A United States representative has proposed a bill that would allow hacking victims to hack back their attackers.
On 3 March, Representative Tom Graves (R-Georgia) proposed a discussion draft of what he’s calling “ACDC”.
No, the bill has nothing to do with the “Thunderstruck” Australian rock band. ACDC in this case stands for “Active Cyber Defense Certainty.” The bill empowers hacking victims to use “limited defensive measures that exceed the boundaries of one’s network” to stop and/or identify digital attackers.
Essentially, ACDC empowers companies that have experienced digital intrusions to hack back their attackers. But it’s important to note there are some limitations. Indeed, the bill limits victims’ defensive measures to gathering data about their attackers and sharing that information with law enforcement. It does not allow other activities such as destroying information, causing physical injury to another person, or creating a threat to public safety and/or health.
That’s all well and good. I commend Representative Graves for including those provisions in the bill.
However, even “gathering information” can be a slippery slope when it comes to digital attackers that use compromised machines to carry out their dirty work.
A hacking victim might endeavor to identify to whom an infected computer belongs, for example. In so doing, there’s a strong possibility they could violate the computer owner’s privacy. Worse, they might discover the machine belongs to a company that stores the personal and/or financial information of customers. By viewing that information without authorization, the victim would inadvertently compromise the confidentiality of that company’s data.
Representative Graves recognizes there are concerns his bill doesn’t address. But it’s a start. As he explains on his website:
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault. While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”
At this time, interested parties have a chance to provide feedback and make recommendations for the bill. Once they have done so, Representative Graves can move forward and formally introduce the bill to the U.S. House of Representatives.
And what if the originating hackers happen to be a government / state department surveilling the 'victim'? The victim would be given full authorisation to hack back.
Or someone forges evidence of a hack from organisation X, so that they can launch a full-scale hacking attack on organisation X.