House legislation floated Friday would give companies attacked by hackers free rein to penetrate those hackers' networks so long as they don’t destroy anything while they’re there.
The Computer Fraud and Abuse Act currently bars companies and individuals from hacking into anyone else’s network even if that person is attacking them.
The Active Cyber Defense Certainty Act, sponsored by Rep. Tom Graves, R-Ga., would allow companies under attack to break into their attackers’ networks either to stop an attack or to gather intelligence about the attackers’ identity to share with law enforcement.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
The bill would not protect companies from prosecution if they destroy any data during those forays, cause injury to someone or otherwise endanger public health or safety, according to a discussion draft. The bill expressly forbids "vigilantism."
Government officials have typically warned against allowing companies to “hack back” out of fear they would accidentally harm innocent bystanders or, in the case of nation-state-backed hackers, force the government into an unwanted or unexpected diplomatic or military conflict.
Lawmakers and executive branch officials frequently fret, however, that, in the case of highly resourced nation-state-backed hacking groups, industry is being forced into a fight it cannot win.
Former National Security Agency Director Keith Alexander wrestled with the question during testimony before the Senate Armed Services Committee on Thursday, essentially arguing that government was not holding up its end of the bargain to protect industry from cyberattacks.
“Should Sony have been allowed to hack back?” he asked, referencing North Korea’s 2014 destructive attack against Sony Pictures Entertainment. “The answer for me is probably ‘no’ because if Sony attacked back and North Korea thought that was an attack by our government, it would have started a land war on the Korean Peninsula and we’d all say that’s industry starting a war and that’s government’s role and responsibility.”
When asked about those concerns, Graves replied that “the status quo is simply unacceptable” and that “a significant first step to addressing growing cybersecurity threats is empowering the American people and American companies to defend themselves regardless of the threat source.”
He described his bill as giving individuals legal leeway to defend themselves online just as they could during a physical assault.
“I believe people should have the legal authority to defend themselves during a cyberattack and the tools to assist the authorities with catching the bad guys, just as they do during a physical attack,” he said.
Graves, who chairs the House Appropriations Committee’s financial services and general government panel, described the discussion draft as "an important first step" he hopes will spark additional ideas.
Though most cyber scholars are wary of allowing private companies to move beyond their own networks in combating cyberattacks, there are exceptions.
George Mason University Law Professor Jeremy Rabkin, for example, has frequently floated the idea of government deputizing certain companies that are well vetted to take on some cyber investigations and retaliatory cyber strikes.
An October report from the Active Defense Task Force, organized by The George Washington University’s Center for Cyber and Homeland Security, urged the government to outline limited circumstances in which a hacked company could penetrate its hacker’s network, for example, to retrieve stolen data or lock the hacker’s network until stolen data is returned.