For years now, there has been a discussion surrounding the feasibility of active cyber defense, and allowing private entities or individuals to “hack back” against hostile cyber activity, but there has not been a major push in Congress to explicitly authorize such activity, or to propose changes or exceptions under the current legal and statutory framework that would enable it. But a proposal by Representatives Tom Graves (R-GA), Kyrsten Sinema (D-AZ), titled the Active Cyber Defense Certainty Act (ACDC) (H.R. 4036), is starting to change the conversation. The new draft legislation provides an exception to liability under the Computer Fraud and Abuse Act (CFAA) and, in essence, would authorize individuals or organizations to go into networks outside of their own to gather intelligence on hackers for attributional purposes. To date, the proposal has undergone at least three rounds of public scrutiny, after which, to the great credit of Graves’ office, the draft language has been updated, and it now takes into account some legitimate concerns and criticisms. Some of these critiques should be examined carefully, from both a policy and legal perspective, as the bill makes its way through committee.
Important Concerns Left Unresolved by the Updated Bill
The text provides at Sec. 4 (1) that “It is a defense to a criminal prosecution under this section that the conduct constituting the offense was an active cyber defense measure.” The term “active cyber defense measure” is defined as any measure
“(I) undertaken by, or at the direction of a defender; and (II) consisting of accessing without authorization the computer of the attacker to the defender’s own network to gather information in order to – (aa) establish attribution of criminal activity to share with law enforcement and other United States Government agencies responsible for cybersecurity; (bb) disrupt continued unauthorized activity against the defender’s own network; or (cc) monitor the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques.”
The term “defender” is defined as “a person or an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer”. (Emphasis added). As Robert Chesney at the University of Texas, Herb Lin over at Lawfare and others have noted, the word “persistent” is probably an effort to prevent invocation of ACDC by somebody who has experienced an intrusion that is only a nuisance on their computer network. However, the word “persistent” is not precise either. As Chesney noted, it could refer to the time on a network in relation to a particular intrusion, or to a series of intrusions, or both. How do we know what is enough to count as persistent? If an “attacker” bounces on and off a network over a period of time does this count as persistent? The term itself leaves room for interpretation.
The text defines the term “attacker” as “a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.” However, the draft legislation does not define what the “computer of the attacker” is. Chesney and Lin also had concerns with this language and previously noted that often times, there is more than one computer in an attack chain. How does one determine what the source of the intrusion is if there are multiple computers involved? The updated version of the draft proposal defines an “intermediary computer” as “a person or entity’s computer that is not under the ownership or primary control of the attacker but has been used to launch or obscure the origin of the persistent cyber-attack.” Nonetheless, it can still be difficult to decipher when such intermediary computers are under the control or ownership of the attacker, moreover, those types of “intrusions” on such intermediary computers can be brief as well.
This can be a problem for individuals and organizations who are considering the use of these tools against intermediary computers. For instance, the bill provides exceptions to liability protection when the defender does things that are explicitly listed as outside the definitional boundaries of ‘Active Cyber Defense’ measures. For instance, Active Cyber Defense measures do not include conduct that
(IV) intentionally exceeds the level of activity required to perform reconnaissance on an intermediary computer to allow for attribution of the origin of the persistent cyber intrusion; or (V) intentionally results in intrusive or remote access into an intermediary’s computer.
This is clearly an effort to limit the potential damage to innocent “intermediary computers” but reading sections (IV) and (V) together can also leave room for interpretation and confusion. Section (IV) is an attempt to set a precise limitation that access on an intermediary computer can only be for reconnaissance and attribution purposes, but how can a defender know if, pursuant to section (V), their action does not intentionally result in intrusive or remote access into such a computer? Does the word intrusive essentially mean “without permission”?
We also do not know what constitutes remote access. If section (V) prevents intrusive and remote access on an intermediary computer, does it effectively require private companies and individuals to get the consent of owners of intermediary computer networks before doing attributional reconnaissance? If so, how feasible is it that owners of “intermediary computer” networks would consent to such activity? If getting such consent is unlikely, does it defeat the purpose of the legislation entirely?
The inclusion of the word intentionally in sections (IV) and (V) is also an update from previous versions of the bill. The drafters may have sought to include this word to give defenders an added layer of assurance that their particular mens rea would be taken into account when determining whether liability protections apply. However, as Andrea Little Limbago, the chief social scientist at the cyber security firm Endgame, has noted at War on the Rocks, by adding this layer of assurance, the drafters have actually expanded the scope of what a defender can do on an attacker’s network. If a defender can escape liability by asserting they did not intend certain effects of their actions, they are likely to be willing to take more risks. The result, is that the drafters may have inadvertently increased the chances for escalation with the inclusion of this language. Moreover, as Little Lombago notes, there is a good possibility that defenders could use active cyber defense measures against the wrong machine. This would be especially true for if a novice defender is matched up against sophisticated cyber actors who have spent years developing deceptions within their attack code.
There are other listed exceptions to liability protection, such as when a defender: “creates a threat to the public health or safety” or when a defender’s action “intentionally results in the persistent disruption to a person or entities internet connectivity…” These, and other exceptions are good-faith efforts to limit the very real collateral damage concerns that can arise in “hacking back,” but there is still very little clarifying language about what these terms actually mean. For instance, what constitutes a threat to public health or safety? How do you define what a persistent disruption is? How broadly (or narrowly) could these terms be interpreted?
Critically, the bill also states that use of “active cyber defense measures” is a “defense” to criminal prosecution. But proponents of active defense are seeking authorization and total exemption from prosecution for taking defensive action. An affirmative defense will still permit the government to charge private parties with violating the CFAA and will require those parties to submit to litigation and to satisfy the affirmative defense before being exonerated. There is also a reminder in the bill that liability protection only extends to criminal prosecution. The bill explicitly states that “the defense against prosecution in this section does not prevent a United States Person or entity who is targeted by an active defense measure from seeking a civil remedy, including compensatory damages or injunctive relief…” This is an ominous cue that lawyers for companies or individuals seeking to use such measures would highlight very plainly. The bill also says nothing about states laws, many of which have similar prohibitions against hacking.
Also, the bill only amends the CFAA and says nothing about the electronic surveillance statutes such as the Wiretap Act, the Electronic Communications Privacy Act, and the Pen Register Trap and Trace statute. Because ACDC measures would likely involve infiltration and/or monitoring of an attacker’s network, such techniques would likely fall under the category of electronic surveillance, and be in violation of these other important federal laws. The bottom line is that it is not abundantly clear to a defender looking to use these techniques that they are not taking on undue legal risk.
There is however, new language in the latest proposal that includes a voluntary pre-emptive review by the FBI before using active cyber defense measures, which is a good step in alleviating these concerns. But does it go far enough? All that is required under the current proposal is that users of active cyber defense measures must notify the FBI of their intent to use such techniques. The pre-emptive review itself and actually getting the formal blessing of the FBI to take specified action is voluntary. It is probably safe to assume that some individuals/organizations would not wait for the formal blessing of the FBI, or in some cases exceed what was previously authorized given the nature of an intrusion and unforeseen developments related to it. Given the likelihood of unwanted second and third order effects when using these types of countermeasures, there is thus a great deal of danger that liability protections will not apply the way they are intended.
Additionally, as far as oversight is concerned, the draft proposal says very little. The new language regarding the voluntary FBI pre-emptive review effectively requires the FBI-led National Cyber Investigative Joint Task Force (NCIJTF) to build and set its own internal procedures to oversee this type of program and create further guidance/feedback for users of active cyber defense measures. One of the common concerns that led to the drafting of ACDC in the first place, is that the government does not have the resources to defend the entire private sector in cyberspace. While the latest proposal acknowledges that the FBI may decide how to prioritize the issuance of such guidance to defenders based on the availability of resources, it still begs the question, how strained will the FBI become in overseeing this type of program? And what would the specific mechanisms of oversight and guidance look like?
There is also an ancillary concern that the FBI pre-emptive review language presents. Kristen Eichensehr at UCLA’s School of Law noted in an earlier post here at Just Security that adding such language, and explicitly including the FBI in the process, implicates international law. “The FBI’s participation in the review process may trigger the U.S. government’s international legal responsibility for actions of private actors.” It follows that, “If the United States is responsible for international law violations committed by private actors, then international law permits aggrieved foreign governments to take countermeasures against the United States…” The potential for escalation here is therefore substantial. The bill could therefore constrain international cooperation and intensify the possibility of retaliation.
There is also nothing in the draft proposal that limits what types of individuals/entities could pursue such tactics. In its report on active cyber defense, titled “Into the Gray Zone,” George Washington University’s Center for Cyber and Homeland Security suggested that the U.S. might be better served by having a set number of highly skilled firms who are vetted and licensed to conduct active cyber defense. The current draft effectively allows anyone, so long as their activity falls under the excepted provisions of the statute, to take on a cyber-adversary. Are we comfortable allowing any company with an IT department to take on a nation-state?
Another big concern is the lack of uniformity among nations for how active cyber defense would be perceived and accepted around the world. Again, this is largely because certain types of countermeasures would be used on the networks and servers hosted by foreign nations. U.S. actors would be subject to foreign law when taking actions against computers outside our border. “Hacking back,” is illegal in most countries where U.S. actors would likely be operating. Under normal circumstances, the U.S. would honor an extradition request from affected nations where these types of countermeasures are expected to be deployed, absent a change in the law. If the U.S. were to ignore such requests or to change the law, we can expect foreign nations to retaliate in kind. Given the inherent vulnerabilities in our highly digitized society, this may not be strategically wise. Thus, the crucial question policymakers should be asking is whether we are comfortable allowing foreign actors/private entities to do on our own networks what we are proposing to authorize on theirs.
James Lewis at the Center for Strategic and International Studies has opposed hacking back and aggressive active cyber defense for these reasons and others. He has been quoted as calling the notion a “remarkably bad idea that would harm the national interest…and that encouraging corporations to compete with the Russian mafia or Chinese military hackers to see “who can go further in violating the law, is not a contest American companies can win.” Lewis also notes that the situation becomes awkward if/when the Chinese government, for example, catches a U.S. firm hacking back and requests an arrest warrant through Interpol for the Company’s CEO. Is the U.S. going to honor such a request? If not, Lewis asks, would cyber defenders be willing to take on the risk of traveling abroad under such circumstances? It is not hard to see another country, one that is not even an adversary, having similar concerns and/or make similar requests.
In the same article, Lewis also notes that allowing individuals and/or companies to engage in hacking back would essentially signal an abandonment of U.S. efforts to establish international norms against this type of activity. The same could also probably be said for engaging in activity that falls short of hacking back, but involves going onto foreign networks without consent. For years, the U.S. has pushed the idea that unauthorized hacking is illegal, and should not be done. It is worth asking: Would the ACDC implicitly contradict these efforts? By allowing companies/individuals to engage in this type of activity, Lewis points out that we would no longer be able to hold others who conduct such activity to account. The point is that the rules of the cyber battlefield would be potentially altered in ways that may not be desirable.
Alternative Options? Room for Improvement?
While the current bill includes a great deal of ambiguity, unresolved issues, and major policy implications, it is possible this Congress (and this administration) push forward on the issue and make active cyber defense the law of the land. The pace and severity of cyberattacks against private industry do not appear to be abating, and as the Equifax data breach, which affected more than 145 million Americans, has shown, it is directly impacting large portions of the population. If Congress pushes forward on ACDC, there are a few precise areas of the bill, in addition to the above criticisms, that should be addressed. This list is far from exhaustive, but can help move the discussion forward.
First, there should be an effort to build an international consensus regarding this type of activity. As the above analysis indicates, active cyber defense implicates some very serious questions when it comes to foreign policy and international law. If active cyber defense measures are going to be perceived as hostile by foreign nations, it befits the U.S. to signal to its allies (at the least) that it will be conducting this type of activity. Agreements with our adversaries on this issue are unlikely, but building some type of international norm with like-minded nations would be a positive step. This will be difficult, especially given how controversial active cyber defense is in the first place, but coming to some understanding about what is acceptable with our allies is better than going into this blind and hoping for the best. The updated bill’s exemption for “attributional technology” and its distinction from “active cyber defense” might be a good starting point for building a consensus with our allies on what is acceptable.
If getting an agreement in place at all is unlikely, another legislative option outside of active cyber defense altogether would be to build an international consensus on cross-border cyber investigations involving computer data. Mutual legal assistance reform has been written about extensively, here, here, and here, but this is one avenue where there is already broad agreement among private industry and foreign governments who are calling for change.
Second, to help guard against unwanted escalation and non-compliance with federal law, make the voluntary pre-emptive review by the FBI-NCIJTF mandatory. As mentioned above, the updated version of the bill requires the FBI to be notified when active cyber defense measures are undertaken, but it is voluntary for defenders to get a pre-emptive review of their techniques before they are deployed. Although, the bill requires the FBI to provide receipt of notification, it is unclear if the intent of this receipt functions as a clearing house for initial deployment of active cyber defense measures. The next draft of the bill can clarify this by specifying that all deployments of active cyber defense measures must be pre-approved. This would also help ensure that such measures are only deployed by qualified cyber operators with sophisticated capabilities. In order to get “left of boom,” and give defenders some assurance that they will not be hamstrung by a slow-moving review in the middle of an ongoing intrusion, the FBI can provide some clarity on what tools/techniques across the board are acceptable beforehand and do not need further scrutiny. To unburden the FBI with an inundation of requests, the language that specifies that the FBI “may decide how to prioritize requests based on availability of resources” should remain.
Third, clear up the definitional uncertainty. The ambiguity surrounding the terms “persistent” and “threat to public health or safety” (along with some of the other terms noted above) might be purposeful, as the drafters had ample time to address earlier criticisms of these terms, but it does not give would-be defenders the clarity that they would need to deploy their cyber tools. There should also be some clarification on how other federal statutes such as the Wiretap Act, the Electronic Communications Act, and the Pen Register Trap and Trace statute apply/do not apply to the ACDC legislation. If Congress actually wants people to start doing this, it must be clear what is and what is not acceptable and who actually qualifies for liability protection.
Finally, given all of the inherent complexities with active cyber defense, and the very real risks it presents, it is likely (and probably wise) that FBI-NCIJTF approval for certain active cyber defense measures and techniques will be very modest and conservative. And the government should be prepared to pull back on what is allowed when necessary. The public should be made aware of this reality as well, to guard against the possibility that an everyday software engineer goes toe-to-toe with the Iranian Revolutionary Guard Corps.
At the end of the day, whether ACDC can actually help in the ongoing cyber conflict is debatable. It is obvious, however, that ACDC, especially in its current legislative form, introduces a mass of very difficult ancillary legal and policy problems.
All statements of fact, opinion, or analysis expressed are the author’s alone and do not necessarily reflect the official positions or views of the Department of Justice or any other U.S. government agency. This article has been reviewed by the Department of Justice to prevent the disclosure of classified or otherwise sensitive information.