Stanford CIS

Would the United States Be Responsible for Private Hacking?

By Kristen Eichensehr on

Rep. Tom Graves (R-GA) and Rep. Kyrsten Sinema (D-AZ) introduced the Active Cyber Defense Certainty Act (H.R. 4036) in the House of Representatives on Oct. 13. The bill would amend the Computer Fraud and Abuse Act (CFAA)—the main federal statute that governs computer hacking—effectively to allow victims of certain cyber intrusions to take defensive measures that would otherwise violate the CFAA’s prohibitions on unauthorized access to computers.

Although Graves has been circulating drafts of the bill since last spring (see here and here), the version introduced on Friday includes a new section that creates a procedure by which entities considering taking “active cyber defense measures” can submit their plans in advance to the FBI National Cyber Investigative Joint Task Force. This procedure is designed so that “the FBI. . . can provide its assessment on how the proposed active defense measure may be amended to better conform to Federal law . . . and improve the technical operation of the measure” (Sec. 6(b)). While this review may decrease some concerns about vigilantism by private parties, it may create a new problem: making the U.S. government responsible for private hacking as a matter of international law.

The Active Cyber Defense Certainty Act would make a number of changes to the CFAA. First, it would clarify that the CFAA’s prohibitions on unauthorized access do not apply to the use of “beaconing” technology (Sec. 3). In other words, a company, for example, could have data on its system that is designed to “beacon” back its location if it is removed from the company’s system by a hacker. Second, the bill would create a defense to CFAA prosecution for a “defender”—“a person or an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer”—who takes an “active cyber defense measure” as defined in the statute. Such measures could include accessing the computer of whomever attacked the “defender” for specified purposes, so long as such access avoids certain redlines, including destroying “information that does not belong to the victim that is stored on another person or entity’s computer” and “creat[ing] a threat to the public health or safety” (Sec. 4). Section 5 of the bill requires “defenders” to notify the FBI National Cyber Investigative Joint Task Force about the nature of any planned active cyber defense measure before the measure is deployed, and Section 6 creates the “voluntary preemptive review” process described above, whereby the defender can submit planned measures to the FBI and receive feedback. Later sections of the bill require the Department of Justice to report to Congress annually on, among other things, the number of cybercrime cases, active cyber defense notifications filed, and voluntary preemptive reviews undertaken (Sec. 7). Importantly, the bill’s final section (Sec. 9) includes a two-year sunset clause.

Read the full post at Just Security.