A topic that has been revitalized recently is a concept colloquially termed “hacking back,” that essentially means the victim of an attempted or successful hack would legally be able to use their own tools to identify the culprit, and possibly retrieve any stolen data and even disrupt the attacker’s network. The idea has been around for quite some time, but in 2017, Rep. Tom Graves (R-GA) and Rep. Krysten Sinema (D-AZ) put forward a bill that would make hacking back a possibility. Labeled the Active Cyber Defense Certainty Act (ACDC), it would fundamentally alter the Computer Fraud and Abuse Act (CFAA), which makes any sort of hacking illegal regardless of the intentions.
Proponents of the bill prefer to call hacking back “active defense,” with the idea that going after an attacker that has made the attempt will enable companies to better identify potential threats and their methods. The legality of such measures has been debated over for at least the past few years, and critics claim that the bill will encourage misguided vigilantism. Some argue that many companies do not have the capacity to successfully hack or even identify their attackers in such a manner, and that too much could go wrong from trying to do so.
The debate was brought up again this year when the new Secretary of the Department of Homeland Security, Kirstjen Nielsen, announced in January that her agency would be providing “tools and resources” to the private sector to help combat hackers. She told a Senate Judiciary Committee hearing that active defense will be an integral part of the DHS’s strategy for preventing future attacks. Nielsen had previously been involved in a think tank (the Center for Cyber & Homeland Security) based out of George Washington University that expressed support for allowing private companies to partake in active defense. However, she explicitly told the Senate panel that the situation remains “complicated” and must be discussed further before any concrete decisions are made.
Whatever you prefer to call it, this concept will likely be in a legal gray area for some time. The safest option is still to protect your own network and take the right steps to ensure everyone is educated on what to do in the event of a breach. If you would like to learn more about how to effectively defend yourself against hackers and other threats, then check out our resource library or contact us.