A US congressman is currently tinkering away at a proposed bill that will legalize some "hack back" counter-measures that breached companies can take to stop and identify ongoing cyber-attacks, and recover their data.
Called the Active Cyber Defense Certainty Act (ACDC), this bill will bring amendments to the Computer Fraud and Abuse Act (CFAA), the US law that governs cyber-related crimes.
Rep. Tom Graves of Georgia proposed a first version of the ACDC bill back in March. That version of the bill would have allowed victims of cyber-attacks to hack their attacker for the sole purpose of collecting information that could help in identifying the culprit.
ACDC 2.0 lets victims be more aggressive
After public meetings and feedback from the business community, academia, and cybersecurity policy experts, Rep. Graves has made some important modifications to the ACDC bill.
The most important of these is that the ACDC bill would allow a victim to take aggressive countermeasures against an attacker to protect its data, meaning a victim would be able to delete its own information, if it finds it on the attacker's system.
This provision was made for victims of data breaches and data theft, in order to allow them to delete stolen company data present on an attacker's web or FTP servers. This could be useful to prevent the spread of stolen data, if the breach is discovered shortly after it happened.
Victims can destroy "their" data, but not the attacker's data
Furthermore, a victim carrying out a "hack back" attack cannot destroy any data belonging to another person, including the attacker, or cause damage or impairment of the attacker's machine.
This provision is present in the ACDC bill to protect shared hosting providers, as well as the property of users whose computers were infected with malware and are being used without their knowledge or consent.
Furthermore, to bypass proxies and other anonymizing services, and aid in identifying an attacker's actual location, ACDC authors also amended the bill to include the usage of beaconing technology, not included in the ACDC's first version.
Victims must notify the FBI before "hack back" attacks
To curtail any abuse of "hack back" actions, legislators are also proposing that victims who want to engage in such endeavors first report to authorities.
Notification must include the type of cyber breach that the person or entity was a victim of, the intended target of the active cyber defense measure, the steps taken to preserve evidence of the attacker's criminal cyber intrusion, as well as steps taken to prevent damage to intermediary computers not under the ownership of the attacker.
The ACDC 2.0 bill describes the following actions as "active cyber defense measures:"
➔ Disrupt continued unauthorized activity against the victim's own network
➔ Monitor the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques.
On the other hand, the ACDC 2.0 bill specifically prohibits any action that:
➔ Causes physical or financial injury to another person
➔ Creates a threat to the public health or safety
➔ Exceeds the level of activity required to perform reconnaissance on an intermediary computer to allow for attribution of the origin of the persistent cyber intrusion.