UPDATED 22:41 EDT / MAY 28 2017

Proposed bill would allow victims to legally hack those who hack them

A revision to a controversial proposed bill that would allow victims of hacking to legally hack their hackers back was tabled Friday by Rep. Tom Graves (R-Ga.).

The proposed law, the Active Cyber Defense Certainty Act, would allow victims of a cyberattack to access the computer of an attacker to disrupt the attack and gather information to establish attribution. While making a so-called “hack-back” legal, the legislation limits the recovery or destruction of an organization’s data so long as it does not cause the destruction of another’s data.

While that sounds somewhat disturbing in itself, the act does provide some safeguards, including a provision that applies before any “active defense measures” can be taken: an organization wishing to hack its attackers in return would first have to notify the Federal Bureau of Investigation’s National Cyber Investigative Joint Task Force so as to provide oversight of any retaliatory action.

Allowing companies to hack their attackers is considered to be a controversial idea for two reasons. For one, legally allowing counter-attacks risks escalating attacks from hackers. Also, many attacks are launched from hacked servers to begin with, meaning that a retaliatory hack risks damaging the property of others who are innocent victims as well.

“While the new version of the ACDC Act provides more specificity on what’s being authorized and how, it still does not address the significant challenges that make hack back a bad idea,” Rapid7 Inc. Vice President Jen Ellis told SiliconANGLE. “There is no clear framework for ensuring appropriate levels of oversight so that accidental or intentional abuses can be avoided. There is no information on how organizations would ensure they are correctly attributing attacks, and interpreting motivations and actions, as well as limiting the reach and impact of their response.”

In regard to the concern that innocent third parties would be caught up in a hack-back, Ellis noted that there is nothing in the proposed act on what recourse should be available for unintended victims. “Without meaningfully addressing these issues, any attempt to authorize hack back can only be viewed as reckless,” Ellis added. “The potential fallout from a hack back misstep could be too severe and far-reaching to authorize the activity without the appropriate oversight.”

According to FCW, many officials and experts have expressed empathy for the intent of the bill, even if they have argued against it. Yet another concern is that a company could inadvertently drag the United States into a conflict with other countries should the targeted hacker be a nation state.
