Tom Graves (R-GA) released an update to the initial Active Cyber Defense Certainty Act (ACDC) that intends to exempt victims of cyber attacks from being prosecuted for attempting to hack back at their attackers under the Computer Fraud and Abuse Act (CFAA). If enacted, the law allows organizations that are the victims of hacks to conduct their own hacks to identify the assailants, stop the attacks or retrieve stolen files. At a high level, it makes sense. In practice, it is ridiculous.
According to the proposed law, organizations would be exempt from prosecution if they alert law enforcement before committing such acts. It sounds very straightforward, and I wish there were more to this law. The reality, though, is that most victims are ill-equipped to deal with an incident and even less equipped to hack another organization without creating damage. It is reminiscent of the scene in The Dark Knight, where Batman points out that the would-be vigilantes le he is wearing bulletproof armor.
Even the logic of the ACDC is flawed. For example, you cannot “retrieve” a stolen file. They are not physical entities. The law fundamentally lacks an understanding of computer crime.
First, lets consider the attribution problem. Even in cases where attribution was considered very straightforward, such as the Russian hack of the DNC and the North Korea hack of SONY, the attributions were criticized and mocked. How can individual organizations, with less skill and resources, be expected to sufficiently determine the attribution that will justify their subsequent actions?
Then, while you might allow organizations to hack organizations, you have to consider the resulting damages. Even assuming that a victim is skilled enough to accomplish the intended actions, if the infrastructure used by the criminal belongs to another party, the retaliating victim could cause damage on the third party. Would the victim be liable for damages suffered? If the third party doesn’t suffer direct damages, but they are subject to data breach notification requirements, would the hacking by the victim result in a situation requiring notification?
There are also a variety of other circumstances where the offending infrastructure is owned by a third party. For example, a website can be hacked and used to launch attacks, but the website is hosted on AWS. Would Amazon then be justified in hacking the victim again to stop the attack against the hosted website?
While in theory it might be useful to have highly skilled organizations authorized to perform some level of active defense, it is not practical. There would need to be some licensing ability established. Even then, it would likely require international cooperation. And there are an unlimited number of scenarios where the ACDC could be improperly implemented, resulting in collateral damage.
While I agree that organizations can use more support when victimized by a computer crime, the ACDC is definitely not the answer. A better approach would be for the handful of organizations that may be capable of hacking back actively engage with law enforcement.