Hacking Back: Revenge is Sweet, But is it Legal?
Before you go ahead and hack back against intruders, you should proceed with caution.
You may have heard the term “active cyber defense” lately and would like to know if it can help your business, particularly if you work in a sensitive sector like financial services. In theory, active cyber defense (or ACD) sounds like what you need: you want to do more than firewall your systems; you want to actively defend your company against hackers.
But before you go ahead and hack back against intruders, you should proceed with caution. Many active cyber defense strategies are currently illegal for financial services and other private companies.
U.S. law around active cyber defense
Introduced as a bill to the U.S. House of Representatives in October by Rep. Tom Graves, the Active Cyber Defense Certainty Act (ACDCA) is still under consideration. Currently, the Computer Fraud and Abuse Act deems many active cyber defense methods to be illegal, including accessing a computer – such as a hacker’s computer – without authorization. ACDCA aims to address new cyber security norms, particularly ones unaddressed in the Computer Fraud and Abuse Act, which was passed as an amendment in 1986.
Ultimately, ACDCA aims to give the private sector broader active cyber defense abilities. The bill proposes “to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers.”
Symantec writes that, if the ACDCA passes, private companies could participate in a two-year pilot program where their activities would be closely coordinated with the FBI. Doing so would empower these companies to employ certain ACD tactics such as hack backs without facing criminal repercussions, though that protection would not extend to civil ones.