Rep. Tom Graves (R-Ga.) has released an updated version (PDF) of his draft Active Cyber Defense Certainty (ACDC) Act, incorporating feedback from the business community, academia and cybersecurity policy experts. “I look forward to continuing the conversation and formally introducing ACDC in the next few weeks,” he said yesterday.
The original discussion draft was released in March 2017.
ACDC is designed to amend the existing Computer Fraud and Abuse Act (CFAA). CFAA, enacted in 1986, currently prohibits individuals from taking any defensive actions other than preventative actions; that is, cyber defenders are only legally allowed to defend passively. ACDC would allow controlled ‘active’ defense — something often called, somewhat misleadingly, ‘hacking back’ — by excluding prosecution for the exempted actions under the CFAA.
The modifications now introduced are largely designed to tighten control and avoid collateral damage. For example, entities using active-defense techniques will need to report to the FBI. “A victim who uses an active cyber defense measure… must notify the FBI National Cyber Investigative Joint Task Force prior to using the measure.”
Similarly, modifications make it clear that active defense restrictions against causing physical injury include financial injury; and provide additional safeguards for ‘intermediate computers’. The latter term is defined as “a person or entity’s computer that is not under the ownership or control of the attacker but has been used to launch or obscure the origin of the persistent cyber-attack.”
These intermediate computers have always been considered the weak point in any form of hacking back — it is not easy for anyone to be certain of the precise source of an attack, leading to the possibility that active-defense measures could be launched against an innocent target.
National Security Agency and Cyber Command head Admiral Mike Rogers is one of those with such concerns. “My concern is,” he said during testimony before a House Armed Services subcommittee on Tuesday, “be leery of putting more gunfighters out in the street in the Wild West. As an individual tasked with protecting our networks, I’m thinking to myself — we’ve got enough cyber actors out there already.”
Perhaps in recognition of the inherent difficulties in such an Act, Graves has also introduced a sunset clause: “The exclusion from prosecution created by this Act shall expire 2 years after the date of enactment of this Act.”
“Although ACDC allows a more active role in cyber defense,” says an associated statement released yesterday, “it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.”
More from Kevin Bowers
- Alexa May Be Recording More Than You Realize
- UK’s NCSC Adopts HackerOne for Vulnerability Coordination Disclosure
- Artificial Intelligence in Cybersecurity is Not Delivering on its Promise
- Untangle Partners With Malwarebytes to Bring Layered Security to SMBs
- Testing Security Products: Third-Party Standards vs. In-House Testing
- New Cyber Readiness Program Launched for SMBs
- Personal Details of 120 Million Brazilians Exposed
- Researchers Find Thousands of Twitter Amplification Bots in Just One Day
Latest News
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
