When it came to crimes against the person, governments, for the longest time, told citizens not to fight back but to cooperate with criminals to minimize the harm they might do. That changed, and citizens began to take control of their own safety. Civilians all across the nation began arming themselves in the name of self-defense.
Currently, a victim of cybercrime can't do much but report it and make repairs. But maybe that's changing, too, as we learn that Rep. Tom Graves (R-GA) has proposed a bill called the Active Cyber Defense Certainty Act (ACDC). From his news release:
The bill makes changes to the Computer Fraud and Abuse Act (CFAA) to allow the use of limited defensive measures that exceed the boundaries of one’s network in an attempt to identify and stop attackers. Once a cybercriminal is identified, the victim can share that information with law enforcement or try to disrupt an ongoing attack.
The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network. Additionally, by allowing defenders to develop and deploy new tools, it will also serve as a disincentive for criminal hacking.
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Rep. Graves. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”
Oh sure, there could be missteps, and innocent people might get caught in the crossfire. Robert Chesney discusses some of the issues in "Legislative Hackback: Notes on the Active Cyber Defense Certainty Act discussion draft." One of them is obvious. An attack might proceed through several computers before it reaches the intended victim. A hackback might have to take the reverse route even though the owners of those computers may have also been innocent victims.
We worried about innocent victims when we armed civilians, too. There's always that risk. All the more reason for adequate training of those to whom the cyber-defensive tools are entrusted. Meanwhile, it would be satisfying revenge to picture a hacker staring at his computer realizing all his data have just been sent to the FBI through a reverse hack.