A Georgia congressman has made a second attempt to craft legislation that carves out legal exemptions for companies that ‘hack back’ at attackers, posting a revised draft on May 25 that allows for beaconing technology, creates a mandatory reporting requirement and additional attempts to limit collateral damage.
The draft of the legislation, known as the Active Cyber Defense Certainty (ACDC) Act, aims to allow companies to identify and take steps against online attackers. A variety of online actors—from cyber-criminals to nation-state agents—usually launch attacks through compromised private servers to shield their identity and activity, preventing prosecutors from pursuing charges and companies from filing lawsuits.
The legislation, which has not yet been formally introduced in the U.S. House of Representatives, would allow organizations to create software that would ‘beacon out’ and identify the IP address of the potential location of the attacker and would allow the destruction of stolen data on a compromised system not actually owned by its operator.
The draft legislation “allow(s) the use of limited defensive measures that exceed the boundaries of one’s network in an attempt to identify and stop attackers,” according to a statement released by the office of Rep. Tom Graves, R-GA, who is working on the bill.
“These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,” Rep. Tom Graves, (R-GA), said in a statement referring to version 2 of the legislative draft. “I look forward to continuing the conversation and formally introducing ACDC in the next few weeks.”
Hacking back, however, has always sounded a note of caution for security professionals, who worry that companies will not be able to limit the impact of software running on a server that has been compromised by cyber-attackers.
“How do you realistically apply oversight to whether a company is sophisticated enough to take action on another’s system,” said Jen Ellis, vice president of community and public affairs for Rapid7. “None of these questions have been answered in any meaningful or realistic way.”
In addition, only certain companies—those with a high degree of technical knowledge—will be able to take advantage of more active defenses. Some may be able to hire a private firm to pursue attackers on their behalf, but the creation of technical haves and have-nots will likely mean that attackers will focus more efforts on the less tech-savvy companies, she said.
“Over time, the profit model will evolve, and the attackers will go for the targets with less defenses, so you are increasing the vulnerability of the most vulnerable organizations and you are widening the security-poverty gap,” Ellis said.
Yet, the legislation taps into the frustration felt by many in business, that attackers are getting away with disrupting systems and causing damage without fear of punishment.
“I think the general goal is very worthy,” Robert Chesney, professor of law and associate dean for academic affairs at the University of Texas School of Law, wrote of the original March draft of the legislation. “Yet the draft illustrates that it is really hard to frame the precise language needed to obtain greater legal space for active defense while still preserving reasonable — and reasonably clear — boundaries.”