Companies may get the legal power to chase cyber-criminals across the Internet, if a bill introduced in the U.S. House of Representatives passes muster.
The bill, the Active Cyber Defense Certainty Act (ACDC), is the brainchild of Rep. Thomas Graves (R-GA), who started pitching the legislation in March and accepted industry comment over the past six months.
If passed, the legislation would carve out exemptions in the Computer Fraud and Abuse Act (CFAA) of 1986 to allow companies to utilize computers and networks without authorization, but only if they are doing so to attribute or disrupt an attack, to retrieve or destroy stolen files, or to monitor attackers.
"While it doesn’t solve every problem, ACDC brings some light into the dark places where cyber-criminals operate,” Graves said in an Oct. 13 statement on the introduction of the bill. “The certainty the bill provides will empower individuals and companies to use new defenses against cyber-criminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.”
The pursuit of a legal framework to protect the ability to take private action against online attackers has continued more than a decade.
The bill does not eliminate the penalties for unauthorized access—the broad application of which continues to be a controversial part of the CFAA—but gives an exemption where self-defense is “clearly justified,” according to an analysis of the bill.
The current incarnation of the bill adds a voluntary review process for companies and individuals to take before using active defense measures. While organizations that use the active-defense provisions must report their activities to the FBI’s National Cyber Investigative Joint Taskforce, companies and individuals can work with the FBI on their process to ensure they are following applicable laws.
In the analysis, Graves’ office pointed out that many companies are already using active defense techniques that violate the letter of the law.
“Even though most of these techniques are not legal under current law, the reality is that skilled defenders are already using them to thwart and deter attacks,” the analysis stated. “ACDC unites the hands of law-abiding defenders to use new techniques to thwart and deter attacks, while also providing legal certainty of industry experts to innovate, which could spur a new generation of tools and methods.”
Critics of the bill have pointed out that using force for self-defense on the Internet is a misnomer. In reality, active defense allows victims to pursue their attackers, investigate them, and in some case, attack back, all while using an analogy to physical attacks that is not appropriate, information-security researcher Dave Dittrich stated in an analysis of the second version of the bill.
“Physical analogies to the cyber realm are extremely difficult to get right without a very deep and sophisticated technical operational understanding on the part of both the person using the analogy and the one interpreting it,” he said.
The bill’s co-sponsor, Rep. Kyrsten Sinema (D-AZ), cited the recent Equifax breach as an indication of how bad the problem of cyber-attacks has become for average Americans.
“The Active Cyber Defense Certainty Act gives specific, useful tools to identify and stop cyber-attacks that have upended the lives of hundreds of millions of Americans,” Rep. Sinema said in a statement. “The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications for Arizona families and businesses.”
The bill has been forwarded to the House Judiciary Committee, which will determine the schedule for hearings and the introduction of legislation.