Revenge of the Nerds? Or Highway to Hell?

H.R.4036 – formerly called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Introduced by Georgia Republican Tom Graves, and Arizona Democrat Kyrsten Sinema, in the House of Representatives. And just like the ACDC song, we’re on the highway to hell.

Even I like the sound of the idea.  It feels great.  I actually hear this very thing from clients who have been attacked.  “Why can’t we just go after these guys and hack them?”  As viscerally satisfying as the concept of revenge hacking is, it is not a good policy, and here is why:

  • In order to “find” the attacker, you need to have the IP address that they are operating from.  Most attacks are launched through the multi-proxy anonymizing service known as TOR.  The address that the victim of a cyber attack would see would be that of the TOR “exit node.”  Revenge hacking an exit node would be pointless.
  • Most phishing attacks originate on the hijacked email account of yet another victim.  Revenge hacking the “sender” of phishing emails only tortures the innocent.
  • Most of the web site landing pages we see used in phishing exploits are hosted on the unfortunately hijacked websites of other innocent victims.  Revenge hacking those sites just heaps insult onto injury.
  • Most IT support professionals and cybersecurity professionals do not have the forensics skills to actually launch a counter-strike, but this will not stop them from trying.  It’s going to look a lot more like the Wild West when anyone can step onto the Internet with a weapon and just blaze away.  This would end up becoming horribly disruptive, and cause interruptions and outages.

I could go on, but you get the point.  What other area of modern life allows people legally to take personal revenge against someone who has done them wrong?  That is the province of law enforcement agencies and the courts.  The solution for cyber-attack victims is the same.  Report your incidents to your local PD and the FBI on the Internet Crime Complaint Center website at www.ic3.gov.  Sharing your story there and at other cyber-incident reporting and sharing sites allows others to hear about new exploits and learn from your experience.   And the FBI and Interpol can use the information to actually track-back the perpetrators, have them properly adjudicated, and put into prison.  And yes, that does happen now, quite often, actually.

More information:

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment