Hack Back Legislation – The No Good Terrible Idea

There is legislation in the House of Representatives that will give legal authority to people to “hack back,” or hack the hackers that hacked the people hacking the hackers. The FBI and CIA arrest people overseas who try to hack the NSA and CIA in retaliation for the cyber espionage they engage in, but the United States wants to give people and corporations the legal authority to retaliate on their own for breaches. Let’s simply call this the hack back legislation.

From Cyberscoop:

The ACDC amends the Computer Fraud and Abuse Act (CFAA), which makes it illegal to access computers without authorization. Companies and individuals would be granted the right to “active defense” using various ways to identify, disrupt and possibly even destroy data in the name of “hacking back.”

“These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,” Graves said in a statement. “I thank everyone who helped sharpen this idea and improve the legislation. I look forward to continuing the conversation and formally introducing ACDC in the next few weeks.”

There are many reasons why you should never do this. I have to wonder whom the legislators are consulting with, and why on God’s green earth this seems like a good idea. Sure, hackers write insecure code in their malware that provides an easy opportunity to get even, but just because you can does not mean you should. There is an existing grey area for security researchers who hack back for the purposes of adequately identifying threats to create malware signatures, identifying malicious IP addresses as accurately as possible so they can be blocked in security products to protect customers, and obtaining information on tactics, techniques, and procedures to aid in incident response when other people are attacked or breached. These security researchers are highly trained, and although researchers do make mistakes, they can quickly adapt to a changing situation to protect themselves.

This bill opens the door for people who are inexperienced in conducting cyber espionage properly and could get themselves, or the company they work for, into more trouble than they anticipate. Reconnaissance is the first of a series of steps hackers take before trying to breach a system and plant malware: it limits their exposure while inside the system and positively identifies the target and the types of data they want to exfiltrate, so the operation is as efficient as possible. Breaching the wrong information system forces the attackers into more lateral movement than they want in order to find the data they are after, and more lateral movement means a greater chance of getting caught. Time spent and lateral movement within an information system need to be limited to avoid detection before the targeted data is retrieved. Hobby and amateur hackers will have difficulty identifying whom they are attacking, and it could spell disaster if the target turns out to be a nation-state.

According to Cyberscoop:

The bill allows hacking victims to retaliate and destroy stolen data “if it’s located using the active-defense techniques permitted by this bill and does not result in the destruction of data belonging to another person,” a press release from Graves explained.

Any attack resulting in financial harm or other collateral damage is forbidden.

Many laws are vaguely written, so I believe it is safe to presume this law will not be different. Hobby and amateur hackers will more than likely be unaware of the extent of damage they are inflicting.

The best way to handle a breach is to identify which avenue of attack the hackers used to gain access to your information system and take steps to eliminate or mitigate that avenue. If someone breaks into your home, would you call the cops, or try to hunt down the criminal and get your property back yourself?