New bill would allow hacking victims to 'hack back'

New bill would allow hacking victims to 'hack back'
© Greg Nash

Reps. Tom GravesJohn (Tom) Thomas GravesChances for government shutdown rising Controversial ‘hack back’ bill gains supporters despite critics Overnight Cybersecurity: Manafort, Gates to remain under house arrest | Mueller said to be closing in on Flynn | 'Hack back' bill gains steam | Election security gets attention from DHS MORE (R-Ga.) and Kyrsten Sinema (D-Ariz.) introduced a bill Friday that would allow hacking victims to "hack back" when attacked. 

The Active Cyber Defense Certainty Act allows individuals and companies to hack hackers if the goal is to disrupt, monitor or attribute the attack, or destroy stolen files. 

“While it doesn’t solve every problem, [the legislation] brings some light into the dark places where cybercriminals operate,” Graves said in a statement. 

“The certainty the bill provides will empower individuals and companies [to] use new defenses against cybercriminals," he said. "I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders."

The bill does not allow counterattackers to destroy anything other than their own stolen files and requires that someone "hacking back" under the bill's provisions notify the FBI National Cyber Investigative Joint Task Force. 

Traditionally, the phrase "active defense" is used to describe measures that slow hackers through deception or movement of files — not hacking an attacker.  

Many people working in the cybersecurity field worry that hacking back will create more problems.

ADVERTISEMENT
"There's a very pragmatic question — can you reasonably expect someone to go guns blazing and not harm the wrong computers?" said Jen Ellis, vice president of community and public affairs at the security firm Rapid7. "It is easy to inadvertently damage systems, lots of attacks leverage third-party assets that were also hacked, and the vast majority of us don't have the resources to properly attribute a hacker and go after the correct system."  

Graves said he appreciated both sides being involved in the debate, but the bill was necessary to level the playing field in cyberattacks. 

"We must continue working toward the day when it’s the norm — not the exception — for criminal hackers to be identified and prosecuted," he said.