On October 12, 2017, Rep. Tom Graves (R-GA-14) and Rep. Kyrsten Sinema (D-AZ-9) introduced the Active Cyber Defense Certainty (ACDC) Act in the House of Representatives. Colloquially known as the “hack back” bill, H.R. 4036 was referred to the Committee on the Judiciary that same day. It would amend the Computer Fraud and Abuse Act (section 1030 of title 18, United States Code) by defining the parameters within which parties defending their own computers or networks can respond to attacks by hacking the perpetrators.
The bill notes that cybercrime is a “severe threat” to the country’s “national security and economic vitality,” and that the difficulty in responding to and prosecuting cybercriminals in a timely manner has led “to the existing low level of deterrence and a rapidly growing threat.”
If passed, the ACDC would exempt from prosecution under section 1030 a hacking victim (a “defender”) “who uses a [tracking] program, code, or command” to help identify the source of a hack, so long as the software “originated on the computer of the defender but [was] copied or removed by an unauthorized user.” Additionally, the defender’s actions must not “result in the destruction of data or result in an impairment of the essential operating functionality of the attacker’s computer system, or intentionally create a backdoor enabling intrusive access into the attacker’s computer system.”
The bill would also exclude from prosecution a defender who carries out an “active cyber defense measure,” defined as any measure by which the victim accesses an attacker’s computer to gather information that would help identify the attacker, disrupt continued hacking, or monitor the attacker “to assist in developing future … cyber defense techniques.” However, the bill does not allow a defender to engage in any conduct that “intentionally destroys or renders inoperable information that does not belong to the victim that is stored on another person or entity’s computer,” among other limitations. The ACDC would, however, authorize hacking victims to retrieve and destroy files stolen from them.
Finally, the bill requires defenders to notify the FBI’s National Cyber Investigative Joint Task Force of the type of breach that occurred, the intended target of the victim’s active cyber defense measures, and the steps that the victim intends to take in order to preserve evidence of the hack and prevent future attacks. Defenders must also “receive a response from the FBI acknowledging receipt of the notification prior to” taking action.
A defender who launches a counterattack that abides by these requirements would not be subject to criminal prosecution, although a US-based entity subjected to such a counterattack would still have the option to seek a “civil remedy.”
It’s presently unclear what kind of impact this legislation, if passed, would have on the blockchain space. Much of the theft that takes place in the world of cryptocurrency is the result of social engineering – such as fraudulent token offerings that masquerade as legitimate – and therefore would not constitute hacking according to the language of the bill, which defines an “attacker” as someone who gains “persistent unauthorized intrusion into the victim’s computer.” When actual hackers do steal cryptocurrency, they often successfully hide their identities through the common tactic of bouncing the stolen assets from wallet to wallet.
Some examples of blockchain-related hacking include intentionally programming bugs into executable distributed code contracts as well as gaining access to a website’s backend, then replacing a wallet address to which visitors are encouraged to send money with one belonging to the attacker. Hackers can also access private keys that users store on devices connected to the internet and those that certain cryptocurrency exchanges store on their servers. In cases like these, a hacker could feasibly leave behind some telltale piece of code that would allow a victim to trace an attack back to them, but such scenarios account for only a fraction of the asset theft that occurs in the blockchain sector.
The ACDC has also sparked concern that if untrained actors are authorized to retaliate against hackers, they may end up inadvertently victimizing innocent third parties whom the real hackers could falsely implicate in their attacks through a variety of means in order to throw investigators, public or otherwise, off their scent. Additionally, attacks are routinely routed through servers located in multiple countries in a bid to obscure hackers’ true identity and location. In light of this reality, the bill’s cautionary statement that “Computer defenders should also exercise extreme caution to avoid violating the law of any other nation where an attacker’s computer may reside” seemingly undercuts much of the power that the bill aims to grant hacking victims.