The Active Cyber Defense Certainty Act (ACDC), also known as the “Hack Back” bill was first introduced in the U.S. House of Representatives in 2017. The bill has been worked on since, and if passed, would amend the Computer Fraud and Abuse Act. The proposed bill would provide protection for companies that are victims of fraud if they execute more aggressive response activities in an incident when compared to the traditional “detect and report” strategy largely used today.
What types of hacking back are being debated in this Bill?
There are three activities described in this bill defining what a company can and should do when it is being attacked. Those are specifically,
- To establish attribution of criminal activity, which then would be shared with law enforcement and other relevant government agencies;
- To disrupt continued unauthorized activity against the defender’s network; and
- To monitor the behavior of an attacker to assist in development future intrusion prevention or cyber defense techniques.
What actions are Forbidden in the ACDC Bill proposed?
There are many forbidden actions outlined in ACDC including :
- destroying someone else’s data;
- causing physical or financial losses;
- creating threats to public health; and
- conducting unnecessary reconnaissance on the hacking system as it might not belong to the hacker but be an intermediary, and more.
Challenges with any Legislation on Hacking Back
The largest problem with this bill from CyberHoot’s perspective is the difficulty in attributing an attack to a single entity, hacking group, or nation state. False Flags abound in the hacking world leading to attribution errors. The potential for harmful escalation in cyberattacks exists through imperfect attributions is even larger online than in the physical world. This legislation is bound to be debated far into the future without clear resolution.
What does this mean for businesses?
Companies should simply be aware of this bill and what implications the could be. It is unlikely to pass, so there isn’t much preparation you can take for it. The best advice a business can take is to have proper policies, programs, training and tools in place to secure and protect your data. There is significant potential from ambiguous language in the ACDC act, for businesses to “shoot themselves in the foot” by accidentally overstepping their legal bounds when hacking back. Overstepping your legal rights in this case could result in the potential for accusations of fraud, lawsuits, and costly court proceedings.
CyberHoot’s take on this legislation:
Given this legislation has been debated for many years now, and the arguments for and against it are numerous and compelling, it’s unlikely to pass into law anytime soon.