For many years active cyber defense measures and hacking back have been debated in the USA. The crux of the discussion is whether cybercrime victims from private sector should, in certain cases, be able to respond to an attack outside their own networks. Until now, such actions have been reserved exclusively for the law enforcement agencies, primarily the FBI. The Active Cyber Defense Certainty Act (ACDC) which is now being introduced in Congress would remove this restriction, allowing private companies to use aggressive cyber defense measures in order to identify attackers or even destroy stolen data.
KBN Commentary no. 17 (72) / 2020
28 December 2020
For many years active cyber defense measures and hacking back have been debated in the USA. The crux of the discussion is whether cybercrime victims from private sector should, in certain cases, be able to respond to an attack outside their own networks. Until now, such actions have been reserved exclusively for the law enforcement agencies, primarily the FBI. The Active Cyber Defense Certainty Act (ACDC) which is now being introduced in Congress would remove this restriction, allowing private companies to use aggressive cyber defense measures in order to identify attackers or even destroy stolen data.
Regardless of potentially positive effects of ACDC, the dangers of its introduction cannot be underestimated. The article presents the most important problems and challenges related to an extension of powers of private companies to new forms of an active cyber defense.
Photo credit: "Highway to Hell" by dem_Christoph licensed under CC BY 2.0.