A new US bill makes it legal for private companies to hunt hackers.
In particular, a draft US bill allows the victims of a cyberattack to legally hunt the suspects.
The law, known as the Cyber Defense Certainty Act (ACDC), gives victims the freedom to identify hackers by invading the systems of organizations that they suspect malicious users have used to carry out the attack.
Often, these organizations may be other companies that do not know that their computers have been tampered with. On the other hand, an existing US law prohibits this kind of pursuit, which is known as "hacking back".
Only a few government agencies, such as the FBI, have the power to pursue suspected hackers in this way.
Supporters of the cybersecurity bill, recently introduced in the US Congress, say that the FBI and other government agencies are already facing a large number of cyberattack cases, including the ransomware that has paralyzed computer systems in cities such as Atlanta and Baltimore and huge data thefts at large companies such as the hotel chain Marriott.
In theory, enabling businesses and individuals to take the law into their own hands would supplement the efforts of those organizations.
Tom Graves and Josh Gottheimer claim that businesses and other private sector organizations need more freedom to defend themselves. They also pointed out that some businesses have already engaged in some forms of digital vigilance and that their bill will clean up the gray area around it.
The proposed legislation will amend a current US law, the Computer Fraud and Abuse Act (CFAA), allowing businesses and individuals to "respond" to hackers. They could also monitor attackers' systems and disrupt their operations.
The bill states that these capabilities should only be used by "specialists" who are confident about the identity of the attackers. They need to notify the FBI and seek guidance from it before fighting back, and make every effort to avoid destroying third-party systems.
Of course, taking the above into account, the ACDC has serious shortcomings, such as:
- Most companies are not qualified to "respond" to hackers.
- It's really hard to know with certainty who's behind a cyberattack.
- The law does not provide any protection or guarantee if the situation gets out of control.
- Possible animosity and devastating acts of revenge.
- Companies could find themselves confronting nation-states.