Basic Provisions of the Active Cyber Defense Certainty Act
Under the ACDC, authorized individuals and companies will have the legal authority to venture outside their computer networks to:
- Establish the attribution (i.e., the nature, cause, and source) of an attack.
- Disrupt cyber-attacks without damaging the computer systems of the presumed assailant – or of any third party.
- Retrieve and destroy any files stolen during the course of an attack.
- Monitor the behavior of an attacker.
- Use “beaconing” technology.
Within this framework, individuals and the private commercial sector will be allowed to use and develop tools which are currently restricted under the CFAA in protecting their own networks, and adopt a more active role in cyber-defense.
An updated discussion draft of the ACDC was introduced by Rep. Graves on May 25, 2017. On the basis of further feedback and suggestions, alterations were added to the bill, including:
- A voluntary review process which individuals and companies can undergo before using so-called “active-defense” techniques.
- Opportunities for consultation with the FBI Joint Taskforce, enabling cyber-security defenders to better conform with federal law and improve the technical operation of their proactive measures.
- An obligation to notify the government of the use of active cyber-defense measures which go beyond beaconing.
- An affirmation that the bill does not interfere with a person’s right to seek damages.
Beacons and Dye Packs
Within the category of what it describes as “attributional technology”, the Active Cyber Defense Certainty Act authorizes companies and individuals to deploy tools which the Center for Cyber and Homeland Security (CCHS) Task Force itself describes as “beacons” and “dye packs”.
In the cyber-security sense, a “beacon” here is defined as:
“Pieces of software or links that have been hidden in files and, when removed from a system without authorization, can establish a connection with and send information to a defender with details on the structure and location of the foreign computer systems it traverses.”
Though often used interchangeably with “beacon”, a “dye pack” is given more aggressive attributes, in that:
“…cyber dye packs are often thought to not only be able to collect information on a hacker’s computer (similar to a beacon) but also to be able to have a destructive impact on their surrounding environment.”
Reporting and Reviews
The ACDC second draft stipulates that anyone wishing to deploy “active cyber defense measures” must first report to a multi-agency collective comprising representatives of the military and intelligence communities, known as the FBI NCIJTF (FBI National Cyber Investigative Joint Task Force).
As the legislation stands, this reporting process is little more than a formality, undertaken just before the launch of a counter-strike.
While seen as an opportunity for the victims of cyber-crime to get some tangible payback, the ACDC only allows retaliatory action against computers based in U.S. territory. Since it’s standard practice now for hacking assaults to be staged via remote servers (some or all of which may be located outside a nation’s borders), this may severely limit the scope of what’s possible on the part of the hapless victim.
Companies engaging in “active-defense” measures may also be held liable for any damage caused to third party computer users, whose systems may come within their line of fire.
ACDC is also limited to a two-year lifespan. Furthermore, if the bill is enacted into law, the U.S. Department of Justice will be required to address Congress once a year, detailing all reported cyber-activities carried out under the new statute.
There’s been something of a knee-jerk reaction to the Active Cyber Defense Certainty Act proposal – not least from Rep. Kyrsten Sinema on the positive side, who states that:
“The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications for Arizona families and businesses. It is our responsibility to find and advance solutions that safeguard the privacy of Arizonans while protecting the security of their data.”
Her colleague Rep. Tom Graves further states:
“The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.”