Is proposed US 'hacking back' law really going to help?

Legislation is at least raising the issue of proactive security tactics

Heavy metal bands can be a great source of vengeance lyrics, so it may be no coincidence that the acronym for the proposed US law on hacking back is actually ACDC. The Active Cyber Defense Certainty Act proposes to make limited retaliatory strikes against hackers legal for those they attack. Seventies rockers AC/DC, on the other hand, wrote a song called Inject the Venom, with the lyrics, “No mercy for the bad if they need it, No mercy from me…” and so on. Clearly whoever came up with the name for the hacking back act has a sense of humour, if not a sense of clarity.

ACDC, the Bill not the band, will amend the Computer Fraud and Abuse Act (CFAA) of 1986. Its aim is to give individuals and businesses legal authority to go beyond their own networks to disrupt cyber-attacks, retrieve and destroy stolen files, monitor the behaviour of an attacker and deploy beaconing technology to trace the hacker’s location.

US congressman Tom Graves, one of the original sponsors of the Bill, recently wrote that “although ACDC allows a more active role in cyber defense, it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.”

That’s a tough one to police. David Monahan, managing research director of Security and Risk Management at Enterprise Management Associates, Inc, puts it more succinctly.

“This is going to be bedlam,” he says.

So, will the legislation really help companies retrieve stolen data?
