Written by Patrick Howell O'Neill
A bill legalizing companies’ ability to “hack back” after they’ve been attacked is back on track after months of feedback. Let’s unpack.
Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Ariz., introduced a modified Active Cyber Defense Certainty (ACDC) Act on Friday allowing companies to “hack back” against hackers in an effort to identify and stop cyberattacks.
The ACDC amends the Computer Fraud and Abuse Act (CFAA), which makes it illegal to access computers without authorization. Companies and individuals would be granted the right to “active defense” using various ways to identify, disrupt and possibly even destroy data in the name of “hacking back.”
“These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,” Graves said in a statement. “I thank everyone who helped sharpen this idea and improve the legislation. I look forward to continuing the conversation and formally introducing ACDC in the next few weeks.”
The bill allows hacking victims to retaliate and destroy stolen data “if it’s located using the active-defense techniques permitted by this bill and does not result in the destruction of data belonging to another person,” a press release from Graves explained.
Any attack resulting in financial harm or other collateral damage is forbidden.
The newest version of the bill also requires reporting “for entities that use active-defense techniques,” Graves said, except for “beaconing technology” that helps physically locate an attacker.
A sunset clause of two years was also added, meaning that even if ACDC becomes law, this issue is going to be taken up in Congress at least once more.
“The catch is that it is hard to open the door wide enough to make a genuine difference for victims, without opening the door to a host of unintended problems under two big headings: mistaken attribution and unintended collateral impacts,” Bobby Chesney, a professor at the University of Texas School of Law, wrote earlier this year. “Put more directly, it is not hard to see how the more aggressive forms of active defense might result in harms to innocent parties. Some amount of risk along those lines may be worth it, depending on the benefits also obtained; it’s just awfully hard to know for sure.”
The sunset and reporting requirements are an attempt to meet recommendations from Chesney and others for oversight and re-examination.
Graves urged passing the bill to develop and use new tools that are currently illegal under the CFAA and to disincentivize criminal hacking.
You can read the full bill here.