Is proposed US ‘hacking back’ law really going to help?

Legislation is at least raising the issue of proactive security tactics

Heavy metal bands can be a great source of vengeance lyrics, so it may be no coincidence that the acronym for the proposed US law on hacking back against hackers is actually ACDC. The Active Cyber Defense Certainty Act proposes to make it legal for victims to carry out limited retaliatory strikes against the hackers that attack them. Seventies rockers AC/DC, on the other hand, wrote a song called Inject the Venom, with the lyrics, “No mercy for the bad if they need it, No mercy from me. …” and so on. Clearly whoever came up with the name for the hacking back act has a sense of humour, if not a sense of clarity.

ACDC, the bill, not the band, will amend the Computer Fraud and Abuse Act (CFAA) of 1986. Its aim is to give individuals and businesses legal authority to go beyond their own networks to disrupt cyber-attacks, retrieve and destroy stolen files, monitor the behaviour of an attacker and deploy beaconing technology to trace the hacker’s location.

US congressman Tom Graves, one of the original sponsors of the bill, recently wrote that “although ACDC allows a more active role in cyber defense, it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.”

That’s a tough one to police. David Monahan, managing research director of Security and Risk Management at Enterprise Management Associates, puts it more succinctly: “This is going to be bedlam,” he says.

So, will the legislation really help companies retrieve stolen data?

“Though some aspects of a hack are like a fingerprint, few, if any, really are,” says Monahan. “Tools, code and methods that are used to help identify who a hacker or hacking group are can be imitated by someone as equally skilled as the ‘identified’ hacker. At the top level, very little digital evidence is irrefutable. The largest issue with attack back is the difficulty in gaining that real attribution. If the hacker is skilled, he or she can jump through multiple countries and shell servers to make it look like he or she came from just about anywhere. Then there are the international politics involved with some cyber-response regardless of if the country is friendly or not. Each has its issues.”
