Oct. 13 (UPI) — A bipartisan bill introduced in the House Friday would allow targets of computer hacks to “hack back” and destroy the information that was stolen from them.
Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Ariz., co-sponsored the Active Cyber Defense Certainty Act, known as the hack back bill. It would decriminalize retaliatory hacking by allowing victims, individuals or large companies, to retaliate against their hackers — and steal back or destroy the information that was taken.
The bill stops short of allowing victims to harm or destroy computer networks or elements besides the initial information that was captured.
“While it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate,” Graves said in a statement. “The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.”
Hacking victims would be required to notify the FBI’s cyber crimes division before retaliating.
Experts have questioned how it’s possible for victims to ensure they aren’t damaging computer infrastructure during the strike back. Most sophisticated computer hackers employ third-party networks that have already been compromised to carry out large-scale attacks, meaning someone retaliating might accidentally destroy or damage a computer network belonging to another victim.
The very question of what constitutes hacking in everyday life has posed vexing legal questions.
Two cases recently decided by the California-based 9th Circuit Court of Appeals failed to earn a review by the U.S. Supreme Court that might have helped clarify what constitutes hacking and what does not.
The basic legal question was answered in a 1986 law that made it illegal to access a private computer network without the administrator’s permission, but the widespread use of sophisticated computer networks in the digital age has raised new questions that have yet to receive a full legal vetting.
In one case, an employee who’d been fired from a company was convicted of a criminal offense after he and two former co-workers used login credentials given them by another employee. The 9th Circuit upheld the conviction despite questions about whether using someone else’s login constitutes hacking.
Critics contend password sharing shouldn’t be considered hacking because many people share such information with relatives or friends. For example, spouses might share bank account passwords; friends frequently share passwords for streaming entertainment sites like Netflix.
In a second case, Facebook sued a Cayman Islands company that had created software to enable users to access their Facebook pages through a company portal. Facebook objected, saying the company was capturing data from customers in a way that made it insecure — and that if hacked, would reflect poorly on Facebook despite their having nothing to do with the company’s independent access portal.