With a backdrop of high-profile breaches and October’s designation as “Cyber-Security Awareness Month,” Rep. Tom Graves (R-Georgia) and Rep. Kyrsten Sinema (D-Ariz.) have announced the formal introduction of the Active Cyber Defense Certainty Act (H.R. 4036). The bipartisan bill makes” targeted changes to the Computer Fraud and Abuse Act to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”
The CFAA, enacted in 1986, currently prohibits individuals from taking any defensive actions other than preventative protections, such as ant-virus software. Specifically, ACDC gives authorized individuals and companies the legal authority to: leave their network to establish attribution of an attack; disrupt cyberattacks without damaging others’ computers; retrieve and destroy stolen files; monitor the behavior of an attacker; and utilize beaconing technology.
“The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network,” a statement by the legislators says. “Although ACDC allows a more active role in cyber-defense, it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.”
“This is likely the most significant update to the Computer Fraud and Abuse Act since its enactment in 1986,” they added.
“While it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate,” Graves says. “The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.”
“The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications,” Sinema says.
A list of “frequently asked questions” was released along with the legislative filing.
How would most defenders use Active Cyber Defense Techniques?
Most defenders would likely use active-defense techniques to perform “deep reconnaissance” of the hackers who originated the attack. For example, a defender using active-defense techniques could “follow the bread crumbs,” back to the source of the attack. They could then attempt to attribute the source, “naming and shaming” the attacker, turn over relevant information to law enforcement, or simply learn the “vector” that the attacker took to execute the original malicious attack and avoid it.
Are Active-Defense Techniques Effective?
Active-defense techniques can absolutely be effective. Even though most of these techniques are not legal under current law, the reality is that skilled defenders are already using them to thwart and deter attacks. ACDC unties the hands of law-abiding defenders to use new techniques to thwart and deter attacks, while also providing legal certainty for industry experts to innovate, which could spur a new generation of tools and methods.
Does the bill protect privacy rights?
Yes, it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and prevents collateral damage by constraining the types of actions that would be considered active defense. These safeguards help ensure that active defense is only targeted at the source of the attack, while imposing a strict standard of care on the defender to ensure that innocent bystanders aren’t impacted.
How will the bill impact innocent bystanders and avoid collateral damage?
ACDC has a very high standard for cyber defenders. If a defender behaves improperly or recklessly, they will still bear the full penalty of existing law. ACDC does not change the existing penalties for “unauthorized access”; it merely allows a legal defense for such access in cases where self-defense is clearly justified. The bill makes clear that if a person is inadvertently impacted by active-cyber defense, their right to sue for civil damages or injunctive relief is preserved. Defenders would be forced to take a very deliberate, step-by-step process of using active-cyber defense or they would still run the risk of civil and criminal penalties.
Additionally, the bill requires reporting to the FBI-led National Cyber Investigative Joint Task Force before taking active-defense measures, which will help federal law enforcement ensure defenders use these tools responsibly. The bill also includes a voluntary review process through the FBI Joint Taskforce that individuals and companies could utilize before using active-defense techniques, which will assist defenders in conforming to federal law and improving the technical operation of the measure.
Why not just let the FBI and Justice Department respond?
The federal government plays a crucial role in investigating and prosecuting cyber-crimes. But it shouldn’t stand in the way of victims who are capable of responding to an ongoing attack, nor should it stand in the way of industry innovating and creating new active-defense techniques. The FBI will continue to play the lead role but there is a mutual benefit to empowering individuals and organizations to actively defend themselves online. While DOJ and the FBI do great work, the number of cyberattacks far exceeds the government’s ability to respond, identify and prosecute criminals.
Could active-defenders end up tangling with nation-state hackers?
ACDC requires reporting to the FBI-led National Cyber Investigative Joint Task Force before individuals or companies take active-defense measures. This should allow the FBI to de-conflict private actions that may overlap with law enforcement or involve a nation-state.
Among the key changes to the bill that were made after the release of the second discussion draft:
A voluntary review process that individuals and companies can utilize before using active-defense techniques;
This provision allows defenders to benefit from review of their proposed active-defense measures by the FBI Joint Taskforce, which will assist defenders in conforming to federal law and improving the technical operation of the measure;
The authority to conduct these reviews would exist under a two-year pilot program, and could be amended or renewed at a later date.
Requiring notification to the government for the use of active-cyber defense measures that go beyond beaconing;
Clarification that the bill does not interfere with a person’s right to seek damages; and
Requiring an annual report on the federal government’s progress in deterring cybercrime.
In related news, earlier this month the Senate unanimously passed a bipartisan bill intended to help small businesses protect themselves against cyber-attacks.
The bill, Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology (MAIN STREET) Cybersecurity Act, requires the Director of the National Institute of Standards and Technology to specifically consider small businesses when updating its voluntary guidance on how to guard against cyberattacks. The legislation is supported by leading business groups including the U.S. Chamber of Commerce.
The bill was introduced in March by Sen. John Thune (R-S.D.), chairman of the Senate Committee on Commerce, Science, and Transportation, and senators Brian Schatz (D-Hawai‘i), James Risch (R-Idaho), Maria Cantwell (D-Wash.), and Bill Nelson (D-Fla.).