Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Considering The Complexities of Hack Back Laws

Are the ‘Hack Back’ Laws Being Proposed by Congress a Good Idea?

Are the ‘Hack Back’ Laws Being Proposed by Congress a Good Idea?

Back in October 2017, U.S. Congressman Tom Graves spearheaded a modification of the Active Cyber Defense Certainty (ACDC) Act (PDF), which allows companies to “hack back” against hackers in an effort to identify and stop cyberattacks. In theory, the concept makes sense – in sports for example, defense doesn’t win championships, offense does. Responding to your attackers, or ‘taking them out’ in some cases, could be an effective way to get ahead of potential threats. However, discussions around hacking back in Congress today rely on analogies that are too simple and use examples focused on physical self-defense that fail to capture the true nature of online interactions.  

One of the core ideas in this, and similar, proposals is to ensure that the “hack back” does not impact any innocent third parties. In Graves’ proposed law, Active Cyber Defense is only allowed against “a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer,” otherwise it would be considered criminal hacking.

One issue raised by this idea is the need to be able to determine whether a given system belongs to the attacker or whether the hacker is controlling a system belonging to someone else.

Another issue is that it is not clear what would constitute a “persistent unauthorized intrusion.” Could logging into a site while violating its terms of service count, say by using a false name? Depending on how this is interpreted, it could create massive opportunities for abuse and make numerous innocuous users subject to active hacking.

An interesting idea floated in this bill is to allow companies to create a kind of cyber poison pill. They could place a file that identifies the attacker, or takes other actions, but only after the file has been stolen and placed on some other system. If the poison pill can only be acquired by hacking into a system, it would at least ensure that the subject of the pill was up to no good. It would not guarantee that it ran on the hacker’s own computer however. Many smart attackers would examine their stolen files while they are on some compromised third-party server.

Further complicating the situation, many companies may be unwilling to risk taking active countermeasures at all because a single slip could put them on the wrong side of the law. For example, the protection could be lost entirely if there is any damage to systems, data or functional impairment of the target computers. And exposure to criminal prosecution is not the only risk. Most of these kinds of proposals provide no protection from lawsuits. An injured third party could claim damages that could exceed the direct impact of the original hack.

Any analysis of “hack back” or active defense needs to look beyond the borders of the United States. Other countries will probably adopt similar laws with varying restrictions. Defensive actions will inevitably cross national boundaries and attackers will leverage servers in locations with laws most favorable to them. This will make it even more difficult for organizations to target attackers as they will be forced to comply with constraints unique to each country across the globe. This could also create international incidents with US companies being seen to attack servers in other countries.

While the frustration of organizations only being able to use defensive measures to combat threats is evident, few are willing to accept the possible repercussions of a misstep when going on the offensive or even possess the skills required to do so safely and effectively. I suspect that the result of any such legislation will be for attackers to become more sophisticated in their use of anonymity, false flags, and regulatory arbitrage, leaving the playing field largely unchanged.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption