June 10, 2023


Bill That Allowed Victims to Hack Back Revised to Prevent Vigilante Justice

When the Active Cyber Defense Act was first brought to the Senate, it included a call for hack back that threw everybody into a frenzy. The revised act ruled out any destructive attacks that could result in financial injury but required the offended party to seek approval before initiating retaliatory acts against the assailants.

The difficulty of identifying a specific attack could push the nation to the edge of a crisis. The move to revise the hack back clause was made after careful evaluation and contributions from a broad spectrum of industries. But what was in the original draft?

The original draft was criticized for being too broad, including for combining active defense measures, which entail raising barriers to make it difficult for hackers to get through networks, with hack backs.

“In theory, if a victim hacks back and lacks the right infrastructure, the current law would criminalize the activity,” argued Brad Maryman, a retired FBI agent.

Determining the source of an attack accurately is monumentally difficult. Having millions of attack victims take matters into their own hands is therefore a recipe for chaos that puts at risk both the victims and those they mistakenly attack.

The revision rolls back hack back but allows limited defensive measures

The revised edition of the legislation permits only limited defensive measures that extend beyond the boundaries of your network in an effort to identify and stop attackers. The victim is allowed to access the attacker's computer without authorization to monitor behavior or attribute a crime. Even once an attacker has been identified, the possibility of being wrong cannot be ruled out. Therefore, the victim is required to share the details with law enforcement to halt attacks.

While the proponents of the law point to emerging attacks and the need to hit back fast and hard, roping in the law enforcement department comes with one major benefit: it allows users to utilize FAA tools. The process of developing the right tools can be complex, long, and very expensive. Why go all the way when the CFAA has some of the most advanced tools that can be called into action at any moment?

The technologies that victims can employ include beaconing, which could help to identify the actual location of a hacker. If a hacker accesses files and victims are allowed to delete them on the attacker's system, it is possible to pinpoint that system's location. Involving the FBI creates a new approach that not only helps to catch the attacker but also tracks the technology they used, to prevent related attacks in the future.

Limits drawn in the revised Active Cyber Defense Act

Even though you have identified the victim, the revised legislation creates several limitations to help align it with other laws.

  • You are not allowed to render inoperable systems that do not belong to the attacker.
  • You must not cause financial injury to another person.
  • You must not create a public health threat.
  • You must operate within the allowed reconnaissance level to attribute an attack.

New legislation and the right target

The new legislation takes into account the reality that it is extremely difficult to pinpoint the right target. In many cases, hackers are sophisticated, using extensive networks as well as third-party assets to host or launch malicious attacks. The revision has, therefore, removed anything that might encourage vigilante attacks that could cause more harm than good.