Bill Would Legalize Active Defense Against Hacks

Trailrunner7 quotes a report from On the Wire: A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack. Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions. The proposed legislation includes the caveat that victims can't take any actions that destroy data on another person's computer, causes physical injury to someone, or creates a threat to public safety. The concept of active defense has been a controversial one in the security community for several years, with many experts saying the potential downside outweighs any upside. Not to mention that it's generally illegal.

What about government hacking?

[hawguy]

Do people get the right to disrupt police/FBI hacking of their devices as well? That's probably the only hackers that would actually be disrupted by this new law, since criminal hackers use someone else's computer to hack you -- if you hack back, you're only hurting some innocent third party that had *his* computer hacked.

Re:Backward

[ShanghaiBill]

I would suggest formal Licensure for Cybersecurity professionals

Licenses mean compliance with a bureaucratic checklist, which is very different from actual competence. In a fast evolving field like computer security, the checklist will lag actual best practices by about a decade. Most existing formal computer certifications are widely considered to be negatively correlated with competence, so the track record is not good.

Re:Backward

[professorguy]

So what you're saying, a well regulated militia should be the only ones able to wield these weapons?