Cyberattacks have increased in scope and severity over the past few years, including the widespread WannaCry ransomware attacks and the Equifax breach in which the personal data of over 140 million people may have been stolen.  Due to the increasing number of breaches and the difficulties that law enforcement faces in responding to these events in a timely manner, a bill has been proposed in the U.S. Congress that seeks to empower private actors to use cyber defensive measures outside the boundaries of their networks.  Rep. Tom Graves (R-Ga.) introduced the Active Cyber Defense Certainty Act (the “Act”) to protect from criminal prosecution companies who use certain countermeasures against cyber intrusions.[1]  Whether or not this legislation is ultimately adopted, it highlights some of the unique difficulties in effectively addressing cybercrime and the ongoing efforts by the government to enlist the aid of the private sector.

The Act as proposed amends the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, which generally imposes criminal liability for intentionally accessing a computer without authorization resulting in damage.  The Act would permit the use of certain attributional technology to identify the source of a cyber intrusion and establish a defense to criminal prosecution for the use of specified types of active cyber defense measures with prior notification to the Federal Bureau of Investigation (“FBI”).  The proposed legislation also would create an FBI pilot program that would allow for advance review of active cyber defense measures and require annual reporting to Congress by the Department of Justice.

Attributional Technology Exception

Anonymity tools available to sophisticated users often complicate law enforcement’s efforts to identify the perpetrators of cybercrimes.  The Act creates an exception under the CFAA for the use of technology for attributional purposes “that beacons or returns locational or attributional data in response to a cyber intrusion,” as long as the technology does not destroy data on, intentionally enable backdoor access to, or impair the operation of the attacker’s computer system.  Under the Act, therefore, individuals and entities could, without running afoul of the CFAA, use programs on their systems that would attempt to “call home” with location or attribution information in the event that their data is stolen or copied during a cyberattack, and thus facilitate identification of the attacker.

Active Cyber Defense Measures

The Act also creates a defense to criminal prosecution for victims “of a persistent unauthorized intrusion” (a term undefined in the statute) who undertake an “active cyber defense measure” to access the attacker’s computer without authorization.[2]  The purpose of the countermeasure must be to (1) establish attribution of criminal activity to share with law enforcement, (2) disrupt the attacker’s continued unauthorized activity on the defender’s network, or (3) monitor the attacker in order to develop additional defense techniques.  To avoid collateral damage from the use of such measures, the Act does not protect from prosecution measures that intentionally access intermediary computers (such as innocent third-party computers that were infiltrated by the attacker and used to conduct the attack), destroy information that does not belong to the victim, recklessly cause physical injury or financial loss, create a threat to public safety, or impact certain government computers.

Cyber Defense Moving Forward

The use of active cyber defenses by the private sector has been the subject of intense discussion and debate in recent years, and some private entities have already begun to utilize such measures, particularly overseas. The Act is a bipartisan legislative attempt to encourage private action to counter the growth of cybercrime and assist law enforcement, but it has important limitations.

First, the Act does not preclude civil suits under the CFAA.  Accordingly, companies using active cyber defense measures could still be liable for compensatory damages or subject to equitable relief in civil lawsuits brought by third parties if the measures access third-party computers without authorization and cause certain types of adverse impacts.

Second, the Act does not exempt the use of active cyber defense measures or attributional technology from liability under other federal, state, local, or foreign laws, including electronic surveillance, hacking, or data privacy laws.  Due to the international nature of cybercrimes and the frequent use of international intermediary computers and proxies, the pursuit of cybercriminals often implicates multiple U.S. or foreign jurisdictions, each of which may have separate laws governing the treatment and access of certain data.  In fact, the prefatory findings warn that defenders “should also exercise extreme caution to avoid violating the law of any other nation where an attacker’s computer may reside.”[3] This gap creates a legal minefield that defenders must carefully navigate, if they can at all.

If the proposed legislation passes, it may ultimately encourage companies to engage in more active cyber defense.  Companies considering active cyber defense measures, however, should consult legal counsel to ensure compliance with all other applicable law and narrowly tailor the measures in order to avoid collateral damage that could trigger liability.

[1] H.R. 4036: Active Cyber Defense Certainty Act (ACDCA), available at https://www.congress.gov/bill/115th-congress/house-bill/4036/text.

[2] ACDCA § 4.

[3] ACDCA § 2(9).