Congressional committee findings show that cyber crimes pose a “severe threat” to the economic strength of the United States. The committee found that the threat continues to grow because law enforcement has limited resources to respond to a cyber attack. The committee determined that the proper use of “active cyber defense techniques” would deter cyber criminals and improve an organization’s defenses.” The findings specified that only “qualified defenders” should use defense techniques, often referred to as a “hack back.” To qualify, the defenders must have “a high degree of confidence in attribution.” Importantly, the defenders must use “extreme caution” not to harm other systems or make the situation worse.
On October 12 2017, U.S. House Representative Tom Graves (R) introduced H.R. 4036, known as the Active Cyber Defense Certainty Act (ACDC Act). The proposed law has nine co-sponsors, which include five Republicans and three Democrats. Co-sponsor Stephanie Murphy (D) from Florida is a former national security specialist at the Department of Defense. Earlier in 2017, Murphy commented, “The security of the American people should be more important than partisan politics.”
Based on the committee findings, the ACDC Act amends the Computer Fraud and Abuse Act of 1986. The Act creates exceptions for using defenses, but it also adds a requirement to notify the FBI.
A key part of the ACDC Act is an exception to section 1030 of title 18 that allows a defender to use “attributional technology.” This allows a defender to gather digital information about an intrusion through forensic analysis methods. For example, a program could have a beacon inside its code that gathers data to identify the intruder’s origin. However, the Act does not allow a programmer to create a backdoor or destroy data in an intruder’s system.
For certain computer crimes, the ACDC Act protects defenders from prosecution for taking authorized active cyber defense measures. The Act defines a “defender” as “a person or an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer.” The bill currently does not mention if this definition also applies to a third-party hired by a victim.
The ACDC Act defines an “attacker” as “the source of the persistent unauthorized intrusion into the victim’s computer.” While pursuing an attacker, a defender may not intentionally destroy data that does not belong to the victim. Also, the defender cannot exceed the level of activity that is necessary to track down the intruder.
Although the ACDC Act serves as a defense against criminal prosecution, it does not prevent civil actions. Under the Act, a person or entity in the United States who is targeted by an active defense measure may seek a civil remedy, which includes injunctive relief or compensatory damages.
Prior to using a defensive measure, a defender must notify the FBI National Cyber Investigative Joint Task Force and receive a response. The defender must provide information about the breach and reveal the intended target of the defense measure. Also, the FBI requires details about a defender’s plan to preserve evidence and prevent damage to computers belonging to other parties.
Hack Back Controversy
Critics of the ACDC Act believe that the potential liability of legal exposure from a “hack back” is too high. Also, critics argue that the Act will not have a big impact on preventing cyber crime. Additionally, critics argue that companies discover most breaches long after the attack, so hacking back will not deter most hackers.
Some critics fail to consider that network administrators often use a “trap and trace” technique to monitor hacking. A trap involves using a honeypot to entice hacking activity and then trace its source. However, although honeypots use passive methods, a company must closely monitor a honeypot or face possible liability issues. To avoid violations, a company should seek legal advice before engaging in the activity of monitoring cyber communications.