Hacking attacks are seriously destructive, costing companies over $400 billion worldwide each year, but companies are legally handcuffed from going after their attackers. A newly proposed bill has won bipartisan support for suggesting that hacking victims could legally go after their attackers in self-defense. But is this really a practical solution? We examine the implications of the ACDC Act.
Hacking costs businesses an estimated $400 billion every year around the world, once you consider business disruption, destruction, theft of funds, and the cost of replacing what was damaged. But although you could defend yourself against a thief who breaks into your store in the night, US law forbids companies from striking back against cyber thieves. That may be about to change.
What is the New Hacking Bill?
In February 2017, a Republican Congressman introduced a draft bill that proposed giving companies legal permission to defend themselves against hackers. If the Active Cyber Defense Certainty (ACDC) Act becomes law, it would modify section 1030 of the Computer Fraud and Abuse Act 1986, which makes it illegal to access anyone else’s computer system or to distribute code that provides access into another’s system.
Representative Tom Graves said that his proposed act would permit victims of cybercrime to enter their attackers’ computer systems without authorization in order to identify the hacker and/or to take action to stop the hacking attack. According to the draft law, victims would be able to invade someone else’s system in order to establish the source of the hacking attack, disrupt the attack, retrieve and, if relevant, destroy files that had been stolen, monitor the attacker’s behavior, and set up beaconing technology that would send the victim the details of their attacker’s IP address and other identifying details.
Why was this Law Proposed?
As things stand, there is no legal concept of cyber ‘self-defense’ in the world of phishing, hacking, and cyber theft. The ACDC law would restore the balance of power somewhat by permitting companies to ‘hit back’ at the bad guys without fearing that they themselves would then be prosecuted for hacking.
It wouldn’t give the green light to hacking victims to punish their hackers in any way, but it would allow them to get back their stolen data, act to stop the attacks, and take steps to identify the attackers. In the wake of multiple highly publicized hacking attacks like the recent Equifax data breach, companies are tired of being told to wait for the Department of Justice and FBI to find the time to respond. The ACDC law would empower companies to help themselves.
What are the Pros of Hacking Your Hackers?
Supporters of the ACDC Act, including Representative Graves, say that it would help reduce the incidence of hacking attacks simply through its deterrent value. Once hackers know that their victims can pursue them in their own systems, they won’t be so quick to attack what seem to be easy targets.
It’s often pointed out that the law enforcement authorities simply don’t have the time or resources to deal with hacking attacks within a reasonable time frame. Currently, companies that are hacked are urged to wait for the authorities to deal with it, but hackers know that the chances that they’ll be tracked down are slim. If CISOs can be quicker off the mark in tracking down and fighting back against their hackers, it might change the balance in the struggle.
What are the Disadvantages of this Law?
Opponents of the ACDC law point out that numerous hacking attacks are committed overseas or through a system that is overseas. The ACDC law would only apply to systems in the USA, so even an American-based hacker who attacks a company using a server in Mexico would be immune to pushbacks under the new law. That’s assuming you can even identify one single source of the attack.
A lot of hacking attempts are carried out using botnets, which enlist any number of internet-enabled devices from the Internet of Things. How can a company hit back at an attack operating off of 13 robot vacuum cleaners and 75 digital picture frames? The ACDC law will also be powerless against DDoS attacks, a huge and damaging source of hacking attacks.
Is Hacking Back the Way to Go?
Although it’s arguably very attractive to be able to hit back at your hackers, it might not be sensible or effective. The Law of Unintended Consequences has been invoked many times in debate around the draft bill. Once companies can retaliate against their attackers, there’s a good chance that attacks will just get more sophisticated and more damaging.
While the proposed act requires companies that retaliate to notify the FBI, it doesn’t require them to stop if the FBI forbids their response. Instead, the act would give them immunity to defend themselves against hacking as long as they don’t do any harm. Of course, there’s no guarantee that a defensive hacking response wouldn’t get out of control and end up causing damage to the other system after all.
The ACDC law could be a slippery slope to malicious action that’s carried out under the pretext of self-defense. It even opens the door to hackers creating a fake hacking attack on themselves in order to legally attack ‘back’ against their alleged ‘attackers’. Because so many hacking attacks are launched by botnets using IoT devices, there’s also a good chance that a revenge attack would end up damaging a lot of innocent bystanders without actually affecting the attackers at all.
Many large corporations already use self-defensive hacking responses as well as ‘honeypots’ – fake servers that tempt hackers into your network and then trap them with false data and systems. These deceptive defenses have been proven to work and so far seem a lot more effective than self-defense ‘revenge’ attacks.
Of course, there’s a good chance that the proposed bill will never make it into law, but even just raising the issue on the Senate floor should give rise to some interesting discussions. One certain positive side effect would be to draw attention to the huge risks of hacking and possibly remind businesses of all sizes that they need to take steps to protect themselves.