A congressman for Georgia has proposed legislation that would give victims of attacks rights to identify hackers and disrupt attacks.
This should put a smile on the lips of anyone who's spending the day hardening servers against the Apache Struts vulnerability that's being exploited all over the place. There's a congressman who wants victims of computer attacks to be able to return the favor and hack back.
Rep. Tom Graves (R-Ga.) proposed a bill last week, the Active Cyber Defense Certainty Act, that would amend the CFAA to give victims of computer intrusions some new rights.
Don't get too excited. Even if the bill passes, overworked IT security folks aren't going to be allowed to send a damaging payload into the offending computer to bring it down forever and ever amen. As many dreams as that would fulfill, that notion will remain a dream, as it should.
Basically, if passed the bill will let the victim of an attack snoop around inside the attacking computer "to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network."
While the last part might seem to offer a bit of carte blanche for those hacking back, the bill includes some restricting caveats. Those taking action against an offending hacker won't be allowed take actions that "destroy the information stored on a computers of another," "causes physical injury to another person," or "creates a threat to the public health or safety."
According to Graves, the bill is based on a self-defense premise.
"This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault. While the bill doesn't solve every problem, it's an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat."
As inticing as it is, this bill probably isn't such a good idea, as it seems to bypass due process, and as Tim Cushing at Techdirt put it, "'Empowering individuals' through federal law can go sideways in a flash."
I can't speak for anyone else, but I'm pretty sure I don't want anyone, no matter how well meaning, to mistake me for a hacker and start poking around inside my computers, even if they do promise to obey Google's law and "do no evil" while they're there.