Rep. Tom Graves (R-Ga.) has released an updated version (PDF) of his draft Active Cyber Defense Certainty (ACDC) Act, incorporating feedback from the business community, academia and cybersecurity policy experts. “I look forward to continuing the conversation and formally introducing ACDC in the next few weeks,” he said yesterday.
The original discussion draft was released in March 2017.
ACDC is designed to amend the existing Computer Fraud and Abuse Act (CFAA). CFAA, enacted in 1986, currently prohibits individuals from taking any defensive actions other than preventative actions; that is, cyber defenders are only legally allowed to defend passively. ACDC would allow controlled ‘active’ defense — something often called, somewhat misleadingly, ‘hacking back’ — by excluding prosecution for the exempted actions under the CFAA.
The modifications now introduced are largely designed to tighten control and avoid collateral damage. For example, entities using active-defense techniques will need to report to the FBI. “A victim who uses an active cyber defense measure… must notify the FBI National Cyber Investigative Joint Task Force prior to using the measure.”
Similarly, modifications make it clear that active defense restrictions against causing physical injury include financial injury; and provide additional safeguards for ‘intermediate computers’. The latter term is defined as “a person or entity’s computer that is not under the ownership or control of the attacker but has been used to launch or obscure the origin of the persistent cyber-attack.”
These intermediate computers have always been considered the weak point in any form of hacking back — it is not easy for anyone to be certain of the precise source of an attack, leading to the possibility that active-defense measures could be launched against an innocent target.
National Security Agency and Cyber Command head Admiral Mike Rogers is one of those with such concerns. “My concern is,” he said during testimony before a House Armed Services subcommittee on Tuesday, “be leery of putting more gunfighters out in the street in the Wild West. As an individual tasked with protecting our networks, I’m thinking to myself — we’ve got enough cyber actors out there already.”
Perhaps in recognition of the inherent difficulties in such an Act, Graves has also introduced a sunset clause: “The exclusion from prosecution created by this Act shall expire 2 years after the date of enactment of this Act.”
“Although ACDC allows a more active role in cyber defense,” says an associated statement released yesterday, “it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.”