causing physical or financial injury to another person
- Creating a threat to public health or safety
- Exceeding the level of activity needed to perform reconnaissance in order to attribute the attack
Most confusingly, the bill also intends to prohibit vigilantism and protect against collateral damage, two things that legalizing counter-hacks all but guarantees. This is why the Computer Fraud and Abuse Act (CFAA) restricts hack backs. Authorizing them would only encourage more hacking from both sides at the expense of active defense, and counter-hackers couldn’t be sure they were targeting their attacks at the original perpetrators. Cyber criminals often hijack third-party computers to do their deeds for them, meaning innocent third parties would become targets.
As a result, CSO Online’s Ira Winkler (who called the bill “ridiculous”) asks, in the event of a third party being attacked, “would the victim be liable for damages suffered? If the third party doesn’t suffer direct damages, but they are subject to data breach notification requirements, would the hacking by the victim result in a situation requiring notification?”
However, in addition to these concerns, there are also ethical ones. Security analyst Graham Cluley writes: “If your counterattack disrupts or wipes data on someone else’s computer, then how are you any better than those people who attacked you?”
The general consensus is that, although the ACDC Act is right to acknowledge that the rise in cyber attacks needs to be addressed by government, this isn’t the way to do it. Winkler writes that “a better approach would be for the handful of organizations that may be capable of hacking back to actively engage with law enforcement.”
Subscribe to our Daily Sentinel for all the latest cybersecurity news and advice.