Revenge of the Nerds? Or Highway to Hell?

H.R.4036 – formerly called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Introduced by Georgia Republican Tom Graves, and Arizona Democrat Kyrsten Sinema, in the House of Representatives. And just like the ACDC song, we’re on the highway to hell.

Even I like the sound of the idea.  It feels great.  I actually hear this very thing from clients who have been attacked.  “Why can’t we just go after these guys and hack them?”  As viscerally satisfying as the concept of revenge hacking is, it is not a good policy, and here is why:

  • In order to “find” the attacker, you need to have the IP address that they are operating from.  Most attacks are launched through the multi-proxy anonymizing service known as TOR.  The address that the victim of a cyber attack would see would be that of the TOR “exit node.”  Revenge hacking an exit node would be pointless.
  • Most phishing attacks originate on the hijacked email account of yet another victim.  Revenge hacking the “sender” of phishing emails only tortures the innocent.
  • Most of the web site landing pages we see used in phishing exploits are hosted on the unfortunately hijacked websites of other innocent victims.  Revenge hacking those sites just heaps insult onto injury.
  • Most IT support professionals and cybersecurity professionals do not have the forensics skills to actually launch a counter-strike, but this will not stop them from trying.  It’s going to look a lot more like the Wild West when anyone can step onto the Internet with a weapon and just blaze away.  This would end up becoming horribly disruptive, and cause interruptions and outages.

I could go on, but you get the point.  What other area of modern life allows people legally to take personal revenge against someone who has done them wrong?  That is the province of law enforcement agencies and the courts.  The solution for cyber-attack victims is the same.  Report your incidents to your local PD and the FBI on the Internet Crime Complaint Center website at  Sharing your story there and at other cyber-incident reporting and sharing sites allows others to hear about new exploits and learn from your experience.   And the FBI and Interpol can use the information to actually track-back the perpetrators, have them properly adjudicated, and put into prison.  And yes, that does happen now, quite often, actually.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.