Home / Blogs

The Hack Back Bill in Congress is Better Than You’d Expect

Rep’s Graves and Sinema recently introduced H.R. 4036, the catchily named Active Cyber Defense Certainty Act or ACDC act which creates some exceptions to criminal parts of computer crime laws. Lots of reports have decried “hack back” but if you read the bill, it’s surprisingly well targeted.

The first change is to what they call Attributional Technology, and says it’s OK to put bait on your computer for an intruder intended to identify the intruder. It also says that your bait can’t destroy data, impair operation, or create a back door. It’s not obvious to me what the point of this section is, since I don’t see why non-destructive bait would have been a problem in the first place.

The second, longer section is about Active Cyber Defense Measures. It says it will be OK to access the attacker’s computer if it is in the U.S. to:

  • establish attribution of criminal activity
  • disrupt continued attacks against the defender
  • monitor the behavior of the attacker

Again, it specifically does not allow damaging the attacker’s computer or network, intentionally intruding into or damaging an intermediary’s computer, doing more than you have to do for the three bullets above, and some other limitations.

You have to tell the FBI before doing any of these countermeasures, the whole law expires in two years, and the FBI is supposed to report on how well it worked. There only criminal immunity, not civil immunity in all of this, so if you attack and damage someone’s computer, they can still sue you and get damages.

Overall, this is a well thought out bill that clearly has had advice from people familiar with the field. I have some minor issues with the language, such as the “intentionally” limit on damage to intermediaries (“oops, I didn’t mean to destroy every disk on the network where that bot was”) but they are fixable.

By John Levine, Author, Consultant & Speaker

Filed Under


I think the explicit mention of attributional Todd Knarr  –  Oct 23, 2017 10:41 PM

I think the explicit mention of attributional technology is to prevent the attackers from trying to claim putting your bait on their computer was an unauthorized modification and trying to use the CFAA to block their victims from creating positive proof that the computer in question did in fact belong to the same party that attacked the victim.

Makes sense. John Levine  –  Oct 24, 2017 1:10 AM

Makes sense.

I've read the bill several times, thinking Barry Raveendran Greene  –  Nov 15, 2017 11:08 PM

I’ve read the bill several times, thinking about the actions we’ve taken in the past to mitigate, remediate, traceback, and trackback malware systems to the source.  First, I don’t see the point of the bill. It is not solving anything. All the items mention done now within the legal limits that are in place with existing legislation. Second, I can easily see people who do not have solid legal advice taking action which they perceived are “good,” then the collateral consequence is 180 degrees opposite.

John, where are the new items fixing a problem with the existing legislation?

Are we ready for China to deploy malware removal tools on malware infected computer in the US? Removing malware through a discovered “remove” command does not damage the ‘intermediary computer.’ But, how does the victim know? They are under attack and they need “hack back.”

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign