As part of Cybersecurity Awareness Month, the US Congress has reportedly introduced a ‘hack back’ revenge law. As its name suggests, the new bill would allow hacking victims to seek revenge and hack the hackers who hacked them.
A press release said two members of the US House of Representatives, Republican Tom Graves from Georgia and Republican Kyrsten Sinema from Arizona, announced the formal introduction of the law on October 13, 2017.
For the first time in history, the Active Cyber Defense Certainty Act (ACDC) has amended the Computer Fraud and Abuse Act (CFAA), which was enacted in 1986, to make limited retaliatory strikes against cyber-miscreants legal.
The amended bill allows hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy stolen data, and deploy a technology to trace the physical location of the perpetrator.
Republican Tom Graves said “While it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate.”
“The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders. We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and prosecuted.”
The lengthy process began on March 3 this year when Republican Graves introduced the first ACDC discussion draft, after which it was updated on May 25. After soliciting a lot of feedback and suggestions from the business community, academia and cybersecurity policy experts, the final version of the bill was introduced on October 13, 2017.
Meanwhile, the amended bill has put Information Technology experts into a tizzy, as they are worried about the consequences of “collateral damage”.
At the same time, the sponsors of the bill have assured that additional safeguards have been built in, such as:
- the legislation only allows hacking of computers on American soil, which instantly limits its usefulness
- the legislation is time limited and will expire after two years
The IT department would have to inform the FBI’s National Cyber Investigative Joint Task Force before hacking back any attacker.
Republican Representative Kyrsten Sinema said “The Active Cyber Defense Certainty Act gives specific, useful tools to identify and stop cyberattacks that have upended the lives of hundreds of millions of Americans.”
Currently, the proposed act is on a pilot basis and has to cross various hurdles. If enacted, the US Department of Justice would have to address Congress once a year to keep them updated on cyber-sorties carried out under the law.