Hacking the hackers: Draft US bill would allow hacking victims to hack back

But only to a certain extent…


A United States representative has proposed a bill that would allow hacking victims to hack back their attackers.

On 3 March, Representative Tom Graves (R-Georgia) proposed a discussion draft of what he's calling "ACDC".

No, the bill has nothing to do with the "Thunderstruck" Australian rock band. ACDC in this case stands for "Active Cyber Defense Certainty." It's a term that empowers hacking victims to use "limited defensive measures that exceed the boundaries of one's network" to stop and/or identify digital attackers.

Essentially, ACDC empowers companies that have experienced digital intrusions to hack back their attackers. But it's important to note there are some limitations. Indeed, the bill limits victims' defensive measures to gathering data about their attackers and sharing that information with law enforcement. It does not allow other activities such as destroying information, causing physical injury to another person, or creating a threat to public safety and/or health.


That's all well and good. I commend Representative Graves for including those provisions in the bill.

However, even "gathering information" can be a slippery slope when it comes to digital attackers that use compromised machines to carry out their dirty work.

A hacking victim might endeavor to identify to whom an infected computer belongs, for example. In so doing, there's a strong possibility they could violate the computer owner's privacy. Worse, they might discover the machine belongs to a company that stores the personal and/or financial information of customers. By viewing that information without authorization, the victim would inadvertently compromise the confidentiality of that company's data.

Representative Graves recognizes there are concerns his bill doesn't address. But it's a start. As he explains on his website:

"This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault. While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat."

At this time, interested parties have a chance to provide feedback and make recommendations for the bill. Once they have done so, Representative Graves can move forward and formally introduce the bill to the U.S. House of Representatives.


2 Responses

  1. Bob

    March 8, 2017 at 12:30 am #

    And what if the originating hackers happen to be a government / state department surveilling the 'victim'? The victim would be given full authorisation to hack back.

    • Mark Jacobs in reply to Bob.

      March 8, 2017 at 12:43 pm #

      Or someone forges evidence of a hack from organisation X, so that they can launch a full-scale hacking attack on organisation X.
