Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Az., today introduced the Active Cyber Defense Bill which if passed would give individuals and companies hit with a cyberattack the legal authority to hack back against their assailant.
The bill alters the Computer Fraud and Abuse Act (CFAA) of 1986 and would allow those victimized by a cyberattack to take certain counter measures. This includes leaving their network to establish who attacked, disrupt cyberattacks without damaging others' computers, retrieve and destroy stolen files, monitor the behavior of an attacker and utilize utilize beaconing technology, the bill reads.
“While it doesn't solve every problem, ACDC brings some light into the dark places where cybercriminals operate,” said Rep. Tom Graves. “The certainty the bill provides will empower individuals and companies use new defenses against cybercriminals,” Graves said.
However, not everyone believes it is in the best interest of a company to counterattack.
In November 2016 the United Kingdom announced it would hack back against nation-state attackers, said Israel Barak, CISO at Cybereason, adding that such a maneuver might not be in the victim's best interest. In particular he noted any retaliatory moves could incur collateral damage and the line between legal and illegal activities could be crossed.
“Legal and moral issues aside, when it comes to hacking back, what security professionals should be asking themselves is at the end of the day, will it serve their organization enough to justify the effort and risk,” he said.