Opinions

DDoS And The Law: Should Cyber Crime Victims strike back?

Where the law and technology meet, there is usually some friction, and proposed legislation in the US to help cybercrime victims turn the tables on their attackers has proven to be no exception.

The controversial legislation, called by some the ‘hack back’ bill, was formally introduced in October by Rep. Tom Graves and Rep. Kyrsten Sinema, and proposes targeted changes to the existing CFAA (Computer Fraud and Abuse Act) law.

Specifically, the proposed amendments of the Active Cyber Defense Certainty Act (ACDC) would provide immunity from prosecution for individuals and companies that use protective measures that overreach the boundaries of their own networks in response to a cyber attack.

If successful, the measures will be looked at more closely by other countries including the UK.

What the legislation authorises

The bill permits anyone victimised by cyber crime to establish attribution of the attack, to disrupt the cyberattack without damaging hackers’ computers, to retrieve and destroy their own stolen files, to track the behaviour of the attacker, and to utilise beaconing technology to identify the hacker’s geographic location.

Currently, the CFAA makes it a crime for any person to access a computer or network without authorisation – which very much includes accessing a hacker’s computer. While perpetrators of cyber crimes are undeterred by cyber laws, the threat of criminal charges restrains most law-abiding victims from beating the hacker at his own game.

DDoS included?

Whether victims of distributed denial of service (DDoS) attacks would be included in the bill is uncertain. At first glance, it appears that any DDoS definition would place the attack recipient square in the middle of this legislation. However, the language of the law creates a possible, if unintentional, distinction between DDoS attacks and more intrusive forms of hacking.

According to the definitions included in the legislation, an ‘attacker’ is either an individual or entity that persistently attempts to intrude into the victim’s computer without authorization. The question is, are DDoS attacks intrusive?

In one sense, it could be argued that the perpetrator in this case is not intruding into the victim’s website server, just asking it to serve up web pages faster than it ought to. However, as legal research scholar Herb Lin argues, a DDoS could constitute an intrusion, since the perpetrator is sending packets into the server.

The bill’s authors do not make this clear. The distinction is important, since the ACDC only permits action against a person defined by the statute as the attacker.

The merits

Let us assume that DDoS attacks will be covered by the bill, if it passes. What, then, are the merits of the legislation?

Pros: Supporters say the bill can help prevent cyber crime by allowing victims to stop hackers in their tracks. According to the bill, victims can take active measures against the attacker to disrupt an attack on their computers. Moreover, victims are authorized to enter the attacker’s computer to collect information that can be used to prevent further attacks.

So far, so good, right? Maybe, but wait till you consider the ramifications of granting cyber victims such vigilante powers. Advocates argue that allowing those victims to shut down an attacker will help reduce cybercrime. Of course, hacking a hacker requires a skillset most victims will not possess.

Cons: The legislation raises some very serious questions that, some would argue, have not been well thought out by the bill’s authors. For instance, what happens if a victim accesses an intermediary computer that was used as a proxy by the attacker? In that case, is the victim not now violating the law by accessing the computer of someone other than the attacker and without the owner’s authorization?

According to the legislation, victims are not afforded protection when “intentionally” using “remote access” to intrude into an intermediary’s computer.

Since the victim may not know that the intermediary computer did not belong to the hacker, does their ignorance not therefore afford them protection under the bill? Even though uncertainties abound, the bill’s authors insist the bill has sufficient protections to safeguard against unintended problems.

Further questions are raised by the requirement that victims first report a cyber attack to the FBI National Cyber Investigative Joint Task Force (NCIJTF) prior to engaging in a counter offensive against an attacker.

Supposedly, the FBI may evaluate the victim’s plan of attack and provide guidance on how to increase the chances of success. According to the bill, the FBI “may decide how to prioritize the issuance of such guidance to defenders based on the availability of resources.”

Since the agency has little experience directing private citizens on the art of cyber warfare, it is questionable whether such guidance would ever be forthcoming.

The history and future of ACDC

The Active Cyber Defense Certainty Act (ACDC) has taken two forms: ACDC 1.0 and ACDC 2.0. The second version offers some language clarification, and grants victims more authority to disrupt an attack and to destroy data on the hacker’s computer than was spelled out in ACDC 1.0.

While the bill introduced by Graves and Sinema proposes an amendment to the 1986 CFAA, the CFAA is, itself, the result of changes to the Comprehensive Crime Control Act of 1984.

To date, there is no Senate version of the ACDC bill, and the legislation must survive committee stages before being moved to the Upper House. Whether it is wise to empower cybercrime victims to take a retaliatory strike against hackers remains a subject for debate.

What is not debatable is the need for legislators to continue revising laws in light of changing cyber threats. Whether DDoS or other types of cyber attacks, laws must intelligently keep up with the technology, if they are to have more than a token effect on cyber crime.
