Hacking the hackers: Draft US bill would allow hacking victims to hack back

But only to a certain extent…

David Bisson
@DMBisson

A United States representative has proposed a bill that would allow hacking victims to hack back their attackers.

On 3 March, Representative Tom Graves (R-Georgia) proposed a discussion draft of what he’s calling “ACDC”.

No, the bill has nothing to do with the “Thunderstruck” Australian rock band. ACDC in this case stands for “Active Cyber Defense Certainty.” It’s a term that empowers hacking victims to use “limited defensive measures that exceed the boundaries of one’s network” to stop and/or identify digital attackers.

Essentially, ACDC empowers companies that have experienced digital intrusions to hack back their attackers. But it’s important to note there are some limitations. Indeed, the bill limits victims’ defensive measures to gathering data about their attackers and sharing that information with law enforcement. It does not allow other activities such as destroying information, causing physical injury to another person, or creating a threat to public safety and/or health.

That’s all well and good. I commend Representative Graves for including those provisions in the bill.

However, even “gathering information” can be a slippery slope when it comes to digital attackers that use compromised machines to carry out their dirty work.

A hacking victim might endeavor to identify to whom an infected computer belongs, for example. In so doing, there’s a strong possibility they could violate the computer owner’s privacy. Worse, they might discover the machine belongs to a company that stores the personal and/or financial information of customers. By viewing that information without authorization, the victim would inadvertently compromise the confidentiality of that company’s data.

Representative Graves recognizes there are concerns his bill doesn’t address. But it’s a start. As he explains on his website:

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault. While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”

At this time, interested parties have a chance to provide feedback and make recommendations for the bill. Once they have done so, Representative Graves can move forward and formally introduce the bill to the U.S. House of Representatives.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Hacking the hackers: Draft US bill would allow hacking victims to hack back”

  1. Bob

    And what if the originating hackers happen to be a government / state department surveilling the 'victim'? The victim would be given full authorisation to hack back.

    1. Mark Jacobs · in reply to Bob

      Or someone forges evidence of a hack from organisation X, so that they can launch a full-scale hacking attack on organisation X.
