The Active Cyber Defense Certainty Act (ACDC), also known as the “Hack Back” bill, was first introduced in the U.S. House of Representatives in 2017. The bill has been worked on since and, if passed, would amend the Computer Fraud and Abuse Act. The proposed bill would provide protection for companies that are victims of fraud if they execute more aggressive response activities in an incident than the traditional “detect and report” strategy largely used today.
There are three activities described in this bill defining what a company can and should do when it is being attacked. Those are specifically,
There are many forbidden actions outlined in ACDC including:
The largest problem with this bill from CyberHoot’s perspective is the difficulty in attributing an attack to a single entity, hacking group, or nation state. False flags abound in the hacking world, leading to attribution errors. The potential for harmful escalation in cyberattacks through imperfect attribution is even larger online than in the physical world. This legislation is bound to be debated far into the future without clear resolution.
Companies should simply be aware of this bill and what its implications could be. It is unlikely to pass, so there isn’t much preparation you can take for it. The best advice a business can take is to have proper policies, programs, training and tools in place to secure and protect your data. Because of ambiguous language in the ACDC act, there is significant potential for businesses to “shoot themselves in the foot” by accidentally overstepping their legal bounds when hacking back. Overstepping your legal rights in this case could result in accusations of fraud, lawsuits, and costly court proceedings.
Given this legislation has been debated for many years now, and the arguments for and against it are numerous and compelling, it’s unlikely to pass into law anytime soon.