The US is discussing new legislation that will allow victims of ongoing cyber-attacks to fight back against hackers by granting entities under attack more powers with regard to the defensive measures they can take.
The new bill, if approved, will allow victims of cyber-attacks to "access without authorization the computer of the attacker [...] to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim's own network."
Proposed by Rep. Tom Graves of Georgia, the new bill is named the Active Cyber Defense Certainty Act (ACDC) and, if approved, will amend the Computer Fraud and Abuse Act (CFAA), the de facto legislation that governs cyber-related crimes.
But the proposed ACDC bill is not a blank check for online vigilantism. It makes it very clear that victims can't destroy any information stored on the attacker's computers, can't take actions that cause physical damage to another person, and can't take any action that creates a threat to public health or safety.
The reason behind this limitation is that hackers might be using botnets to carry out malicious attacks, meaning they might be using malware-infected computers that belong to innocent users.
A company that detects a security breach or is under a DDoS attack may access the attacking computers/devices only for reconnaissance or to take non-invasive actions that stop the ongoing attack.
"This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault," said Rep. Graves. "While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat."
Back in May 2016, Senators Whitehouse (D-RI), Graham (R-SC), and Blumenthal (D-CT) introduced the Botnet Prevention Act, which would have granted law enforcement the power to access any device that is part of a criminal botnet without a warrant signed by a judge.
The Botnet Prevention Act was shot down following intense pressure from the public and privacy groups, who argued that the proposed bill could be abused by intelligence agencies to spy on US citizens without a warrant.
On the other hand, the ACDC grants limited intrusion rights, but to victims, not law enforcement. Current CFAA legislation prevents any type of active defense, and victims can only take passive defensive measures, such as using firewalls or antivirus software.
The ACDC proposed bill is currently undergoing a phase of public discussion. A draft of the proposed ACDC act is available below.