House Bill Would Allow Companies to Hack Back—With Limits


The bill would let hacked companies retrieve or destroy their stolen files but not exact retribution on hackers.

Companies would have broader authority to fight back after hackers breach their networks and steal data under legislation introduced Friday by a bipartisan pair of House lawmakers.

The Active Cyber Defense Certainty Act wouldn’t let companies return digital fire against their attackers by stealing or destroying files.

They could, however, leave their own networks to retrieve or destroy those stolen files and install digital beacons to tell them where those files were taken.


The bill would mark the largest carve-out to date in the 1986 Computer Fraud and Abuse Act, which criminalizes most digital activity in which one person or company invades another’s computer networks.

Privacy and security advocates criticized an earlier version of the bill floated in March. They said companies trying to defend themselves could strike the wrong targets, accidentally damage attackers’ computers or cause conflict at the nation-state level.

The sponsors, Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Ariz., updated the bill in response to some of those concerns.

Most notably, the updated bill requires companies that engage in “active defense” to notify the FBI before doing so, partly to ensure they don’t step on the toes of an active FBI investigation or inadvertently ignite a cyber war.

Companies can also ask the FBI to review their active defense plans.

Active defenders that damage networks, even unintentionally, would still face legal penalties, according to a question and answer document from Graves and Sinema.

The new bill also would not preclude private companies from suing each other because of active defense campaigns.

Those changes are unlikely to quell criticism of the bill, however.

The bill would sunset after two years.