Congressman Proposes Organizations Should Be Allowed To 'Hack Back' (engadget.com)
Engadget reports:
Representative Tom Graves, R-Ga., thinks that when anyone gets hacked -- individuals or companies -- they should be able to "fight back" and go "hunt for hackers outside of their own networks." The Active Cyber Defense Certainty ("ACDC") Act is getting closer to being put before lawmakers, and the congressman trying to make "hacking back" easy-breezy-legal believes it would've stopped the WannaCry ransomware. Despite its endlessly lulzy acronym, Graves says he "looks forward to formally introducing ACDC" to the House of Representatives in the next few weeks... The bipartisan ACDC bill would let companies who believe they are under ongoing attack break into the computer of whoever they think is attacking them, for the purposes of stopping the attack or gathering info for law enforcement.
Friday The Hill published a list of objections to the proposed law from the CEO of cybersecurity company Vectra Networks. "To start with, when shooting back, there's the fundamental question of who to shoot... We might be able to retaliate, weeks or months after being attacked, but we certainly could not shoot back in time to stop an attack in progress." And if new retaliatory tools are developed, "How can we be sure that these new weapons won't be stolen and misused? Who can guarantee that they won't be turned against us by our corporate competitors? Would we become victims of our own cyber-arms race?"
Slashdot reader hattable writes, "I would think a proposal like this would land dead in the water, but given some recent, and 'interesting' decisions coming from Congress and White House officials, I am not sure many can predict the momentum."
Or Mallory gets Bob to hack him in a false flag attack so he can hack Alice.... If you're legalizing US companies to attack 'foreign' companies, you're also protecting foreign companies that hack US ones in retaliation.
IMHO, Google's self driving car tech is underpinning Uber's, Yandex's self driving car tech and Baidu's self driving car tech. Courtesy of General Alexander leaving US corporations open to known backdoors.
How would Google 'hacking back' actually stop that damage?
And then there's the orange elephant in the room, what if the damage is so egregious that attacking enemies become best buddies and close allies become targets of attack?
I'm waiting for Trump's report saying the election was attacked by France, and Russian detection was only inadvertent attempts to secure our networks remotely.
The monumental amount of stupi-..
Yes, it's true. That's why I come nearly every day to correct people as monumentally stupid as yourself. Such epic levels of disastrously misguided thought cannot be allowed to stand without challenge from someone with common sense and logic.
One of the first things a 'hacker' does when launching an attack is obscure their origins. They use someone else's machine, like a University's, or a Hospital's, or even one owned by the Department of Defense. And you want to hand people a license to f*ck up what they 'think' (and I use that word broadly here) might be attacking them?
Here's where you went full idiot. Never go full idiot.
The attacking system is ALREADY COMPROMISED.
Are you really so stupid you think the proposal is about attacking the actual attacker's system? Apparently so.
But no, that's not what the proposal is about. It's about being able to hack the ALREADY HACKED SYSTEM to stop it from attacking you. Yes it might be a hospital, bank, government, whatever - it's already screwed, bringing down that system does vast amounts of public good:
1) No more attacks on you - AND on other systems it may have been attacking.
2) Reducing danger to the org with the infected box because now it's not a portal to attack other internal systems (which sadly are already compromised, but it might be a proxy for the control mechanism so still good).
3) Protects the users of those systems from possible further spread of viruses or malware.
4) There is a more massive indirect benefit that if systems start going down because of hacking, more companies will take IT seriously, thus over time fewer systems would be compromised to begin with. Currently it does not SEEM like there is much of a problem, because an intruder wants the system to stay online and appear to be working - even as the intruder harms others and gains deeper access.
Any IT department SHOULD *cough*BA*cough* be able to bring up a backup system if the compromised one is taken offline. So while there may be some small outage as a result the overall good to be done is WAY more than the harm you are causing by taking a compromised system offline. You can of course tell a company you are about to take a system offline and let them do something about it if you are kind, but then again they really were not letting themselves get compromised and not detecting it so...
How is the DoD going to react to Pfizer launching an all out assault on them
With gratitude when they find out why. Even if begrudging.
Also of course, while such a law would just allow you to attack compromised systems, every company would look at where the attack was from and decide if trying to take down the system was a good idea from a legal standpoint - you can be pretty sure a lot of people would be running CYA messages up the flagpole about taking down a system in the military or a hospital. Did you even consider that just because people CAN do something, does not mean they WILL?
That's what I do not get about you state control fanbois, you think because you have no self control it applies to everyone else - including large companies which are the very definition of cautious with any risk.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It is illegal for me to pretend I am a lawyer and act as if I knew something about legal processes. For some odd reason it's still legal for you to pretend to know something about computers or that newfangled thing called "the internets" or something like this, despite your absolute blatant display of total ignorance.
On behalf of the people who know a thing or two about it: Please, do the world, and your reputation, a favor and shut the fuck up. Please don't talk about things you have about as much knowledge of as the average other pig has about nuclear physics.
And, even more important, don't make laws about things without knowing jack shit about them. You have the option to have advisers. Get one that has a clue.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.