H.R.4036 – formerly called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Introduced by Georgia Republican Tom Graves, and Arizona Democrat Kyrsten Sinema, in the House of Representatives. And just like the ACDC song, we’re on the highway to hell.
Even I like the sound of the idea. It feels great. I actually hear this very thing from clients who have been attacked. “Why can’t we just go after these guys and hack them?” As viscerally satisfying as the concept of revenge hacking is, it is not a good policy, and here is why:
- In order to “find” the attacker, you need to have the IP address that they are operating from. Most attacks are launched through the multi-proxy anonymizing service known as TOR. The address that the victim of a cyber attack would see would be that of the TOR “exit node.” Revenge hacking an exit node would be pointless.
- Most phishing attacks originate on the hijacked email account of yet another victim. Revenge hacking the “sender” of phishing emails only tortures the innocent.
- Most of the web site landing pages we see used in phishing exploits are hosted on the unfortunately hijacked websites of other innocent victims. Revenge hacking those sites just heaps insult onto injury.
- Most IT support professionals and cybersecurity professionals do not have the forensics skills to actually launch a counter-strike, but this will not stop them from trying. It’s going to look a lot more like the Wild West when anyone can step onto the Internet with a weapon and just blaze away. This would end up becoming horribly disruptive, and cause interruptions and outages.
I could go on, but you get the point. What other area of modern life allows people legally to take personal revenge against someone who has done them wrong? That is the province of law enforcement agencies and the courts. The solution for cyber-attack victims is the same. Report your incidents to your local PD and the FBI on the Internet Crime Complaint Center website at www.ic3.gov. Sharing your story there and at other cyber-incident reporting and sharing sites allows others to hear about new exploits and learn from your experience. And the FBI and Interpol can use the information to actually track-back the perpetrators, have them properly adjudicated, and put into prison. And yes, that does happen now, quite often, actually.