An updated version of the Active Cyber Defense Certainty Act (ACDC) or Hack Back bill, introduced today by Rep. Tom Graves (R-Ga.) would require mandatory reporting by entities “that use active-defense techniques, which will help federal law enforcement ensure defenders use these tools responsibly” and includes a “sunset clause to ensure that Congress revisits the changes made by the bill after two years to make any further updates or modifications.”
The bill, which would give cyberattack victims the go-ahead to retaliate against their attackers, was modified to include an exemption that would allow a victim to recover or destroy their own data located through active-defense techniques sanctioned by the bill provided it data belonging to another person is not destroyed in the process.
Graves, after soliciting comment from the business community, lawmakers, cyber policy pros and academics, finetuned the proposed legislation to include clarification that financial injury is forbidden and expands the definition of “'active cyber defense' actions taken to monitor an attacker in order to help develop better cyber defense techniques” as well as providing additional safeguards for intermediary computers to reduce or eliminated collateral damage. The new iteration also includes “a specific exception in the Computer Fraud and Abuse Act (CFAA) for beaconing technology.”
The Georgia lawmaker has claimed that if in play the proposed legislation would have prevented the recent WannaCry attacks. While the revised bill is an improvement over earlier efforts, it's not without its shortcomings.
“This type of bill is far better than prior attempts that tried to create remedies for victims to recover against attackers (who can never be found and, thus, the protection illusory),” said Mike Overly, a Los Angeles-based cybersecurity attorney at Foley & Lardner LLP.
But Overly said while “being more proactive would certainly be useful” any such “efforts must be done responsibly and serious thought put into the ramifications if those efforts, themselves, cause harm to innocent parties.”
This type of bill, he said, “tends to induce businesses to ‘take their eye off the ball,' which is better securing their systems from the outset” and might not be necessary to prevent something like WannaCry.
“Recall that the overwhelming majority of the WannaCry attacks could have been prevented in their entirety simply by adhering to decades old, basic security procedures: promptly implementing security patches,” said Overly. “So while it is useful to think of attacking the attackers, the reality is that those efforts may have very limited real-world effect (e.g., hackers don't all launch their attacks from the same servers or even the same geographic location). So, a defensive attack may result in nothing more than shutting down one server of thousands being used to launch malware.”
Overly suggested that “promptly implementing security patches and thoroughly training personnel” would be more useful. “If just those two areas are addressed, every business of every size and of ever type could dramatically improve their protection,” he said. “Weigh that against using limiting budgets and resources to try to preemptively attack attackers – an unproven strategy, at best.”