H.R. 3270

…also known as the Active Cyber Defense Certainty Act (ACDC), will, if it becomes law, allow victims of hacking to execute self-defense outside of their networks. The essence of this bill was originally introduced in 2017 as H.R. 4036, which subsequently died in committee. Now it is back with new sponsorship and seems to be gaining both support and enthusiasm for the new privileges it would give to cyber defenders.

The draft legislation introduces the concept of “beacons.” This allows a defender to put camouflaged snippets of code, files, or artifacts in their storage and application systems. Once stolen, this code can activate on the cyber attackers’ computers to record identifying information, appraise the victim of the theft and location of their proprietary data, and more. The beacon language frames out exclusion from any prosecution under the CFAA.

Today this is illegal per the 18 U.S. C 1030 entitled Computer Fraud and Abuse Act (CFAA). You currently cannot access a computer without authorization or exceed authorized access. You cannot damage it, take files from it, or pretty much do anything that the hackers might have already done to you. The Active Cyber Defense Certainty Act might change all of that.

Normally the concept of a beacon would be a clear violation of the CFAA, but the draft bill language seems to provide a “get out of jail free” card (or, better said, a never-go-to-jail-in-the-first-place card) to cyber defenders within some narrow and explicit confines of behavior. As defined in the bill, a beacon must elicit locational or attributional data, must come from the cyber defenders systems, and must not destroy data or functionality in the cyber attacker’s system. Finally, and importantly, the beacon cannot set up a backdoor so that the defender has intrusive access to the cyber attacker’s system.

It appears that the ACDC would allow Active Cyber Defense Measures against a cyber attacker’s systems. This allows a cyber defender to access the computer of the attacker without any authorization. Active Cyber Defense Measures would include the establishment of attribution for criminal activity, the disruption of unauthorized activity against the defender’s own network, and the monitoring of the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques.

On the other side of the Active Cyber Defense Measures, there are still many gotchas and restrictions spelled out explicitly in the draft document. They include:

  • You cannot intentionally destroy someone else’s data, although accidental destruction appears okay. This seems like a gray area.
  • You cannot recklessly cause physical injury or financial loss above a $5,000 threshold.
  • You cannot create a threat to public health or safety.
  • Active Cyber Defense Measures that impact an intermediary computer cannot go beyond reconnaissance on that computer.
  • Limits to intrusive or remote access into an intermediary’s computer. This seems a bit contradictory – the government is trying to ensure that the defensive hacking is limited in scope.
  • You cannot disrupt someone’s internet access on a persistent basis.
  • You cannot impact any computers involving national defense, government systems, law enforcement systems, or national defense systems. If any of these systems are part of the cyber attackers outreach into your systems, that would mitigate your ability to utilize the ACDCA.

There are also notification requirements prior to the use of Active Cyber Defense Measures that must go to the FBI National Cyber Investigative Joint Task Force (FBI NCI-JTF), including a requirement for the receipt of confirmation from the Task Force. The law also would also establish the ability for the FBI and other agencies to provide input on how the Active Cyber Defense Measures might be technically improved and to provide commentary as to how it would best remain compliant with the seven restrictions noted above.

Consider the tools you would want to have ready in the event that this pending legislation becomes law. Deception technology might gain and automate new enhancements to embed beacons across your entire enterprise. Think about it. The theft of these deception beacons could trigger software that identifies the attacker and transmits that information back to you. Deception technology can wrap it up with a bow for you.

Impossible, you say? Don’t be so sure. One of the key premises of the Active Cyber Defense Certainty Act is that the government has still been unable to deal with the large volume of computer hacking and malicious behavior. If this legislation becomes law, they are giving you a limited, but powerful, set of permissions to take matters into your own hands.

Find out more about Acalvio and how deception technology can help you reduce risk and maintain compliance. We’d be pleased to introduce you to our latest technology and share information about customers that have used Acalvio ShadowPlex to protect the most sensitive enterprise and government networks.