Rep. Tom Graves (R-Ga.) released updated legislation Thursday to allow victims of cyber crimes to hack their attackers back.
The Active Cyber Defense Certainty Act (ACDC) would exempt victims from hacking laws when the aim is to identify the assailant, cut off attacks or retrieve stolen files.
The updated draft is intended to solicit comment and is not itself being introduced.
The original discussion draft was released in March. The new draft takes into account comments from a panel discussion Graves hosted on the topic earlier this month at Georgia Tech that included representatives from the security industry and academia as well as Rep. Kyrsten Sinema (D-Ariz.).
Hacking back is a controversial idea within the cybersecurity community. Many feel these kinds of measures — ranging from the actions permitted by the bill to taking destructive measures — risk escalating attacks. And, since many attacks are launched from other hacked servers, retaliatory hacking risks damaging the property of other innocent victims. On the other hand, victims often feel hamstrung in the midst of attacks and don’t want to lose a window to respond.
National Security Agency and Cyber Command head Adm. Mike Rogers said on Tuesday he is skeptical of the prior draft of the legislation.
“My concern is, be leery of putting more gunfighters out in the street in the Wild West. As an individual tasked with protecting our networks, I’m thinking to myself — we’ve got enough cyber actors out there already,” Rogers said when asked about the proposal during testimony before a House Armed Services subcommittee.