Should it be legal to hack a hacker who is intent on attacking you? It’s an interesting, touchy debate, with powerful opinions on both sides.
On the one hand, hacking is universally regarded as an illegal act, even when conducted in self-defense. After all, it invariably involves breaching a network you do not own. Furthermore, a crucial component is often the insertion of malicious code into the penetrated network that will either disable it, or allow you to track the activities of the network’s owner.
On the other hand, in the physical world, if you are threatened, you are within your rights to defend yourself, including conducting actions that would result in the death of the person who is attacking you. Given that simple truth, an increasing number of people have been demanding similar attitudes in the digital realm.
This has culminated in a new bill, proposed by Georgia Representative Tom Graves. The bill, known as the Active Cyber Defense Certainty (ACDC) Act, would empower the victims of hackers to make use of “limited defensive measures that exceed the boundaries of one’s network,” in order to identify and potentially stop a hacker.
The bill has a broad base of support, but detractors point out that there are key differences between the digital and physical worlds, and that the “self-defense” paradigm that works in the physical world may not translate seamlessly to the digital.
For instance, if a person is physically assaulting you, then you can clearly identify your attacker. In the digital world, the identity of your attacker may not be readily apparent.
Second, while owning a gun for home defense is seen by many as being a sensible precaution, the digital equivalent may be owning a private botnet that could be used in defensive counterattacks if and when the assailant can be identified – but is that the world we want to live in?
The Maryland Coordination and Analysis Center explains, “Hacking back, on the other hand, is quite illegal today under the CFAA and gives many researchers and legal experts great pause. The concerns are many, with first foremost being that given so many compromised computers are involved in attacks, a victim could rarely be certain they would be attacking the attacker rather than an innocent victim.”
It’s too soon to say whether the bill will pass, and even if it does, it may create as many problems as it solves. The debate rages on.