US Capitol building

A US congressman is currently tinkering away at a proposed bill that will legalize some "hack back" counter-measures that breached companies can take to stop and identify ongoing cyber-attacks, and recover their data.

Called the Active Cyber Defense Certainty Act (ACDC), this bill will bring amendments to the Computer Fraud and Abuse Act (CFAA), the US law that governs cyber-related crimes.

Rep. Tom Graves of Georgia proposed a first version of the ACDC bill back in March. That version of the bill would have allowed victims of cyber-attacks to hack their attacker for the sole purpose of collecting information that could help in identifying the culprit.

ACDC 2.0 lets victims be more aggressive

After public meetings and feedback from the business community, academia, and cybersecurity policy experts, Rep. Graves has made some important modifications to the ACDC bill.

The most important of these is that the ACDC bill would allow a victim to take aggressive countermeasures against an attacker to protect its data, meaning a victim would be able to delete its own information, if it finds it on the attacker's system.

This provision was made for victims of data breaches and data theft, in order to allow them to delete stolen company data present on an attacker's web or FTP servers. This could be useful to prevent the spread of stolen data, if the breach is discovered shortly after it happened.

Victims can destroy "their" data, but not the attacker's data

Furthermore, a victim carrying out a "hack back" attack cannot destroy any data belonging to another person, including the attacker, or cause damage or impairment of the attacker's machine.

This provision is present in the ACDC bill to protect shared hosting providers or the property of users whose computers were infected with malware, and which are used without their knowledge or consent.

Furthermore, to bypass proxies and other anonymizing services, and aid in identifying an attacker's actual location, ACDC authors also amended the bill to include the usage of beaconing technology, not included in the ACDC's first version.

Victims must notify the FBI before "hack back" attacks

To curtail any abuse of "hack back" actions, legislators are also proposing that victims who want to engage in such a endeavors first report to authorities.

A victim who uses an active cyber defense measure under this section must notify the FBI National Cyber Investigative Joint Task Force prior to using the measure.

Notification must include the type of cyber breach that the person or entity was a victim of, the intended target of the active cyber defense measure, the steps taken to preserve evidence of the attacker's criminal cyber intrusion, as well as steps taken to prevent damage to intermediary computers not under the ownership of the attacker.

The ACDC 2.0 bill describes the following actions as "active cyber defense measures:"

➔ Establish attribution of criminal activity to share with law enforcement and other United States Government agencies responsible for cybersecurity;
➔ Disrupt continued unauthorized activity against the victim's own network
➔ Monitor the behavior of an attacker to assist in the developing of future intrusion prevention of cyber defense techniques.

On the other hand, the ACDC 2.0 bill specifically prohibits any action that:

➔ Destroys or renders inoperable information that does not belong to the victim that is stored on computers of another
➔ Causes physical or financial injury to another person
➔ Creates a threat to the public health or safety
➔ Exceeds the level of activity required to perform reconnaissance on an intermediary computer to allow for attribution of the origin of the persistent cyber intrusion.