In 2017, U.S. House Representative Tom Graves introduced H.R. 4036, known as the Active Cyber Defense Certainty Act (ACDC Act). The ACDC Act, or hack back law, amends the Computer Fraud and Abuse Act of 1986 (18 U.S.C. § 1030). The passage of this bipartisan bill into law would allow active cyber defenses for protecting computer networks from hackers. However, H.R. 4036 died in committee in the same year that it was introduced.
This year, Rep. Graves reintroduced the ACDC Act under H.R. 3270. On his website, Rep. Graves stated, “Technology has outpaced public policy, and our laws need to catch up.” He explained that the law would give the private sector a more active role in catching cyber criminals.
Active Defense vs. Hack Back
The ACDC Act authorizes individuals and entities to go beyond their networks to monitor network intruders and disrupt cyber attacks. Basically, the ACDC Act defines an “active cyber defense measure” as any action a defender takes to access an attacker’s computer without obtaining authorization. The measure can be used to establish attribution of an attacker, disrupt continued unauthorized activity, and monitor the attacker’s behavior. The Act does not allow an intentional action that causes physical harm, financial loss, or public danger. Also, the defender cannot harm data that does not belong to the victim.
At the 2016 SANS DFIR Summit, Robert M. Lee explained that an “active defense” is a strategy that militaries used long before adding the word “cyber.” Lee described an active defense as monitoring the environment and being able to take action based off the adversary while adapting over time. Importantly, he emphasized that the strategy is not about hacking back or going into someone else’s territory, which includes tracking geo locations and using honeytokens. Instead, an active defense is really about responding to adversaries and securing the environments.
The ACDC Act, if passed, would legally expand the meaning of active defense beyond the classic definition. Once passed, the Act authorizes a “hack back” type of cyber defense that may reach beyond the victim’s network. However, before using an active cyber defense measure, a defender must notify the FBI National Cyber Investigative Joint Task Force.
Too Much Power?
Giving the private sector more power to fight hackers may strengthen the effort to stop cybercriminals, but big companies may end up with too much power. As an example, Microsoft has already used legal remedies to seize domains when it was threatened by botnets that distributed malware.
In 2014, Microsoft targeted domains at No-IP, a dynamic DNS provider. Microsoft analyzed data from anti-malware utilities that it received from its consumers. The data revealed that No-IP was functioning as a major hub for the distribution of the Bladabindi and Jenxcus malware. Once a system became infected, the malware enabled an attacker to access files, record keystrokes, and turn on the camera and microphone.
To stop the malware, Microsoft obtained a federal court order to take control of almost a dozen of No-IP’s high-traffic domains. No-IP claimed that Microsoft never communicated with it about the problem. Microsoft informed No-IP that it intended to “filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve.” However, No-IP announced that millions of its customers experienced outages due to Microsoft’s “draconian actions.” A few days later, Microsoft returned the domains back to No-IP, and the companies reached an agreement.
Although Microsoft was successful in stopping the malware, its actions disrupted many innocent users. Critics of the ACDC Act believe that big companies will take advantage of a law that would protect hack back techniques. The big companies could bring disruptions to others if they take “active cyber defense measures” to protect their own interests. But the proposed law’s creator, Rep. Graves, believes that the ACDC Act would help fight cybercrime while establishing high standards and accountability for companies.