Imagine that a random car is periodically driving across your front yard, leaving tire treads and gouges on your otherwise pristine lawn. How would you handle it? You might set up a surveillance camera to capture an image of the license plate and driver and then share the image with the police. You might install a fence. You might also consider scattering several boxes of nails across your lawn to puncture the tires of the intruding car, if you thought it was worth the risks and legal consequences should a guest, or a child retrieving an innocently misdirected ball, be harmed in the process. But you probably wouldn’t hire a group of contractor “lawn ninjas” wielding deadly weapons to hide in the bushes, follow the car to its destination, install video and audio surveillance devices on it, slash its tires, and smash its windows.
The law does not treat these four responses as functional equivalents: the first two are likely entirely reasonable, the third requires safety precautions, but the fourth involves multiple crimes and dangerous vigilantism. These distinctions are well-founded in brick-and-mortar world criminal and civil law – and they should transfer into the digital world of information security.
Yet “hackback” legislation (the Active Cyber Defense Certainty Act “ACDC Act”) has lost sight of these legal distinctions. The ACDC Act creates an exception to the Computer Fraud and Abuse Act (“CFAA”) for various retaliatory acts by the “victim” of a “cyberattack” against the person the victim believes is the perpetrator of the computer intrusion. While it is understandable that companies want to actively defend their systems from computer intrusions, this approach is problematic because it condones security vigilantism, underestimates the difficulty of correct attribution, and ignores underlying problems in the CFAA.
In essence, as drafted, the law would encourage private conduct that usurps the role of law enforcement. It also may compound the problem of security vigilantism by underestimating the technical difficulty of correct attack attribution. Attack attribution in internet-mediated criminality is complex. However, even our primitive lawn-ninja hypothetical can illustrate some types of attribution challenges. For example, the driver of the car may not be the owner of the car. The driver might be a car thief. He might be a malicious neighbor who periodically rents a car for purposes of property destruction. Destroying and bugging the car in retaliation may be destroying property belonging to someone other than the perpetrator of the lawn intrusion.