The Active Cyber Defense Certainty Bill (ACDC) was introduced recently into the US Congress. If passed on its current terms it will amend the Computer Fraud and Abuse Act to make limited hacking back legal in America by allowing organisations defending their networks against hackers to:
- Go outside those networks to access the servers being used to conduct the attacks.
- Destroy any stolen data.
- Disrupt those servers to interrupt the attack.
- Deploy technology to identify the physical locations of the hackers.
There are some safeguards against the potential unintended impact of ACDC:
- Hacking back (aka active defence or incident response) is restricted to computers in the USA (but domestic hacking can be routed via overseas servers, thus circumventing the application of the ACDC).
- Organisations are financially liable for any damage caused to innocent computer users.
- Prior notice to the FBI’s National Cyber Investigative Joint Task Force is required so that it can check for any extra-territorial impact and interference with national security operations.
- The legislation will have a sunset of two years and the US Justice Department has to report to Congress once a year on activity carried out under the ACDC.
Is this a good thing?
Some regard this as permitting reasonable self-defence against the damage caused by hackers (e.g. a competing product created from theft of valuable intellectual property). Others argue that it permits disproportionate vigilante action.
There is arguably nothing illegal about tracking down and dealing with hackers within your own network, as this will only impact the computers and data within the network (assuming contractual approvals are in place in respect of other people’s data). However, in pursuing hackers outside your network it may not be clear whether the attacking servers are those of the hacker or of an innocent third party whose servers are being used without its knowledge. Significant collateral damage could result to the innocent third party.
Key issues are attribution (being able to accurately identify the source of the hacking) and the reasonableness and proportionality of the response.
In Australia, computer intrusion and unauthorised modification of data (including data destruction) are offences under the Criminal Code Act 1995 (Cth). Hacking the hacker outside your network therefore runs the risk of committing a criminal offence, even if you regard it as self-defence. Whether this situation changes will depend on, amongst other factors, what happens with ACDC and the ability of law enforcement and security agencies to meet the global enforcement challenge.
In any event the ACDC presents another opportunity to consider the legal and policy framework within which an organisation might take legitimate action against hackers.