Rep. Tom Graves (R-GA-14) and Rep. Kyrsten Sinema (D-AZ-9) have introduced the Active Cyber Defense Certainty (ACDC) Act in the House of Representatives.
Active Cyber Defense Certainty Act
Known as the “hack back” bill, H.R. 4036 would amend the Computer Fraud and Abuse Act (section 1030 of title 18, United States Code) by defining the parameters within which parties defending their own computers or networks can respond to attacks by hacking the perpetrators.
Thus, if passed, the ACDC would except a hacking victim (a “defender”) “who uses a [tracking] program, code, or command” to help identify the source of a hack from prosecution under section 1030, so long as the software “originated on the computer of the defender but [was] copied or removed by an unauthorized user”. On top of that, the defender’s actions must not “result in the destruction of data or result in an impairment of the essential operating functionality of the attacker’s computer system, or intentionally create a backdoor enabling intrusive access into the attacker’s computer system".
The bill would also exclude from prosecution a defender who carries out an “active cyber defense measure,” defined as any measure by which the victim accesses an attacker’s computer to gather information that would help identify the attacker, disrupt continued hacking, or monitor the attacker “to assist in developing future … cyber defense techniques".
The ACDC would also authorize hacking victims to retrieve and destroy files stolen from them.
Finally, the bill requires defenders to notify the FBI’s National Cyber Investigative Joint Task Force of the type of breach that occurred, the intended target of the victim’s active cyber defense measures, and the steps that the victim intends to take in order to preserve evidence of the hack and prevent future attacks.
However, probably, it's too early to be so excited.
Computer defenders should also exercise ex- 2 treme caution to avoid violating the law of any other 3 nation where an attacker’s computer may reside.
From the Active Cyber Defense Certainty Act
Thus, the ACDC also highlights that if untrained actors are authorized to retaliate against hackers, they may end up inadvertently victimizing innocent third parties. In light of this reality, the bill’s cautionary statement seemingly undercuts much of the power that the bill aims to grant hacking victims.