Heavy metal bands can be a great source of vengeance lyrics, so it may be no coincidence that the acronym for the proposed US law on hacking back hackers is ACDC. The Active Cyber Defense Certainty Act would make limited retaliatory action by victims against the hackers who attack them legal. Seventies rockers AC/DC, on the other hand, wrote a song called Inject the Venom, with the lyrics “No mercy for the bad if they need it, No mercy from me …” and so on. Clearly whoever came up with the name for the hacking back act has a sense of humour, if not a sense of clarity.

ACDC, the Bill not the band, would amend the Computer Fraud and Abuse Act (CFAA) of 1986. Its aim is to give individuals and businesses legal authority to go beyond their own networks to disrupt cyber-attacks, retrieve and destroy stolen files, monitor the behaviour of an attacker and deploy beaconing technology to trace the hacker’s location.

US congressman Tom Graves, one of the original sponsors of the bill, recently wrote that “although ACDC allows a more active role in cyber defense, it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.”

That’s a tough one to police. David Monahan, managing research director of Security and Risk Management at Enterprise Management Associates, puts it more succinctly: “This is going to be bedlam,” he says.

So, will the legislation really help companies retrieve stolen data?

“Though some aspects of a hack are like a fingerprint, few, if any, really are,” says Monahan. “Tools, code and methods that are used to help identify who a hacker or hacking group is can be imitated by someone as equally skilled as the ‘identified’ hacker. At the top level, very little digital evidence is irrefutable.
The largest issue with attack back is the difficulty in gaining that real attribution. If the hacker is skilled, he or she can jump through multiple countries and shell servers to make it look like he or she came from just about anywhere. Then there are the international politics involved with some cyber-response, regardless of whether the country is friendly or not. Each has its issues.”

While the bill states that anyone planning a hack back has to inform the FBI’s National Cyber Investigative Joint Task Force, presumably so businesses don’t contravene international law or tread on the toes of an ongoing investigation, it still all seems a bit of a grey area: open to interpretation, costly and potentially dangerous. In reality the bill gives US businesses a green light to investigate hacking incidents, but only within US borders, which rather defeats the purpose when, as Monahan notes, a skilled attacker routes through several countries before arriving at the target.

Not that it would stop anyone. Two years ago a poll of security experts resulted in over 80 percent advising against hacking back. What do they know? A fear of escalation and questionable efficacy were cited. Has anything changed to add clarity? A new president, perhaps?

Certainly there are concerns around the increase in breaches, with data being leaked left, right and centre and Uber the latest to reveal it was hacked. It suggests current security methodologies have their limits, and no doubt businesses are confused and frustrated.

Andrew Bushby, UK director at Fidelis Cybersecurity, agrees that many businesses are frustrated and that the proposed legislation will only add to the confusion. “It’s very difficult to legislate,” says Bushby, “especially as hacks are often done through stepping stones, bouncing around various networks.
We could end up hurting innocent networks and people.”

Interestingly, Fidelis recently carried out a survey of 500 UK businesses and found that 56.8 percent of respondents believe an offensive security policy is a good idea, while 51.6 percent claim they have already put in place an offensive policy that enables them to minimise damage after a breach or even retrieve stolen data. It suggests businesses, in the UK at least, are already taking matters into their own hands to recover stolen data or even obtain decryption keys from hackers to stop ransomware attacks.

“We’ve found that more organisations feel as though they should have the right to be more offensive against hackers,” says Bushby, “but perhaps the term ‘hack back’ is wrong and it should be ‘proactive retrieval’?”

This of course would fit with Fidelis’s deception technology push: it bought deception tech specialist TopSpin Security in October this year, offering what Bushby describes as “a managed honeypot inside the estate.” Bushby likens it to a canary in a coal mine, an early warning system that something is wrong. But it is also a decoy, sending hackers up the wrong path and following them: it can learn their methods and potentially track them too.

Monahan likes the idea. “If deployed properly, deception technology shows how both threats are behaving and can help identify activities that indicate malicious or otherwise dangerous activity. Though it may not detect a skilled administrative insider gone rogue, it will help against just about every other scenario.”

Businesses certainly need to do something more. According to the annual EY Global Information Security Survey (GISS), Cybersecurity regained: preparing to face cyber-attacks (a survey of nearly 1,200 C-level leaders across the globe), only 12 percent say they are likely to detect a sophisticated cyber-attack.
While 56 percent are making or planning to make changes to their strategies and plans due to the increased impact of cyber threats, risks and vulnerabilities, 87 percent say they require up to 50 percent more funding to address increased cyber threats.

Bushby adds that sometimes this is where new legislation can help, whether you like it or not. He says that ACDC could actually trigger increased funding in security tools and technology as businesses are made more aware of the potential of proactive security tactics and software.

The Bill has now been referred to the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations of the House Judiciary Committee. This one is not going to go quietly.
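The deception approach Bushby and Monahan describe above, the “canary in a coal mine” decoy that no legitimate user or process ever touches, is worth seeing in code, because it is the one detection whose false-positive rate is by construction close to zero. What follows is an added example, not code from the article, from Fidelis or from TopSpin. It plants decoy identities (a service account and an API key ID), scans an authentication log for any use of them, and groups the hits by source address so an intruder’s path through the estate can be followed. The `Honeytoken` class, the log line format, the planted locations and the sample log lines are all constructed for this example and are assumptions, not anything described on the page.

```python
"""Honeytoken canaries: plant decoy identities and alert the moment one is used.

Added example, not code from the article or from Fidelis/TopSpin. The log
format, the registry of planted decoys and the sample log are all constructed.
"""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    identifier: str   # what actually appears in logs: a decoy account name or API key ID
    kind: str         # "account" or "api_key"
    planted_at: str   # where the decoy was left, so an alert also says what was read


def make_honeytoken(kind: str, planted_at: str) -> Honeytoken:
    """Mint a decoy with a random tail so it is unique and cannot be guessed."""
    tail = secrets.token_hex(4)  # 8 hex characters
    identifier = f"svc-{tail}" if kind == "account" else f"AKIADECOY{tail.upper()}"
    return Honeytoken(identifier, kind, planted_at)


# Constructed registry. In a real deployment this is whatever you use to track
# what was planted where; the only invariant is that nothing legitimate ever
# authenticates with these identities.
PLANTED = (
    Honeytoken("svc-backup-ro", "account", r"\\fileserver\finance\passwords.txt"),
    Honeytoken("AKIADECOY7B2E4D1F", "api_key", "git: app-config/.env"),
)

# Constructed auth-log format: "<ts> <service> <event> principal=<id> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<event>\S+) "
    r"principal=(?P<principal>\S+) src=(?P<src>\S+)$"
)


def detect(lines, planted=PLANTED):
    """Return one alert per log line that authenticates as a planted identity.

    Ordinary accounts generate noise; a honeytoken cannot, because nobody is
    supposed to use it, so every hit is worth a human's attention.
    """
    by_id = {t.identifier: t for t in planted}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line this parser understands: skip it, don't crash
        token = by_id.get(m["principal"])
        if token is None:
            continue  # ordinary traffic
        alerts.append({
            "ts": m["ts"], "src": m["src"], "service": m["service"],
            "event": m["event"], "token": token.identifier,
            "kind": token.kind, "planted_at": token.planted_at,
        })
    return alerts


def trail(alerts):
    """Group alerts by source address, in log order, to follow where the intruder went."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append((a["ts"], a["service"], a["event"], a["token"]))
    return dict(by_src)


# Constructed sample: two legitimate logins, then one source using both decoys,
# plus a malformed line the parser must ignore.
SAMPLE_LOG = [
    "2017-11-28T09:12:01Z sshd login principal=alice src=10.0.4.17",
    "2017-11-28T09:13:44Z vpn login principal=bob src=198.51.100.5",
    "2017-11-28T09:15:02Z sshd login principal=svc-backup-ro src=203.0.113.9",
    "2017-11-28T09:16:30Z cloudapi ListBuckets principal=AKIADECOY7B2E4D1F src=203.0.113.9",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for a in hits:
        print(f"ALERT {a['ts']} {a['src']} used {a['kind']} {a['token']} "
              f"(planted at {a['planted_at']}) via {a['service']}/{a['event']}")
    print(trail(hits))
```

Two design points carry over to any deception deployment. First, the decoy must be something the attacker has to present to a system you log (an account name, a key ID), not a secret you would never see again; that is what makes the canary observable. Second, the alert should name where the decoy was planted, because that tells the responder which share or repository the intruder has already read, which is the “following them” part of Bushby’s description.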