Congressman files new 'hack back' bill

cyber attack button 

Under newly proposed legislation, private entities would be given legal cover to "hack back" in response to a persistent breach or intrusion.

The discussion draft filed by Tom Graves (R-Ga.) updates a previous version based on initial feedback, but the premise remains the same -- victims of a cyberattack may access the computer of an attacker to disrupt the attack and gather information to establish attribution.

The legislation, which would modify the Computer Fraud and Abuse Act, bars victims from destroying the data on attackers' systems, causing physical or financial injury or "creating a threat to public health or safety."

The Active Cyber Defense Certainty Act 2.0 adds provisions to the March 2017 draft requiring that entities notify law enforcement when they use active cyber defense measures and allowing entities to recover or destroy data using active defense techniques.

In addition, the new version adds an exception for beaconing technology and allows victims to "monitor the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques." Another provision sunsets the bill after two years.

Many officials and experts have expressed empathy for intent of the bill, even if they have argued against it, saying it could result in the private sector inadvertently dragging the country into a conflict with other nation states.

They acknowledge that private companies have the technology to hack back or can hire security firms to do so, and the response would be much faster than waiting for the government to intervene in the case of a persistent breach.

Rep. Jim Cooper (D-Tenn.) stated in a recent House hearing that he was unaware it was currently illegal for companies to "hack back" and asked Adm. Michael Rogers, head of the National Security Agency and U.S. Cyber Command, if active defense should be legal.

"While there is certainly historic precedent for this -- nation states have often gone to the private sector when we lacked government capacity or capability ... my concern is, be leery of putting more gunfighters out on the street in the wild west," Rogers replied.

He expressed concerns about second- and third-order consequences that could result from a private entity hacking back.

Cooper argued that as long as businesses feel "disconnected from government or that ... government response is too slow or that certain national security interests are not recognized as being national security interests even when it's protecting the grid, I think you're going to see greater pressure."

Rogers agreed there could be greater pressure from the private sector and legislators to allow active defense.

"I would just be concerned that going that route argues against the broad principles we've used about the role of the state applying force kinetically or non-kinetically," Rogers said.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.