Rep. Tom Graves, R-Ga., introduced a bill as a discussion draft that would allow a victim of a cyberattack to access the attacker's computer in order to gather information about the attack to share with law enforcement or to stop the hacker from continuing to access their network.

The Active Cyber Defense Certainty Act would not allow cyberattack victims to destroy any information on their attacker's network or to otherwise cause a threat to public safety. The proposed amendment has not been formally introduced yet.

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” Graves said in a statement on March 3 announcing the proposal. “While the bill doesn't solve every problem, it's an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”

Conversation is all that Justin Kapahi, vice president of solutions and security for External IT, expects to come from the proposed bill. He said that the proposal was likely “meant to provoke discussion” rather than to actually become law.

“It's good to create a discussion around 'why do we have to play defense? Why can't we play offense?'” he said. Ultimately, though, he said advisors could take the proposal as “entertainment,” and continue focusing their cybersecurity efforts on what regulators are looking for now.

He pointed out that most breaches are from users inadvertently giving their passwords to hackers. He recommended financial firms strengthen their cybersecurity programs with training and two-factor authentication.

Under the Computer Fraud and Abuse Act, victims of cyberattacks may not retaliate against their hackers by accessing their networks without authorization.

“I think it's kind of symptomatic of the whole state of cybersecurity that most people, me included, didn't even know that there were limits to what you can do to defend yourself,” said Tim Welsh, president and founder of Nexus Strategy.

Advisors are already struggling to keep up with cybersecurity demands. “I highly doubt that advisors are pondering this stuff at all,” Welsh said.

Cary Kvitka, a shareholder and member of Stark & Stark's securities practice, raised concerns about the ethical implications of allowing advisors to “fight back using similar or otherwise illegal tactics.”

“That's a little dicey for me,” he said in an interview. “When you're relying on self-defense, that typically involves a contemporaneous element so that if you're employing defensive measure, you're doing so at the actual time of the attack.”

However, Kvitka said allowing retaliatory hacking could be a disincentive to cyberattackers trying to breach financial firms' networks.

Scott MacKillop, CEO of First Ascent Asset Management, who has a JD from George Washington University, was similarly skeptical.

“You wonder exactly what they have in mind,” MacKillop said. “I suspect it's one of these proposals that wasn't even intended to go very far but is just there to make a statement.”

Read the full article in the March 29 issue of CUTimes.


© 2024 ALM Global, LLC, All Rights Reserved.