US Congress mulls first 'hack back' revenge law. And yup, you can guess what it'll let people do

Can you say 'collateral damage'?


Two members of the US House of Representatives today introduced a law bill that would allow hacking victims to seek revenge and hack the hackers who hacked them.

The Active Cyber Defense Certainty Act (ACDC) [PDF] amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy "beaconing technology" to trace the physical location of the attacker.

"While it doesn't solve every problem, ACDC brings some light into the dark places where cybercriminals operate," said co-sponsor Representative Tom Graves (R-GA).

"The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders. We must continue working toward the day when it's the norm – not the exception – for criminal hackers to be identified and prosecuted."

Congress has been mulling such laws for a while but many security professionals are worried that such legislation will lead to IT departments and individuals going into full vigilante mode, and causing massive collateral damage. But the bill's sponsors say that safeguards have been built in.

For a start, the legislation only allows hacking of computers on American soil, which instantly limits its usefulness given that even domestic hacking attacks typically route through overseas servers. In other words, you could be hacked in California by someone, possibly in America, using a system in France, and you wouldn't be able to retaliate under the law.

Companies are also financially liable for any damage they cause to innocent computer users, providing those users can find out who borked their systems.

Before hacking back, the IT department would have to submit some homework to the FBI's National Cyber Investigative Joint Task Force so the Feds can make sure national boundaries are being respected and that any action wouldn't interfere with an ongoing investigation.

"The Active Cyber Defense Certainty Act gives specific, useful tools to identify and stop cyberattacks that have upended the lives of hundreds of millions of Americans," said cosponsor Representative Kyrsten Sinema (D-AZ).

"The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications for Arizona families and businesses. It is our responsibility to find and advance solutions that safeguard the privacy of Arizonans while protecting the security of their data. I look forward to continuing thoughtful conversations as we move forward."

As an additional safeguard, the legislation is time limited and will expire after two years. If enacted, the US Department of Justice would have to address Congress once a year to keep them updated on cyber-sorties carried out under the law.

The proposed act is in its early stages, and it must jump over various hurdles and survive the committee stages to make it onto the law books. ®
