Until very recently, taking steps to strike back proactively at hackers has been a legally risky strategy for computer users in the United States. Specifically, the Computer Fraud and Abuse Act (CFAA) of 1986 prohibits individuals from taking retaliatory or defensive actions against hackers or cyber-criminals, other than preventative protective measures such as using anti-virus or anti-malware software.
But in October 2017 – as a part of the year’s Cyber Security Awareness Month – politicians Tom Graves (a Republican Party member of the U.S. House of Representatives, representing the state of Georgia) and Kyrsten Sinema (a Democratic Party Representative, from Arizona) formally introduced a new piece of legislation designed to extend the powers of victims of cyber-assault beyond the limits imposed by the CFAA.
This bill, known as the Active Cyber Defense Certainty Act (or ACDC), was the result of a lengthy feedback process initiated in March 2017. It continues to provoke debate, and in this article we’ll consider some of the pros and cons of its new approach.
Active Cyber Defense Certainty Act in a Nutshell
After a feedback process which started on March 3, 2017 and drew input from cyber-security policy experts, academics, and members of the business community, Rep. Tom Graves introduced the first discussion draft of the ACDC.
A bipartisan amendment to 18 U.S.C. 1030 (the Computer Fraud and Abuse Act or CFAA), the bill echoes the view of its co-sponsor Representative Kyrsten Sinema, who asserted that:
“The Active Cyber Defense Certainty Act gives specific, useful tools to identify and stop cyber attacks that have upended the lives of hundreds of millions of Americans.”
The new legislation is variously referred to as “Active Cyber Defense”, “Active Defense”, “strike back”, “hack back”, or “hacking back”, and seeks to enshrine in law the principle that victims of cyber-assault should be allowed the use of limited defensive measures extending beyond the boundaries of their network, in order to monitor, identify and stop their attackers.
Basic Provisions of the Active Cyber Defense Certainty Act
Under the ACDC, authorized individuals and companies will have the legal authority to venture outside their computer networks to:
- Establish the attribution (i.e., the nature, cause, and source) of an attack.
- Disrupt cyber-attacks without damaging the computer systems of the presumed assailant – or of any third party.
- Retrieve and destroy any files stolen during the course of an attack.
- Monitor the behavior of an attacker.
- Use “beaconing” technology.
Within this framework, individuals and the private commercial sector will be allowed to use and develop tools which are currently restricted under the CFAA in protecting their own networks, and adopt a more active role in cyber-defense.
An updated discussion draft of the ACDC was introduced by Rep. Graves on May 25, 2017. On the basis of further feedback and suggestions, alterations were added to the bill, including:
- A voluntary review process which individuals and companies can undergo before using so-called “active-defense” techniques.
- Opportunities for consultation with the FBI Joint Taskforce, enabling cyber-security defenders to better conform with federal law and improve the technical operation of their proactive measures.
- An obligation to notify the government for the use of active cyber-defense measures which go beyond beaconing.
- An affirmation that the bill does not interfere with a person’s right to seek damages.
Beacons and Dye Packs
Within the category of what it describes as “attributional technology”, the Active Cyber Defense Certainty Act authorizes companies and individuals to deploy tools which the Center for Cyber and Homeland Security (CCHS) Task Force itself describes as “beacons” and “dye packs”.
In the cyber-security sense, a “beacon” here is defined as:
“Pieces of software or links that have been hidden in files and, when removed from a system without authorization, can establish a connection with and send information to a defender with details on the structure and location of the foreign computer systems it traverses.”
Though often used interchangeably with “beacon”, a “dye pack” is given more aggressive attributes, in that:
“…cyber dye packs are often thought to not only be able to collect information on a hacker’s computer (similar to a beacon) but also to be able to have a destructive impact on their surrounding environment.”
Reporting and Reviews
The ACDC second draft stipulates that anyone wishing to deploy “active cyber defense measures” must first report to a multi-agency collective comprising representatives of the military and intelligence communities, known as the FBI NCIJTF (FBI National Cyber Investigative Joint Task Force).
As the legislation stands, this reporting process is little more than a formality, undertaken just before the launch of a counter-strike.
While seen as an opportunity for the victims of cyber-crime to get some tangible payback, the ACDC only allows retaliatory action against computers based in U.S. territory. Since it’s standard practice now for hacking assaults to be staged via remote servers (some or all of which may be located outside a nation’s borders), this may severely limit the scope of what’s possible on the part of the hapless victim.
Companies engaging in “active-defense” measures may also be held liable for any damage caused to third party computer users, whose systems may come within their line of fire.
ACDC is also limited to a two-year lifespan. Furthermore, if the bill is enacted into law, the U.S. Department of Justice will be required to address Congress once a year, detailing all reported cyber-activities carried out under the new statute.
There’s been something of a knee-jerk reaction to the Active Cyber Defense Certainty Act proposal – not least from Rep. Kyrsten Sinema on the positive side, who states that:
“The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications for Arizona families and businesses. It is our responsibility to find and advance solutions that safeguard the privacy of Arizonans while protecting the security of their data.”
Her colleague Rep. Tom Graves further states:
“The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders.”
From the Naysayers
Other analysts see the situation differently. Rather than enshrining in law a victim’s right to retaliate against their attackers with appropriate force, a recent tweet from the MalwareTech Blog account describes the ACDC proposal as:
“… basically the cyber version of being allowed to murder someone for entering your property.”
— MalwareTech (@MalwareTechBlog) October 13, 2017
Others have pointed out that the actual process of “hacking back” may easily taint valuable forensic evidence at the scene of an attack, evidence which might (if properly analyzed) yield more valuable results than a retaliatory strike. The resources expended in a strike back might also conceivably be better deployed in areas such as incident response, disaster recovery, and notification of those affected by the damage.
In a lengthy and considered discourse on the new bill, Information Security Researcher and consultant Dave Dittrich goes out of his way to emphasize the potential for “collateral damage” in the proposed retaliatory strikes – disruption or corruption of the systems of innocent third parties caught in the bandwidth sweep or network path of the tools and techniques deployed by certain organizations.
Analogies and Semantics
At least some of the potential problems stem from the suggestive language and not quite accurate analogies drawn in the wording of the Active Cyber Defense Certainty Act. Some allowance for popular sentiment can be made for terms like “attacker” and “victim”, which are in any case commonly heard in cyber-security discussion.
More problematic are the “beacons” and “dye packs” of the ACDC “attributional technology” recommendations. Unlike their real-world counterparts, and given the current state of cyber-security technology, a beacon designed to provide a feedback loop to the owner of stolen digital property would require a greater degree of calibration and fine targeting than might be practically feasible in order to remain within the guidelines of active defense as defined by the bill. The same applies to the digital equivalent of a dye pack.
The usage of terms such as “persistent intrusion” and “breach” as laid out in the draft may also preclude the use of active defense in the case of an organization which has suffered a Distributed Denial of Service attack.
The Debate Continues
It should of course be emphasized that the Active Cyber Defense Certainty Act has yet to become law. In addition to the limited (two-year) lifespan allocated to its draft form, there remains scope for further consultation and alterations to its text.
Those in the cyber-security profession will surely be hoping that their input and expertise is sought in fine-tuning the bill and lending operational credibility to its recommendations, before a final draft is submitted to the vote.