
Hack-back bill would legalize companies hacking their attackers

What could possibly go wrong?

A couple of years ago, a counterterrorism expert had an idea: let’s arm US companies with cyber weaponry so they can hack-back cyberattackers, suggested Juan Zarate, a former US deputy national security advisor for counterterrorism during the administration of US President George W. Bush.

Mike Rogers, a former Republican congressman from Michigan and former FBI agent, said at the time that given the plethora of attacks coming from other nations, many businesses would wind up in over their heads in an escalating conflict – a nasty can of worms to open.

Besides, Rogers argued, who says that a given company has the capacity to track down culprits behind an attack? It’s not like all companies are adept at the forensics needed. Sources can be spoofed.

Figuring out the origin of an attack can hinge on subtle clues: what inference should be drawn, for example, in the similarities between the code in the WannaCry ransomware worm and the malware created by Lazarus, a hacking group believed to be linked to North Korea?

Nor is it a given that companies can launch a counter-attack that doesn’t wind up harming a slew of innocents. For example, a hack-back at the vast array of Internet of Things (IoT) devices that got sucked into the Mirai botnet would have seen attacks on home users’ cameras, with the perpetrators left unharmed.

Would we really want to empower an Equifax or a Yahoo, giving them a “cyberwarrant” that would grant private companies license to protect their systems, “to go and destroy data that’s been stolen, or maybe even something more aggressive,” as Zarate suggested?

Their histories of protecting their assets, after all, don’t inspire confidence. Why would we believe they have the ability to competently attack hackers without causing harm?


Some can do it very, very well. Some don’t have a clue of how to do it, but that wouldn’t stop them from [responding] anyway. How do you contain that?

Well, here’s how two legislators have contained the hack-back suggestion: they want to make it the law of the land.

As CNN Money reports, H.R.4036 – formerly called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Its backers are US Representatives Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.

ACDC would give a company the go-ahead to take active defensive measures to access an attacker’s computer or network to identify hackers, as well as to find and destroy stolen information. It makes sense to introduce it as an amendment to the CFAA, given that the CFAA outlaws unauthorized access to somebody else’s computer: a big legal hammer that’s found many nails.

ACDC would give authorized individuals and companies the legal authority to leave their network to:

  1. Establish attribution of an attack.
  2. Disrupt cyberattacks without damaging others’ computers.
  3. Retrieve and destroy stolen files.
  4. Monitor the behavior of an attacker.
  5. Utilize beaconing technology.

Will this lead to cyber-vigilantism? Graves says no; he told CNN that the bill is not opening the door to the Wild Cyber West. The horse is already out of the barn: we’re already living in the Wild Cyber West:

We are already dealing with the Wild West and there’s a lot of outlaws out there but we don’t have a sheriff, we don’t have a deputy and all we were asking for is a neighborhood watch.

But just as they did when Zarate brought up the notion two years ago, security experts are warning that the bill could have dire unintended consequences. CNN quotes digital forensics expert Lesley Carhart on the difficulties of determining whether the source of an attack has been spoofed:

In cybercrime and in nation state attacks, there are often lots of attempts to mislead and confuse researchers analyzing the attack timeline or malware. A savvy bad guy could fairly easily emulate an innocent third party, and draw down the wrath of unskilled analysts on them.

And if an attack were in fact coming from, say, North Korea, the ACDC wouldn’t be worth much. That’s because it limits hack-back actions to within the US. It also requires companies to report to the FBI-led National Cyber Investigative Joint Task Force before taking active-defense measures: a measure that “will help federal law enforcement ensure defenders use these tools responsibly.”

OK… so, why not just entrust cyber investigations and countermeasures with the FBI and the Department of Justice (DOJ) to begin with? According to a news release (PDF) from Graves, we can’t – they’re swamped.

While DOJ and the FBI do great work, the number of cyberattacks far exceeds the government’s ability to respond, identify and prosecute criminals.

At any rate, Graves told CNN, whether we like it or not, companies are already hacking back:

Word on the street is many companies are already doing some of these things. They know, you know, and I know that what they are doing is illegal. What we would be doing is bringing clarity to what some might already be doing and what tools might be successful.

In fact, he’s hoping that if the bill passes, it could spark the creation of new tools to protect against hackers.

One security expert likened the bill to the old Biblical law about retaliation: an eye for an eye, a tooth for a tooth. That dates back to Hammurabi, King of Babylon from 1792-1750BC.

Wise he may have been, but Hammurabi didn’t have to deal with (and nor could he have foreseen) the complex issue of figuring out who hacked who.


I’d rather see the heads of companies just be held responsible when they get hacked. Most companies treat IT like they just take money away and are a waste. Lets send all our IT jobs to India and pay minimum wage. So dumb. If they’d spend the money to protect their networks they could deal with the issues. If Equifax did that they could have patched the security flaw that was left open for two months before they were hacked.


It’s about time the USA had digital privateers. I agree things are going to get messy… but what else can we do when other nation-states treat hacking as a cottage industry?


a member of a self-appointed group of citizens who undertake law enforcement in their community without legal authority, typically because the legal agencies are thought to be inadequate.


Forget the bill. If companies are already hacking back, let’s just acquiesce to that fact and not enforce the provision that makes it illegal. Sort of like blue laws and bingo games.


What’s stopping the Government or businesses claiming they are being hacked… and they may well be, but this could be intentional, spoofing innocent people’s or groups’ addresses so they can then justify a return hack to the spoofed addresses rather than the original target, which could be a Government agency.
I think this would be a bad idea to let this bill be passed.


It’s a start, however, most attacks seem to come from outside the US.

Maybe we could just add exploits to our sensitive data that would detonate if it leaves our perimeter? This could reduce the collateral damage as it would only wipe the drive, or a keylogger, or whatever, on the asset that stole the data.

Place exploits in our honeypots, this would be nice! Maybe let honeypot providers add beacons back to them so they could provide a service to safely go retrieve my data if the concern is too high of collateral damage.

Yes I do want the ability to retrieve my data or at least destroy it if it has left my perimeter, and adding a little pain to the attacker might aid in slowing global attacks. Please give me my cyber concealed carry permit as this whack-a-mole game is a never-winning game! :)


Fighting back is a waste of time as you would do better improving your defences and retrieving files that have been stolen really ought to have been backed up in the first place. Besides they will make copies anyway.

That said if you rattle your adversary and really annoy them you can quite often trick them into revealing more than they would normally reveal such as WiFi and wireless keyboard injections, cloned MAC addresses, various ports used, spoofing WiFi packets sent via wired ethernet and vice versa, deliberate same IP address used (kicking the first off) etc.

The first thing all adversaries will do after penetrating a network will be to establish persistence, and if they can they will attack the management console. gSOAP vulnerabilities are common. Once inside the management console they have access to all the devices on a network and can perform everything from accessing wireless networks to access control lists and passwords. They will take note of the topology and look for further weaknesses, and DoS anyone trying to prevent them. Finally they will modify the underlying OS to suit them and then place it in read-only mode so that you are unable to make changes. Telltale signs are greyed-out options where you used to be able to change them, or what you are changing bears no resemblance to how the switch/router is functioning. Ports that are still open even after blocking them in the firewall are a dead giveaway. Finally, if they think you are on to them they will cripple the device but still leave it switched on, and when you switch it off and back on again (after you have noticed it is not working) it will trash the firmware, giving them time to hide their tracks and destroy any evidence. Look for holes in log files where nothing seems to be recorded.
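The last comment above suggests looking for holes in device logs. As an added example (not from the article or any of its commenters), here is a small Python check that finds silent stretches in a device's log that are longer than the device's normal logging cadence; the log lines and timestamps are constructed for the demonstration.

```python
# Added example: find "holes" in a device log, i.e. stretches where a device
# that normally logs at a steady cadence recorded nothing at all. Such a gap
# is worth a look: either the device was down, or its log entries were
# suppressed or removed. All log lines below are constructed sample data.
from datetime import datetime

# Constructed sample of a switch's syslog: entries roughly every 15 minutes,
# then a silent stretch of nearly two hours, then logging resumes.
SAMPLE_LOG = """\
2017-10-16T08:00:05 sw-core1 link: GigabitEthernet1/0/12 up
2017-10-16T08:15:02 sw-core1 auth: admin login from 10.0.0.5
2017-10-16T08:30:07 sw-core1 link: GigabitEthernet1/0/7 down
2017-10-16T08:45:01 sw-core1 snmp: trap sent to 10.0.0.20
2017-10-16T10:40:33 sw-core1 link: GigabitEthernet1/0/7 up
2017-10-16T10:55:04 sw-core1 auth: admin login from 10.0.0.5
"""


def parse_timestamps(log_text):
    """Return the timestamps of all well-formed lines, in file order."""
    stamps = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            stamps.append(datetime.fromisoformat(line.split(" ", 1)[0]))
        except ValueError:
            continue  # malformed line: skip it rather than abort the scan
    return stamps


def find_log_gaps(log_text, max_silence_s=1800):
    """Return (gap_start, gap_end, seconds) for every pair of consecutive
    entries separated by more than max_silence_s seconds. The threshold
    should be set to a couple of the device's normal logging intervals."""
    stamps = parse_timestamps(log_text)
    gaps = []
    for earlier, later in zip(stamps, stamps[1:]):
        silence = int((later - earlier).total_seconds())
        if silence > max_silence_s:
            gaps.append((earlier, later, silence))
    return gaps


if __name__ == "__main__":
    for start, end, secs in find_log_gaps(SAMPLE_LOG):
        print(f"no entries between {start} and {end} ({secs // 60} min)")
```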

