Paulding County’s congressman recently introduced legislation designed to allow computer users to more easily defend against cyber-criminals.
District 14 U.S. Rep. Tom Graves, R-Ranger, announced the formal introduction of H.R. 4036, the Active Cyber Defense Certainty Act, on Oct. 13.
Introduced during Cyber Security Awareness Month, Graves is cosponsoring the legislation with U.S. Rep. Kyrsten Sinema, D-Arizona.
The bipartisan bill makes targeted changes to the federal Computer Fraud and Abuse Act (CFAA) to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.
The Computer Fraud act, which was enacted in 1986, currently prohibits individuals from taking any defensive actions other than preventative protections, such as anti-virus software.
Specifically, the Active Cyber Defense Act gives authorized individuals and companies the legal authority to leave their network to:
• Establish attribution of an attack,
• Disrupt cyberattacks without damaging others’ computers,
• Retrieve and destroy stolen files,
• Monitor the behavior of an attacker,
• Utilize beaconing technology.
The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network. Additionally, allowing defenders to develop and deploy new tools will help deter criminal hacking.
Although the bill allows a more active role in cyber defense, it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.
Graves said this is likely the most significant update to the Computer Fraud and Abuse Act since its enactment in 1986.
“While it doesn’t solve every problem, (the bill) brings some light into the dark places where cybercriminals operate,” Graves said. “The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals.
“I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders. We must continue working toward the day when it’s the norm — not the exception — for criminal hackers to be identified and prosecuted.
“I also want to thank the many people who provided feedback throughout the process of drafting this bill,” Graves said. “The idea was improved with the help and expertise of many, and I hope each person, whether they support or oppose this approach, will stay engaged in the debate.”
Sinema said the Active Cyber Defense Certainty Act “gives specific, useful tools to identify and stop cyberattacks that have upended the lives of hundreds of millions of Americans.”
“The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications for Arizona families and businesses. It is our responsibility to find and advance solutions that safeguard the privacy of Arizonans while protecting the security of their data. I look forward to continuing thoughtful conversations as we move forward.”
However, reporter Joe Uchill wrote in The Hill that, "Many people working in the cybersecurity field worry that hacking back will create more problems."
The publication, which covers Capitol Hill in Washington, stated in a news story about the bill's introduction that traditionally "the phrase 'active defense' is used to describe measures that slow hackers through deception or movement of files — not hacking an attacker."
Jen Ellis, vice president of community and public affairs at the security firm Rapid7. told The Hill that, "There's a very pragmatic question — can you reasonably expect someone to go guns blazing and not harm the wrong computers?
"It is easy to inadvertently damage systems, lots of attacks leverage third-party assets that were also hacked, and the vast majority of us don't have the resources to properly attribute a hacker and go after the correct system."
Graves said the bill is the result of a lengthy feedback process, which began on March 3 when he introduced the first discussion draft. After incorporating feedback from the business community, academia and cybersecurity policy experts, including recommendations he received at his cybersecurity event at Georgia Tech in Atlanta, Graves introduced an updated discussion draft on May 25.
During the intervening period, Graves again solicited feedback and suggestions, which resulted in the final version of the bill introduced today.
Key changes to the bill that were made after the release of the second discussion draft are as follows.
• A voluntary review process that individuals and companies can utilize before using active-defense techniques.
This provision allows defenders to benefit from review of their proposed active-defense measures by the FBI Joint Taskforce, which will assist defenders in conforming to federal law and improving the technical operation of the measure. The authority to conduct these reviews would exist under a two-year pilot program, and could be amended or renewed at a later date.
• Requires notification to the government for the use of active-cyber defense measures that go beyond beaconing;
• Clarification that the bill does not interfere with a person’s right to seek damages;
• Requires an annual report on the federal government’s progress in deterring cybercrime.
For a two-page summary of the bill, visit: https://tomgraves.house.gov/uploadedfiles/17_10_11_acdc_description_q-a.pdf.