Most Significant Update of CFAA since 1986, Bipartisan Bill Empowers the American People to Defend Themselves Online
Washington, D.C. – As part of Cyber Security Awareness Month, Rep. Tom Graves (R-GA-14), along with Rep. Kyrsten Sinema (D-AZ-09), announced the formal introduction of the Active Cyber Defense Certainty Act (ACDC) (H.R. 4036) today, Friday the 13th. The bipartisan bill makes targeted changes to the Computer Fraud and Abuse Act (CFAA) to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.
The CFAA, which was enacted in 1986, currently prohibits individuals from taking any defensive actions other than preventative protections, such as anti-virus software.
Specifically, ACDC gives authorized individuals and companies the legal authority to leave their network to 1) establish attribution of an attack, 2) disrupt cyberattacks without damaging others’ computers, 3) retrieve and destroy stolen files, 4) monitor the behavior of an attacker, and 5) utilize beaconing technology. The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network. Additionally, allowing defenders to develop and deploy new tools will help deter criminal hacking.
Although ACDC allows a more active role in cyber defense, it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense.
This is likely the most significant update to the Computer Fraud and Abuse Act since its enactment in 1986.
“While it doesn’t solve every problem, ACDC brings some light into the dark places where cybercriminals operate,” said Rep. Tom Graves. “The certainty the bill provides will empower individuals and companies to use new defenses against cybercriminals. I also hope it spurs a new generation of tools and methods to level the lopsided cyber battlefield, if not give an edge to cyber defenders. We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and prosecuted.”
“I also want to thank the many people who provided feedback throughout the process of drafting this bill,” Rep. Graves continued. “The idea was improved with the help and expertise of many, and I hope each person, whether they support or oppose this approach, will stay engaged in the debate.”
“The Active Cyber Defense Certainty Act gives specific, useful tools to identify and stop cyberattacks that have upended the lives of hundreds of millions of Americans,” said Rep. Sinema. “The recent Equifax data breach shows that cyber vulnerabilities can have real financial and personal implications for Arizona families and businesses. It is our responsibility to find and advance solutions that safeguard the privacy of Arizonans while protecting the security of their data. I look forward to continuing thoughtful conversations as we move forward.”
The bill is the result of a lengthy feedback process, which began on March 3 when Rep. Graves introduced the first ACDC discussion draft. After incorporating feedback from the business community, academia and cybersecurity policy experts, including recommendations he received at his cybersecurity event in Atlanta, Rep. Graves introduced an updated discussion draft on May 25.
During the intervening period, Rep. Graves again solicited feedback and suggestions, which resulted in the final version of the bill introduced today.
Key changes to the bill that were made after the release of the second discussion draft are as follows.
- A voluntary review process that individuals and companies can utilize before using active-defense techniques;
  - This provision allows defenders to benefit from review of their proposed active-defense measures by the FBI Joint Taskforce, which will assist defenders in conforming to federal law and improving the technical operation of the measure;
  - The authority to conduct these reviews would exist under a two-year pilot program, and could be amended or renewed at a later date.
- Requires notification to the government for the use of active-cyber defense measures that go beyond beaconing;
- Clarification that the bill does not interfere with a person’s right to seek damages;
- Requires an annual report on the federal government’s progress in deterring cybercrime.
The updated legislation also makes other minor and technical changes.