Congressman Introduces Bill That Would Allow People And Companies To 'Hack Back' After Attacks

from the a-limited-offensive-weapon-that-can-only-be-raised-as-a-defense dept

Probably not the best idea, but it’s something some legislators and private companies have been looking to do for years: hack back. Now there’s very, very, very nascent federal legislation in the works that would give hacking victims a chance to jab a stick in the hornet’s nest or work on their attribution theories or whatever.

A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack.

Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.

The CFAA amendment [PDF] would (sort of) authorize very limited “hack back” permissions. The powers can only be used for good, so to speak. The attacked can turn the tables slightly by invading the attacker’s domain solely for the purpose of determining the person/group behind the attack.

What it won’t allow is retribution and revenge, which may come as a disappointment to those who have been brutally breached.

(ii) does not include conduct that—

(I) destroys the information stored on a computers of another;

(II) causes physical injury to another person; or

(III) creates a threat to the public health or safety

That may temper the enthusiasm of supporters, but it’s best the victims don’t stoop to the level of their attackers, if only because the CFAA is already a hideously out-of-date mess that would be helped NOT AT ALL by endorsing the same behavior it criminalizes elsewhere.

The bill is only a “discussion draft” at this point, so by the time it reaches a vote, it may bear little to no resemblance to this embryo of an idea.

While it may be tempting to give private companies the power to hack attackers, there’s always the chance mission creep will turn these permissions into violations. A few years ago, the IP Commission suggested it might be a good idea to allow software companies to “hack” computers owned by those suspected of infringement in order to uncover their identities and the location of the purloined software. The commission suggested the deployment of malware — something more aligned with the FBI’s child porn investigation tactics (which themselves have been found to be of dubious legality) than with what’s being suggested here.

But this is only a suggestion. There’s still a lot of legislative meat to be put on these bones and it’s unlikely the same companies who thought it would be a fine idea to deploy malware against suspected pirates have changed their opinion over the last four years.

Rep. Tom Graves is the person behind the bill and had this to say about it — part of which is pretty much dead on.

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Graves. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”

“Empowering individuals” through federal law can go sideways in a flash. The second half of Graves’ statement is better. A conversation does need to take place about responses to security breaches and attacks. But that conversation shouldn’t start until those wishing to speak up start doing a much better job locking down their digital valuables. Offense is more fun to play than defense, but defense is where it all should start.

It also should be pointed out this bill is not open season on hackers. It doesn’t give companies or individuals explicit permission to hack back, but rather provides them with a defense should they happen to be sued or prosecuted for engaging in this behavior. An affirmative defense is rarely as useful as explicit permission, as anyone who’s argued fair use in court can attest. The DOJ has engaged in some very creative readings of the CFAA over the years, and an affirmative defense is only going to go so far in preventing bogus prosecutions.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Congressman Introduces Bill That Would Allow People And Companies To 'Hack Back' After Attacks”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Sounds good - until...

This sounds good, sort of like “Black ICE” in Neuromancer. However, one cannot know if the counter hack is against something that would endanger the public health or safety.

For instance, a while back a dam control system was being used as a anonymous proxy to launch penetration attacks against other systems. There was no rDNS to give a clue as to who this was, and the ARIN allocation was for a telecom with no suballocation.

Now, imagine the fun that would happen with a counter hack should they accidentally do something like, oh, command the floodgates to open past the point where the pinions could engage the rack on the mechanics of the gates, thus making it impossible to close them until all the water has been released.

This would first cause uncontrolled flooding, destroying property down stream. Next, since dams are usually there for water impoundment, no drinking or irrigation water, usually for 2 years (average impoundment reserve).

One of the things I pass time with is just passive network inspection in data centers. I don’t probe, just listen to what is present on my own network port. Some of the things you see (generally broadcasts since switches are not promiscuous – or at least, shouldn’t be) is kinda eye opening. For instance, you can tell a lot about what is around you network wise just by the ARP broadcasts and the MAC.

It sounds good to be able to “hit back”, but target selection is not guaranteed to be safe, thus making it impossible to know if you are causing more damage than the system trying to hack you.

Anonymous Coward says:

Re: Re: Sounds good - until...

The post below brought to you by Michael Masnick, Inventor of Techdirt, The Place Good Ideas Go To Get Buried, Anonymously and Shamefully

  1. I don’t write as artfully as Mr. Masnick
  2. I’m not Mr. Masnick.
  3. Mr. Masnick has no problem putting his name on his opinions that I’ve seen.
  4. If you object to anonymity, why are you posting anonymously?
  5. If you hate TechDirt so much, why are you here?
  6. Did your Seroquel prescription get cancelled due to DrumphDon’tCare? Oh, I’m sorry, obviously you don’t take Seroquel – it’s contra-indicated for elderly patients with dementia-related psychosis.

Now that we have the argumentum ad hominem out of the way, did you wish to make a point using logic, facts, and examples? Because that’s why I come here. I’m perfectly willing to listen to conservative talking points if you are prepared to defend and argue them using some semblance of common courtesy and intelligence.

That’s what grown ups do. Children just yell "neener! neener! neener!" and run away. So the question is: "Are you a adult, or a child?"

Bergman (profile) says:

Re: Re:

It could actually be worse than that.

If you are unaware your computer’s spare CPU cycles are being co-opted by a botnet, the first sign of trouble could be what looks like a hack attack on your system.

So, under the hack-back law, you take down the computers of the people hacking your computers. So they hack you back, and so on.

It could wind up like a peculiarly digital version of the Hatfields & McCoys.

The Wanderer (profile) says:

Re: Re: Re:

Theoretically, that should be prevented by the “only hacking to identify the people responsible for hacking you” clause(s), which would make any given hack-back much less likely to be noticed than an “original” (and not-permitted-by-this-law) hacking attempt would be.

There’s considerable difference between theory and practice, however.

Anonymous Coward says:

Re: Bad idea!

Exactly, It’s it’s not like it hasn’t happened before:

So here we have a DDoS protection service hijacking IP space from other providers. In the meantime, legitimate traffic is being redirected to an unknown location. Imagine this is your service provider being hijacked, so all your information to being forwarded to them to save flows and possibly data. Hell, a few high speed links and DAC cards aren’t that expensive when you are talking about commercial espionage. Once you have the data you can spend as much time on it as required, so it’s not a loss. Sadly, RPKI should help, but it’s still tied down, and hell I haven’t even implemented it.

PRoMetHEUz says:

HI america

id like to tell you that one time long ago someone attacked me

they didnt stop and your nation ( which was where i was hosting did shit)

I TOOK care not only of said problem without any need of law i took the entire offending nation off the internet….


THIS IS YOUR ONLY WARNING ON THIS SUBJECT …pass along to the people that need too.

signed ..


oh and does this mean hollywood will attack everyone downloading a music tune cause they think that copying there music is an attack?

WILL THEY DOS ME FOR SUCH and do you think this will lead anywhere healthy

Sok Puppette (profile) says:

Not ONLY for purposes of identification.

It also says “or to disrupt continued unauthorized access”.

So DoS attacks are fine as long as you don’t actually delete any files on their machine or create a threat to public safety.

The whole “hacking back” concept is idiotic, anyway. You’re giving your enemy control over your targeting. If this happens, Joe jobs will become even more popular than they are now.

Anonymous Coward says:

They will have to specify what kinds of attacks are allowed. When I was in high school, in the 80s, one kid who broke into a computer literally got some shocking results. The owners of the computer he broke into sent a high voltage current down the phone line and fried his computer, and also killed every phone in the house, and tripped a few circuit breakers in the phone company exchange

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...