For the companies in the midst of high-profile data security breaches, revenge hacking is likely low on their list of priorities. As an activity, hacking isn’t inherently illegal, but there are limits on what is and what isn’t permissible. If you forget the password to your own laptop and exploit security vulnerabilities to gain access to it, this is fine. However, if you do the same to your boss’s laptop and steal information from it, this is illegal. While large companies might hire white hat hackers to test their network vulnerabilities and monitor for unusual activity, these hackers have been largely limited in what they can get away with. Until now.
Under the proposed legislation, the victims of hacking would be legally allowed to take revenge against those who breached their security systems. Revenge could involve anything from hacking their systems back and finding out who they are to destroying any stolen data and information. The rules would also allow victim companies to deploy beaconing technology that would allow them to find the geographical location of the hacker. This would aid law enforcement in bringing these individuals to justice.
There are some limitations to the bill, and companies that choose to carry out revenge hacks wouldn’t be without liability. Most importantly, revenge hacks would only be allowed to be carried out on US computers, which already limits the reach. Many cybercriminals will route their attacks through systems around the world, which would protect them from revenge hacks. Companies would also have to fill out paperwork and submit this to the FBI’s National Cyber Investigative Joint Task Force. This will help to ensure national boundaries are respected and that any activity wouldn’t infringe on a known investigation. The legislation has also been proposed with a time limit attached. The bill would expire after two years and the United States Department of Justice would have to report to Congress to keep them up to date on how the legislation has been utilised.
Liability is also a key issue. If damage was done to a third-party system as the result of a revenge hack, the company behind it would be liable, provided there is a trail pointing to the company behind the hack. It is not yet clear how transparent the hacking departments will need to be about their activities.
In the UK, there are currently no plans to work revenge hacking into law, but with ransomware and security breaches on the rise, MPs are under pressure to find a satisfactory solution that will protect businesses, infrastructure and public services from cybercriminals.