There’s an expression that “two wrongs don’t make a right.” However, U.S. lawmakers may not be following that old saying when it comes to “revenge hacking.”
Congressman Tom Graves (R-GA) and Congresswoman Kyrsten Sinema (D-AZ) have co-sponsored the Active Cyber Defense Security Act (ACDC), which would essentially allow people or companies whose systems have been hacked for data to “hack back” against the hacker.
What Are “Hack Back Laws”?
This proposed law would allow companies or individuals who have been subject to a data breach (“hack”) to launch a counterattack against the hacker without fear of criminal or civil punishment.
The law would legalize “active cyber defense measures,” which include venturing outside your network to identify the hackers, destroying the data hackers have stolen, and deploying technology that could pinpoint the physical location of the hacker.
The proposed law is similar to federal and state laws that allow you to use a limited amount of force to defend your property from theft or invasion. Like those laws, showing that your act of hacking was a response to an attack on your own computer systems would be an affirmative legal defense to hacking charges. The same defense would also apply in a civil lawsuit. However, the burden will be on your defense lawyer to show that your hacking was in response to a “persistent unauthorized intrusion” into your computer systems.
Under the proposed hack back laws, you will be able to ask the FBI for approval before launching a counterattack. This step is voluntary, but you must at least notify the FBI of your planned cyber attack in order to be protected under the proposed law.
Do Hack Back Laws Authorize Collateral Damage?
In many cybersecurity breaches, an uninvolved person’s computer is used as a node in a network to disguise the origin of the hacking. This is one of the reasons that cybersecurity is difficult: identifying those truly responsible for a sophisticated cyberattack can be extremely hard. Critics of the ACDC point out that there is significant potential for innocent people, whose computers were unknowingly used as a conduit for a cyberattack, to become swept up in a hacking war.
Additionally, the ACDC could lead to foreign policy problems for the U.S. The FBI’s participation in the review process could be seen as an implied approval for private citizens to attack systems that could be located in foreign nations. To the governments of those nations, the U.S. might then be viewed as an accomplice in those attacks. This could lead to an escalation in counterattacks against other targets in the U.S. by persons (or governments) in other nations.
Should the U.S. Create Hack Back Laws?
At Wallin & Klarich, we value your opinion and we would like to hear what you think about laws like the ACDC Act.
Do you agree that the U.S. should allow persons and businesses to counterattack against cyber intruders? Do you think that there is too much potential for abuse if the federal and state governments allow private individuals to take the law into their own hands and seek revenge?