From: Just Security
By Chris Cook
For years now, there has been a discussion surrounding the feasibility of active cyber defense, and allowing private entities or individuals to “hack back” against hostile cyber activity, but there has not been a major push in Congress to explicitly authorize such activity, or to propose changes or exceptions under the current legal and statutory framework that would enable it. But a proposal by Representatives Tom Graves (R-GA), Kyrsten Sinema (D-AZ), titled the Active Cyber Defense Certainty Act (ACDC) (H.R. 4036), is starting to change the conversation. The new draft legislation provides an exception to liability under the Computer Fraud and Abuse Act (CFAA) and, in essence, would authorize individuals or organizations to go into networks outside of their own to gather intelligence on hackers for attributional purposes. To date, the proposal has undergone at least three rounds of public scrutiny, after which, to the great credit of Graves’ office, the draft language has been updated, and it now takes into account some legitimate concerns and criticisms. Some of these critiques should be examined carefully, from both a policy and legal perspective, as the bill makes its way through committee.
Important Concerns Left Unresolved by the Updated Bill
The text provides at Sec. 4 (1) that “It is a defense to a criminal prosecution under this section that the conduct constituting the offense was an active cyber defense measure.” The term “active cyber defense measure” is defined as any measure
Leave a Reply