Congressman Introduces Bill That Would Allow People And Companies To 'Hack Back' After Attacks

from the a-limited-offensive-weapon-that-can-only-be-raised-as-a-defense dept

Probably not the best idea, but it's something some legislators and private companies have been looking to do for years: hack back. Now there's very, very, very nascent federal legislation in the works that would give hacking victims a chance to jab a stick in the hornet's nest or work on their attribution theories or whatever.

A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack.

Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.

The CFAA amendment [PDF] would (sort of) authorize very limited "hack back" permissions. The powers can only be used for good, so to speak. The attacked can turn the tables slightly by invading the attacker's domain solely for the purpose of determining the person/group behind the attack.

What it won't allow is retribution and revenge, which may come as a disappointment to those who have been brutally breached.

(ii) does not include conduct that—

(I) destroys the information stored on a computers of another;

(II) causes physical injury to another person; or

(III) creates a threat to the public health or safety

That may temper the enthusiasm of supporters, but it's best the victims don't stoop to the level of their attackers, if only because the CFAA is already a hideously out-of-date mess that would be helped NOT AT ALL by endorsing the same behavior it criminalizes elsewhere.

The bill is only a "discussion draft" at this point, so by the time it reaches a vote, it may bear little to no resemblance to this embryo of an idea.

While it may be tempting to give private companies the power to hack attackers, there's always the chance mission creep will turn these permissions into violations. A few years ago, the IP Commission suggested it might be a good idea to allow software companies to "hack" computers owned by those suspected of infringement in order to uncover their identities and the location of the purloined software. The commission suggested the deployment of malware -- something more aligned with the FBI's child porn investigation tactics (which themselves have been found to be of dubious legality) than with what's being suggested here.

But this is only a suggestion. There's still a lot of legislative meat to be put on these bones and it's unlikely the same companies who thought it would be a fine idea to deploy malware against suspected pirates have changed their opinion over the last four years.

Rep. Tom Graves is the person behind the bill and had this to say about it -- part of which is pretty much dead on.

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Graves. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”

"Empowering individuals" through federal law can go sideways in a flash. The second half of Graves' statement is better. A conversation does need to take place about responses to security breaches and attacks. But that conversation shouldn't start until those wishing to speak up start doing a much better job locking down their digital valuables. Offense is more fun to play than defense, but defense is where it all should start.

It also should be pointed out this bill is not open season on hackers. It doesn't give companies or individuals explicit permission to hack back, but rather provides them with a defense should they happen to be sued or prosecuted for engaging in this behavior. An affirmative defense is rarely as useful as explicit permission, as anyone who's argued fair use in court can attest. The DOJ has engaged in some very creative readings of the CFAA over the years, and an affirmative defense is only going to go so far in preventing bogus prosecutions.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: attribution, cfaa, congress, hack back, hacking, tom graves


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 9 Mar 2017 @ 4:36pm

    Sounds good - until...

    This sounds good, sort of like "Black ICE" in Neuromancer. However, one cannot know if the counter hack is against something that would endanger the public health or safety.

    For instance, a while back a dam control system was being used as a anonymous proxy to launch penetration attacks against other systems. There was no rDNS to give a clue as to who this was, and the ARIN allocation was for a telecom with no suballocation.

    Now, imagine the fun that would happen with a counter hack should they accidentally do something like, oh, command the floodgates to open past the point where the pinions could engage the rack on the mechanics of the gates, thus making it impossible to close them until all the water has been released.

    This would first cause uncontrolled flooding, destroying property down stream. Next, since dams are usually there for water impoundment, no drinking or irrigation water, usually for 2 years (average impoundment reserve).

    One of the things I pass time with is just passive network inspection in data centers. I don't probe, just listen to what is present on my own network port. Some of the things you see (generally broadcasts since switches are not promiscuous - or at least, shouldn't be) is kinda eye opening. For instance, you can tell a lot about what is around you network wise just by the ARP broadcasts and the MAC.

    It sounds good to be able to "hit back", but target selection is not guaranteed to be safe, thus making it impossible to know if you are causing more damage than the system trying to hack you.

    link to this | view in thread ]

  2. identicon
    Châu, 9 Mar 2017 @ 4:50pm

    Hack CIA and NSA

    Cool can hack back CIA and NSA, FSA, and Mi5, etc, really cool idea.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 9 Mar 2017 @ 5:17pm

    Apparently doxing, leaking trade secrets, destroying an entity financially and physically damaging hardware that doesn't store information is fine. This has so many holes that I am wondering if the proposed 'law' is a joke.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 9 Mar 2017 @ 5:18pm

    This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault"

    Given that these botnets are composed of innocent computers it's more like defending yourself against Brian Douglas Wells.

    link to this | view in thread ]

  5. icon
    NeghVar (profile), 9 Mar 2017 @ 7:05pm

    Bad idea!

    If the attack is a DDoS, then the counter-attack will likely be targeting a compromised zombie system and not the ones responsible for orchestrating the attack. Thus your counter-attack could be against a legitimate business and now they have you logged as attempting a cyber-attack on them.

    link to this | view in thread ]

  6. icon
    Norahc (profile), 9 Mar 2017 @ 7:10pm

    Sounds like this will lay the framework for the next generation of porno or copyright trolls...

    They could claim they were hacked, and "hack back" to install ransomware on the the target computers. Eliminates the need for those pesky collection/settlement calls and letters.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 9 Mar 2017 @ 7:41pm

    Re: Bad idea!

    Exactly, It's it's not like it hasn't happened before:
    http://dyn.com/blog/backconnects-suspicious-bgp-hijacks/

    So here we have a DDoS protection service hijacking IP space from other providers. In the meantime, legitimate traffic is being redirected to an unknown location. Imagine this is your service provider being hijacked, so all your information to being forwarded to them to save flows and possibly data. Hell, a few high speed links and DAC cards aren't that expensive when you are talking about commercial espionage. Once you have the data you can spend as much time on it as required, so it's not a loss. Sadly, RPKI should help, but it's still tied down, and hell I haven't even implemented it.

    link to this | view in thread ]

  8. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 9 Mar 2017 @ 9:39pm

    Re: Sounds good - until...

    The post below brought to you by Michael Masnick, Inventor of Techdirt, The Place Good Ideas Go To Get Buried, Anonymously and Shamefully

    link to this | view in thread ]

  9. identicon
    PRoMetHEUz, 9 Mar 2017 @ 9:57pm

    HI america

    id like to tell you that one time long ago someone attacked me

    they didnt stop and your nation ( which was where i was hosting did shit)

    I TOOK care not only of said problem without any need of law i took the entire offending nation off the internet....

    FOR A WEEK.
    Signed DONT FUCK AROUND THIS KINDA SHIT WILL LEAD TO MORE JERKS ATTACKING PEOPLE AND THEN CLAIMING THEY WERE ATTACKED FIRST.....

    THIS IS YOUR ONLY WARNING ON THIS SUBJECT ...pass along to the people that need too.

    signed ..

    THE WORLD

    oh and does this mean hollywood will attack everyone downloading a music tune cause they think that copying there music is an attack?

    WILL THEY DOS ME FOR SUCH and do you think this will lead anywhere healthy

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 9 Mar 2017 @ 11:48pm

    Re: Re: Sounds good - until...

    The post below brought to you by Michael Masnick, Inventor of Techdirt, The Place Good Ideas Go To Get Buried, Anonymously and Shamefully

    1. I don't write as artfully as Mr. Masnick
    2. I'm not Mr. Masnick.
    3. Mr. Masnick has no problem putting his name on his opinions that I've seen.
    4. If you object to anonymity, why are you posting anonymously?
    5. If you hate TechDirt so much, why are you here?
    6. Did your Seroquel prescription get cancelled due to DrumphDon'tCare? Oh, I'm sorry, obviously you don't take Seroquel - it's contra-indicated for elderly patients with dementia-related psychosis.

    Now that we have the argumentum ad hominem out of the way, did you wish to make a point using logic, facts, and examples? Because that's why I come here. I'm perfectly willing to listen to conservative talking points if you are prepared to defend and argue them using some semblance of common courtesy and intelligence.

    That's what grown ups do. Children just yell "neener! neener! neener!" and run away. So the question is: "Are you a adult, or a child?"

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 10 Mar 2017 @ 6:21am

    I can't wait to sit and watch the shit storm that some hacker would create with this law.

    Step 1: Break into Apple's silly UFO
    Step 2: Do nice sloppy hack of Microsoft making sure to leave a good trail that is easy to find, but not too obvious.
    Step 3: Sit back and watch as two giants start trading blows.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 10 Mar 2017 @ 6:32am

    And if an individual is hacked by a government agent?

    I wonder how he'd feel about an individual defending him/her self then...

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 10 Mar 2017 @ 6:42am

    Re:

    You say that like there's any doubt most of us haven't already been snooped by the government.

    Yeah, Graves might want to watch his words. I suspect he doesn't actually want citizens to be allowed to hack the government in retaliation.

    link to this | view in thread ]

  14. icon
    D.C. Pathogen (profile), 10 Mar 2017 @ 6:55am

    Pinkerton Network Security

    ******** -- Now Available -- ********
    Pinkerton Network Security Solutions
    Just tell us your objectives, we will take care of the rest!
    Plus, Join now and get 1/2 out intrusion detection software.
    Discretion is for the Week! Call Us Now!!!

    link to this | view in thread ]

  15. icon
    Ninja (profile), 10 Mar 2017 @ 7:18am

    Re: Re: Re: Sounds good - until...

    Don't insult the children. Or the adults. Suggestion for future reference:

    - Are you an amoeba or a fungus?

    link to this | view in thread ]

  16. icon
    dfed (profile), 10 Mar 2017 @ 7:23am

    Re: Re: Re: Re: Sounds good - until...

    I am a meat popsicle.

    link to this | view in thread ]

  17. icon
    Sok Puppette (profile), 10 Mar 2017 @ 9:13am

    Not ONLY for purposes of identification.

    It also says "or to disrupt continued unauthorized access".

    So DoS attacks are fine as long as you don't actually delete any files on their machine or create a threat to public safety.

    The whole "hacking back" concept is idiotic, anyway. You're giving your enemy control over your targeting. If this happens, Joe jobs will become even more popular than they are now.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 10 Mar 2017 @ 10:21am

    "What it won't allow is retribution and revenge..."

    So, no hurling nukes in the direction of the bad actors?

    Where's the fun in that?

    link to this | view in thread ]

  19. icon
    Wyrm (profile), 10 Mar 2017 @ 11:13am

    So, spend years learning that vigilantism and personal revenge is bad. Trust the justice system.
    Then, learn that all the moral lessons you've learned about real life don't apply on the Internet, because... reasons?

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 10 Mar 2017 @ 3:07pm

    They will have to specify what kinds of attacks are allowed. When I was in high school, in the 80s, one kid who broke into a computer literally got some shocking results. The owners of the computer he broke into sent a high voltage current down the phone line and fried his computer, and also killed every phone in the house, and tripped a few circuit breakers in the phone company exchange

    link to this | view in thread ]

  21. icon
    Bergman (profile), 10 Mar 2017 @ 4:48pm

    Re:

    It could actually be worse than that.

    If you are unaware your computer's spare CPU cycles are being co-opted by a botnet, the first sign of trouble could be what looks like a hack attack on your system.

    So, under the hack-back law, you take down the computers of the people hacking your computers. So they hack you back, and so on.

    It could wind up like a peculiarly digital version of the Hatfields & McCoys.

    link to this | view in thread ]

  22. icon
    Bergman (profile), 10 Mar 2017 @ 4:51pm

    Re:

    Self defense is not vigilantism or personal revenge, any more than taking an aspirin for a headache is practicing medicine without a license.

    link to this | view in thread ]

  23. icon
    The Wanderer (profile), 12 Mar 2017 @ 5:28am

    Re: Re:

    Theoretically, that should be prevented by the "only hacking to identify the people responsible for hacking you" clause(s), which would make any given hack-back much less likely to be noticed than an "original" (and not-permitted-by-this-law) hacking attempt would be.

    There's considerable difference between theory and practice, however.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.