A bill that would allow victims of cybercrime to use active defense techniques to stop attacks and identify attackers has been amended to require victims to notify the FBI of their actions and also add an exemption to allow victims to destroy their data once they locate it on an attacker’s machine.
The Active Cyber Defense Certainty Act, drafted by Rep. Tom Graves (R-Ga.) in March, is designed to enable people who have been targets of cybercrime to employ certain specific techniques to trace the attack and identify the attacker. The bill defines active cyber defense as “any measure— (I) undertaken by, or at the direction of, a victim; and (II) consisting of accessing without authorization the computer of the attacker to the victim’s own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network”.
After releasing an initial draft of the bill in March, Graves held a public event in Georgia to collect feedback on the legislation. Based on that event and other feedback, Graves made several changes to the bill, including the addition of the notification of law enforcement and an exception in the Computer Fraud and Abuse Act for victims who use so-called beaconing technology to identify an attacker.
“The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of the intrusion,” the bill says.
Graves’s bill also includes a section that requires any defender who plans to use active defense measures to notify the FBI’s National Cyber Investigative Joint Task Force before doing so.
“Notification must include the type of cyber breach that the person or entity was a victim of, the intended target of the active cyber defense measure, the steps taken to preserve evidence of the attacker’s criminal cyber intrusion, as well as steps taken to prevent damage to intermediary computers not under the ownership of the attacker,” the bill says.
Graves said that after including the new provisions in the bill, he plans to introduce it on the floor of the House of Representatives soon.
“These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,” said Graves. “I look forward to continuing the conversation and formally introducing ACDC in the next few weeks.”