New bill would allow hacking victims to 'hack back'


Reps. Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) introduced a bill Friday that would allow hacking victims to "hack back" when attacked.

The Active Cyber Defense Certainty Act allows individuals and companies to hack hackers if the goal is to disrupt, monitor or attribute the attack, or destroy stolen files. 

“While it doesn’t solve every problem, [the legislation] brings some light into the dark places where cybercriminals operate,” Graves said in a statement. 

“The certainty the bill provides will empower individuals and companies [to] use new defenses against cybercriminals,” he said. "I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders."

The bill does not allow counterattackers to destroy anything other than their own stolen files and requires that someone "hacking back" under the bill's provisions notify the FBI National Cyber Investigative Joint Task Force. 

Traditionally, the phrase "active defense" is used to describe measures that slow hackers through deception or movement of files — not hacking an attacker.  

Many people working in the cybersecurity field worry that hacking back will create more problems.

"There's a very pragmatic question — can you reasonably expect someone to go guns blazing and not harm the wrong computers?" said Jen Ellis, vice president of community and public affairs at the security firm Rapid7. "It is easy to inadvertently damage systems, lots of attacks leverage third-party assets that were also hacked, and the vast majority of us don't have the resources to properly attribute a hacker and go after the correct system."  

Graves said he appreciated both sides being involved in the debate, but the bill was necessary to level the playing field in cyberattacks. 

"We must continue working toward the day when it’s the norm — not the exception — for criminal hackers to be identified and prosecuted," he said.