Security Researchers Say Revised 'Defensive Hacking' Bill Still Flawed | eWeek

Proposed ‘Hack Back’ Bill Still in the Works, but Remains Contentious

Hack Back Bill
Written By
Robert Lemos
Robert Lemos
May 31, 2017
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A Georgia congressman has made a second attempt to craft legislation that carves out legal exemptions for companies that ‘hack back’ at attackers, posting a revised draft on May 25 that allows for beaconing technology, creates a mandatory reporting requirement and additional attempts to limit collateral damage.

The draft of the legislation, known as the Active Cyber Defense Certainty (ACDC) Act, aims to allow companies to identify and take steps against online attackers. A variety of online actors—from cyber-criminals to nation-state agents—usually launch attacks through compromised private servers to shield their identity and activity, preventing prosecutors from pursuing charges and companies from filing lawsuits.

The legislation, which has not yet been formally introduced in the U.S. House of Representatives, would allow organizations to create software that would ‘beacon out’ and identify the IP address of the potential location of the attacker and would allow the destruction of stolen data on a compromised system not actually owned by its operator.

The draft legislation “allow(s) the use of limited defensive measures that exceed the boundaries of one’s network in an attempt to identify and stop attackers,” according to a statement released by the office of Rep. Tom Graves, R-GA, who is working on the bill.

“These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,” Rep. Tom Graves, (R-GA), said in a statement referring to version 2 of the legislative draft. “I look forward to continuing the conversation and formally introducing ACDC in the next few weeks.”

Hacking back, however, has always sounded a note of caution for security professionals, who worry that companies will not be able to limit the impact of software running on a server that has been compromised by cyber-attackers.

“How do you realistically apply oversight to whether a company is sophisticated enough to take action on another’s system,” said Jen Ellis, vice president of community and public affairs for Rapid7. “None of these questions have been answered in any meaningful or realistic way.”

In addition, only certain companies—those with a high degree of technical knowledge—will be able to take advantage of more active defenses. Some may be able to hire a private firm to pursue attackers on their behalf, but the creation of technical haves and have-nots will likely mean that attackers will focus more efforts on the less tech-savvy companies, she said.

“Over time, the profit model will evolve, and the attackers will go for the targets with less defenses, so you are increasing the vulnerability of the most vulnerable organizations and you are widening the security-poverty gap,” Ellis said.

Yet, the legislation taps into the frustration felt by many in business, that attackers are getting away with disrupting systems and causing damage without fear of punishment.

“I think the general goal is very worthy,” Robert Chesney, professor of law and associate dean for academic affairs at the University of Texas School of Law, wrote of the original March draft of the legislation. “Yet the draft illustrates that it is really hard to frame the precise language needed to obtain greater legal space for active defense while still preserving reasonable — and reasonably clear — boundaries.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.