Two members of the US House of Representatives today introduced a law bill that would allow hacking victims to seek revenge and hack the hackers who hacked them.
The Active Cyber Defense Certainty Act (ACDC) would amend the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy "beaconing technology" to trace the physical location of the attacker.
"While it doesn't solve every problem, ACDC brings some light into the dark places where cybercriminals operate," said co-sponsor Representative Tom Graves (R-GA).
"The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders. We must continue working toward the day when it's the norm – not the exception – for criminal hackers to be identified and prosecuted."
I never thought of it this way. It's basically the cyber version of being allowed to murder someone for entering your property. https://t.co/vu1TxqQIMK — MalwareTech (@MalwareTechBlog) October 13, 2017
Congress has been mulling such laws for a while but many security professionals are worried that such legislation will lead to IT departments and individuals going into full vigilante mode, and causing massive collateral damage. But the bill's sponsors say that safeguards have been built in.
For a start, the legislation only allows hacking of computers on American soil, which instantly limits its usefulness given that even domestic hacking attacks typically route through overseas servers. In other words, you could be hacked in California by someone, possibly in America, using a system in France, and you wouldn't be able to retaliate under the law.
Companies are also financially liable for any damage they cause to innocent computer users, providing those users can find out who borked their systems.
This is a classic example. Oracle accused SAP of exporting their support database. In theory they could hack in and destroy it. 🐿🐿🐿 https://t.co/mG71AtK2VQ — Beaumont Porg, Esq. (@GossiTheDog) October 13, 2017
Before hacking back, the IT department would have to submit some homework to the FBI's National Cyber Investigative Joint Task Force so the Feds can make sure national boundaries are being respected and that any action wouldn't interfere with an ongoing investigation.
"The Active Cyber Defense Certainty Act gives specific, useful tools to identify and stop cyberattacks that have upended the lives of hundreds of millions of Americans," said cosponsor Representative Kyrsten Sinema (D-AZ).
"The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications for Arizona families and businesses. It is our responsibility to find and advance solutions that safeguard the privacy of Arizonans while protecting the security of their data. I look forward to continuing thoughtful conversations as we move forward."
As an additional safeguard, the legislation is time-limited and would expire after two years. If enacted, the US Department of Justice would have to report to Congress once a year on the cyber-sorties carried out under the law.
The proposed act is in its early stages, and it must jump over various hurdles and survive the committee stages to make it onto the law books. ®