Slashdot Mirror


Congressman Proposes Organizations Should Be Allowed To 'Hack Back' (engadget.com)

Engadget reports: Representative Tom Graves, R-Ga., thinks that when anyone gets hacked -- individuals or companies -- they should be able to "fight back" and go "hunt for hackers outside of their own networks." The Active Cyber Defense Certainty ("ACDC") Act is getting closer to being put before lawmakers, and the congressman trying to make "hacking back" easy-breezy-legal believes it would've stopped the WannaCry ransomware. Despite its endlessly lulzy acronym, Graves says he "looks forward to formally introducing ACDC" to the House of Representatives in the next few weeks... The bipartisan ACDC bill would let companies who believe they are under ongoing attack break into the computer of whoever they think is attacking them, for the purposes of stopping the attack or gathering info for law enforcement.
Friday The Hill published a list of objections to the proposed law from the CEO of cybersecurity company Vectra Networks. "To start with, when shooting back, there's the fundamental question of who to shoot... We might be able to retaliate, weeks or months after being attacked, but we certainly could not shoot back in time to stop an attack in progress." And if new retaliatory tools are developed, "How can we be sure that these new weapons won't be stolen and misused? Who can guarantee that they won't be turned against us by our corporate competitors? Would we become victims of our own cyber-arms race?"

Slashdot reader hattable writes, "I would think a proposal like this would land dead in the water, but given some recent, and 'interesting' decisions coming from Congress and White House officials, I am not sure many can predict the momentum."

8 of 189 comments

  1. Alice Bob etc. by bugs2squash · · Score: 5, Insightful

    So if Mallory hacks Bob, who turns around and mistakenly hacks Alice, who then fights back until Bob and Carol are destroyed. Whom does Carol Sue?

    --
    Nullius in verba
  2. let's just not stop there... by starblazer · · Score: 5, Insightful

    let's extend the law so that if someone is breaking into their house, we can break into theirs! gather our own evidence! EYE FOR AN EYE!

  3. *facepalms* by DivineKnight · · Score: 5, Insightful

    The monumental amount of stupi-....one of the first things a 'hacker' does when launching an attack is obscure their origins. They use someone else's machine, like a University's, or a Hospital's, or even one owned by the Department of Defense. And you want to hand people a license to f*ck up what they 'think' (and I use that word broadly here) might be attacking them? How is the DoD going to react to Pfizer launching an all out assault on them because they 'think' an attack is coming from some DoD machines?

    It takes weeks, months, possibly more to track down the owners of Botnets, from which Distributed Denial of Service attacks may be launched from zombified machines. That requires investigation, international at times.

    And we don't need any laws for what is already an illegal practice.

  4. Government exception? by Anonymous Coward · · Score: 2, Insightful

    If not, does that mean when being hacked/spied/wiretapped by a government agency, we can fight back?

    When the RNC spams, links to some partisan fake news, and their linked page hosts a malicious ad or simply bad code that resource hogs, we can DoS their ass, since that would impede spread of said malicious code?

    Can we go after robocallers too, since they largely use IP networks anyways? Is the FCC fair game if they allow no ring voicemail spamming?

    And instead of blocking and rate limiting DoS attacks from bot networks, we can flood everyone's freaking lines in response. And then those networks in turn can respond back. The cascade, the snowball effect would result in one hell of an avalanche.

    This is freaking brilliant, and by that, an utterly brain-dead stupid idea.

  5. Re:It's not just or 'for the little guy' by Anonymous Coward · · Score: 3, Insightful

    No one. She's not an organization, she's a peasant.

    Viacom could hack you under these rules for "believing in good faith" that you may be suspected of possibly being related to an attack on them, and do whatever they want.

    You want to defend yourself from this sudden intrusion and figure out who that was, maybe drag them to court over this illegal hacking?
    Yeah no. You're a criminal under the CFAA now.

  6. The story misses the really big concern, IMHO by gweilo8888 · · Score: 5, Insightful

    The big issue isn't the question of who to shoot (what's it matter if you take a while to get them, so long as you get the right people?). It's also not "How can we stop the tools being misused", because the simple truth is that we can't, and that they'll get their hands on tools like this even if we don't pass this moronically-named act.

    The real concern is that we're trusting big business to use this appropriately. I can guarantee that it won't. The RIAA and MPAA are probably wetting their pants in anticipation of this so they can start hacking internet users to get their identity and extort money out of them, for example. I'm sure they can manufacture some evidence that they were "hacked first". Companies will also be using it against each other. (Microsoft: "No, honest guv. We saw a hacking attempt from both Google and Amazon simultaneously, with an assist from Apple too. We totally had to hack them back. It's just a coincidence that our subsequent product launches seemed almost to have anticipated our competitors' products." Etc., etc.)

    Big business can't even be trusted with the tools it already has. It sure as hell doesn't need this one too!

  7. The dial up decade by AHuxley · · Score: 4, Insightful

    Most interesting people would just hop to a nice fast, open staging server.
    From that they would use the network speed to move a lot of plain text unencrypted US data.
    Clean up the logs, drop some really fake code litter, move the data around a few more servers and finally move the data to a safe location.
    What is the USA going to see? The ip range of that first staging server...
    A totally unrelated set of networks and computers will feel the full force of US cyber "fight back"?
    That nation will tell the tech media of the deep penetration efforts by the USA on some vital/special/ISP/commercial server and network.
    Most governments also use their other nations domestic ISP networks ip ranges to look around the "internet" and do spy things.
    Could be a home user on a modem downloading plain text data from a wide open US server again, or it could be the last hop by some other very distant gov/group.
    Does the US want to "fight back" on some ISP in an unrelated nation? To find the next hop to another ISP and nation?
    Keep on hacking back and hope the next hack is the real person trying to get the data in front of their own home computer?
    The "fight back" won't find the destination, it will just damage some ISP/network/university/brand used in some random nation. Or some easy network in some nation that got hacked for its speed and unexpected ip ranges.
    It's not the 1980s with one user, a dial up modem and their home computer entering advanced US networks directly. Even in the 1980s most smart people used a few different educational and private sector networks around the world before their final US network of interest.
    A lot of work for brands, companies, educational, medical networks and ISP will have to clean up after the USA attempts another "fight back" as they saw the ip, the network connection and attempted to "stop the attack" with some clicking around on some contractor's GUI.

    --
    Domestic spying is now "Benign Information Gathering"
  8. What if it kinda is? by Tatarize · · Score: 2, Insightful

    There are some cases when you could invoke something like BrickerBot against a DDoS attack coming from a bunch of webcams and other unsecured devices. Would I be allowed to attack back against these devices and brick some random guy's webcam or router simply because it's unsecured and being used in the attack?

    I mean, that's the right target, right? I should be allowed to use the same exploit used to compromise that system en masse and destroy a vast number of webcams or routers or whatever devices are attacking me, right?

    --

    It is no longer uncommon to be uncommon.