A US congressman is currently tinkering away at a proposed bill that will legalize some "hack back" counter-measures that breached companies can take to stop and identify ongoing cyber-attacks, and recover their data.
Called the Active Cyber Defense Certainty Act (ACDC), this bill will bring amendments to the Computer Fraud and Abuse Act (CFAA), the US law that governs cyber-related crimes.
Rep. Tom Graves of Georgia proposed a first version of the ACDC bill back in March. That version of the bill would have allowed victims of cyber-attacks to hack their attacker for the sole purpose of collecting information that could help in identifying the culprit.
After public meetings and feedback from the business community, academia, and cybersecurity policy experts, Rep. Graves has made some important modifications to the ACDC bill.
The most important of these is that the ACDC bill would allow a victim to take aggressive countermeasures against an attacker to protect its data, meaning a victim would be able to delete its own information, if it finds it on the attacker's system.
This provision was made for victims of data breaches and data theft, in order to allow them to delete stolen company data present on an attacker's web or FTP servers. This could be useful to prevent the spread of stolen data, if the breach is discovered shortly after it happened.
Furthermore, a victim carrying out a "hack back" attack cannot destroy any data belonging to another person, including the attacker, or cause damage or impairment of the attacker's machine.
This provision is present in the ACDC bill to protect shared hosting providers and the property of users whose computers were infected with malware and are being used without their knowledge or consent.
Furthermore, to bypass proxies and other anonymizing services, and aid in identifying an attacker's actual location, ACDC authors also amended the bill to include the use of beaconing technology, which was not included in the ACDC's first version.
To curtail any abuse of "hack back" actions, legislators are also proposing that victims who want to engage in such endeavors first report to authorities.
The ACDC 2.0 bill describes the following actions as "active cyber defense measures:"
On the other hand, the ACDC 2.0 bill specifically prohibits any action that: