A bill that would lift some restrictions on cyber defenders’ use of techniques known as “hacking back” was introduced today in the House by Reps. Tom Graves (R., Ga.) and Josh Gottheimer (D., N.J.).
The Active Cyber Defense Certainty Act (ACDC) would make “targeted changes to the Computer Fraud and Abuse Act (CFAA) to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify, and stop attackers,” the lawmakers said.
“Enacted in 1986, the CFAA currently prohibits individuals from taking any defensive actions other than preventative protections, such as antivirus software,” they added.
“Americans who take precautions, such as installing updates, purchasing antivirus software, and using strong passwords, are still falling victim to cyber attacks. Companies continue to suffer major breaches of their often-sophisticated cyber defenses,” they said in a fact sheet on the bill.
The bill would require cyber defenders to notify the Federal Bureau of Investigation before undertaking any of the active cyber defenses envisioned in the legislation and would hold them responsible if they caused collateral damage.
“If a defender behaves improperly or recklessly, they will still bear the full penalty of existing law. ACDC does not change the existing penalties for ‘unauthorized access’; it merely allows a legal defense for such access in cases where self-defense is clearly justified. The bill makes clear that if a person is inadvertently impacted by active cyber defense, their right to sue for civil damages or injunctive relief is preserved,” according to the fact sheet.
Most cyber defenders would use the law to track attackers back to their base, the lawmakers said, but the bill would also allow defenders to “disrupt cyber attacks without damaging others’ computers,” retrieve stolen files, and monitor the behavior of an attacker.
Some cyber experts have characterized the techniques that would be allowed by the bill as “cyber vigilantism.” But Rep. Graves said the existing rules disadvantage cyber defenders.
“Technology has outpaced public policy, and our laws need to catch up,” he said. “The status quo is unacceptable, and it’s important that private sector organizations feel empowered to take a more active approach to their cyber defense. We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and held accountable for their crimes.”
Rep. Graves also sees growing momentum for legislation like the ACDC. He first released a draft version of the bill in 2017 and made several revisions based on feedback from stakeholders. That bill ultimately had nine co-sponsors but did not clear the House Judiciary Committee. This time, he has 15 co-sponsors. —Tom Leithauser