House Bill Would Allow “Hacking Back” in Defense of Private Networks
In mid-October, House Representatives Tom Graves (R-GA-14) and Kyrsten Sinema (D-AZ-09) introduced the Active Cyber Defense Certainty Act (ACDC) (H.R.4036). The bill would allow companies and other authorized individuals to use limited defensive measures—that is, to “hack back”—beyond the boundaries of a company’s own network to monitor, identify, and disrupt cyber attackers.
A statement released with the bill referred to ACDC as “likely the most significant update to the Computer Fraud and Abuse Act (CFAA) since its enactment in 1986.”
The CFAA is broad in scope and prohibits knowingly accessing a computer without authorization or exceeding authorized access and causing harm.[i] The CFAA effectively prohibits traditional hacking attacks and provides for both criminal and civil penalties. It has also been used in a wide variety of contexts beyond traditional hacking, and federal courts often struggle to define what conduct falls within the CFAA. Generally speaking, however, the CFAA has prohibited taking unauthorized action outside of one’s own network.
ACDC would change that, expanding the range of tools and methods that companies and individuals may leverage in “active defense” of their networks. The bill carves out exceptions to the CFAA and would grant authority to operate outside of one’s own network, in order to:
- establish attribution of an attack;
- disrupt cyberattacks without damaging others’ computers;
- retrieve and destroy stolen files;
- monitor the behavior of an attacker; and
- utilize beaconing technology.
Draft versions of the bill have been in circulation for several months, meeting both criticism and praise. Representative Graves stated, “while it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate.” The overall intent of the bill is to deter cyber attacks and provide more tools for the private sector to defend their networks.
Although not calling for the ability to hack back, multiple federal advisory boards have urged the government to do more to deter perpetrators of these global attacks.[ii] A draft report from the President’s National Security Telecommunications Advisory Committee (NSTAC) states that “DOJ policies should be more supportive of government intervention” and recommends increased “support for global law enforcement with the objective of raising the costs to cyber attackers.”[iii]
Critics of ACDC contend that hacking back may not be the right solution in today’s cyber climate, where both public and private networks are attacked not only by criminal individuals and organizations, but also by sophisticated nation-state actors and affiliates with ambiguous allegiances. Before a House Armed Services Subcommittee, Admiral Mike Rogers, the National Security Agency Director and Commander of U.S. Cyber Command, shared his concerns, stating that hacking back may put “more gunfighters out on the street in the Wild West.”
A company using ACDC’s proposed authorities could unknowingly go toe-to-toe with a nation-state’s army of cyber operatives. Under these circumstances, escalation may result in broader international incidents—with potential law enforcement, intelligence, and national security implications—and expose the organization defending its network to even more harm. Attribution is often complex and allegiances of bad actors may be unclear. Moreover, cyber criminals may launch attacks from unknowing third-party systems, and organizations deploying active defensive measures may do so against an innocent third party. Concerns have also been raised about the international law implications of potentially permitting private companies to engage on foreign networks.
In response to some of these concerns, the bill underwent several revisions and now proposes the requirement to report planned use of active defensive measures to the FBI-led National Cyber Investigative Joint Task Force in advance of hacking back. Under the bill, the Joint Task Force would de-conflict proposed active defense measures against ongoing law enforcement investigations and broader national security and intelligence community concerns. Companies would also have the option of asking the FBI to review their active defense plans. However, questions remain about precisely how these backstops would work.
Under the proposals in ACDC, companies hacking back could still face legal and financial risk. Section 4 states that “the defense against prosecution created by this section does not prevent a United States person or entity who is targeted by an active defense measure from seeking a civil remedy, including compensatory damages…”[iv]
The bill would sunset two years after its enactment.
American organizations should have more options to defend their networks and the government can certainly do more to help deter cyber attacks. From a higher level, the long-debated questions surrounding hacking back raise thorny and complex issues. Before contemplating active defense measures, organizations need to enlist appropriate technical guidance and legal counsel. This will help avoid creating additional problems for an organization already victimized by the initial cyber attack.
[i] See 18 U.S.C. § 1030 et seq.
[ii] See, e.g., Draft NSTAC Report to the President on Internet and Communications Resilience (Oct. 2017). (Urging the government to “[d]evelop an effective international cybersecurity strategy focused on raising the cost to attackers”) available at: https://www.dhs.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20President%20on%20ICR%20FINAL%20DRAFT%20-%20508%20compliant.pdf; and the President’s Commission on Enhancing National Cybersecurity Report on Securing and Growing the Digital Economy at 47 (Dec. 1, 2016) available at: https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf.
[iii] Draft NSTAC Report to the President on Internet and Communications Resilience (Oct. 2017) available at: https://www.dhs.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20President%20on%20ICR%20FINAL%20DRAFT%20-%20508%20compliant.pdf.
[iv] See H.R.4036 section 4.