A re-introduced cybersecurity bill would allow hacked American businesses to step out of their networks to retrieve stolen information in so-called hack back operations.
The bipartisan Active Cyber Defense Certainty Act (ACDC), which makes changes to the Computer Fraud and Abuse Act (CFAA) enacted 33 years ago, would allow “limited defensive actions that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.” The bill was introduced by Reps. Tom Graves (R-GA) and Josh Gottheimer (D-NJ) and has 15 co-sponsors from both sides of the aisle. An earlier version of the ACDC that Graves sponsored two years ago had nine bipartisan co-sponsors but went nowhere.
“The ACDC Act is back (and, yes, I feel duty bound to say that it is Back in Black, that the bill addresses Dirty Deeds, and that critics fear it puts us on a Highway to Hell),” wrote Robert Chesney, Associate Dean for Academic Affairs at the University of Texas School of Law, in a Lawfare blog post. (Chesney offers an exhaustive analysis of the bill section-by-section.)
Specifically, the ACDC would give individuals and companies the legal authority to leave their networks to:
- Establish attribution of an attack.
- Disrupt cyberattacks without damaging others’ computers.
- Retrieve and destroy stolen files.
- Monitor the behavior of an attacker.
- Use beaconing technology.
The CFAA currently prohibits hacked companies from taking any defensive actions other than preventative protections, such as anti-virus software. The ACDC, on the other hand, “unties the hands of law-abiding defenders to use new techniques to thwart and deter attacks,” said Graves, calling the ACDC the "most significant update" to the CFAA since its enactment. “Americans who take precautions, such as installing updates, purchasing anti-virus software and using strong passwords, are still falling victim to cyberattacks. Companies continue to suffer major breaches of their often sophisticated cyber defenses,” he said.
Hack back critics warn about risks associated with mistaken attribution, unintended collateral damage and the potential to escalate attacks to another level. However, prior to acting, the ACDC requires users to notify the FBI National Cyber Investigative Joint Task Force, and they must also receive a response from the FBI acknowledging the notification.
“This bill gives specific, useful tools to fight back against cyberattacks that have cost Americans hundreds of millions of dollars, not to mention their personal privacy. There’s nothing partisan about protecting our families and businesses from these cyber hackers,” said Gottheimer.
Offensive hacking as a defense strategy may be gaining traction with U.S.-friendly foreign governments. Two weeks ago, the UK said it will dedicate £22 million ($28 million USD) to underwrite a new cyber operations center to defend the nation against cyber attackers. The move signals the UK’s newfound willingness to counter cyber attacks on its critical infrastructure by returning fire to damage other countries’ infrastructures and perhaps launch preemptive strikes as well.