House bill says companies can hack back after cyberattacks [Commentary]


The U.S. House of Representatives has floated what is titled the “Active Cyber Defense Certainty Act,” which basically allows companies experiencing a cyberattack to hack back! This essentially counters the “Computer Fraud and Abuse Act,” which bars companies and individuals from hacking into a computer system that is attacking them.

Click here to see the 3-page bill — well worth reading.

The proposed legislation was floated March 3, 2017, and will surely get the attention of security professionals and organizations around the world.

Those defending the bill compare this proposed piece of legislation to the right of self-defense in the physical world. Opponents are quick to point out that the difference is cyber anonymity. The tools and techniques that are commonly used to obscure those truly behind the attack have increased in number, sophistication and use. This increases the likelihood that the hack-back activities will be focused on unwilling intermediaries whose systems have been unknowingly hacked and those not really behind the attack. Some are concerned that this could easily cause an escalation of cyber hostilities.

Those in national cyber defense and others (including myself) have frequently warned against allowing unauthorized individuals and companies to “hack back.” Errors in attribution are not just possible, they are likely! What would you do if your organization had a situation where a server was compromised and then it was used as an intermediary drawing retribution in the form of a “hack back?”

Clearly, this is a slippery slope with a number of negative effects. Without question, this is a must-watch issue for all those involved in cybersecurity on the national security side and within the private sector.