Congressman Tom Graves Introduces Active Cyber Defense Certainty Act

Cindy Morley

Thursday, June 20th, 2019

Congressman Tom Graves (R-GA-14) is concerned about criminal hackers in cyberspace.

The Republican Congressman from Ranger, GA, teamed with Democrat Congressman Josh Gottheimer (N.J.-05) to introduce a bipartisan bill that gives American businesses and consumers more tools to defend themselves online.

The Active Cyber Defense Certainty Act would allow authorized individuals and companies to go onto other networks in order to establish who is attacking them online, to disrupt a cyberattack as it is occurring, to retrieve or destroy stolen files, to utilize beaconing technology and to monitor the behavior of the malicious actor.

“Technology has outpaced public policy, and our laws need to catch up,” Graves said. “We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and held accountable for their crimes.”

According to information from Graves’ office, the bill makes targeted changes to the Computer Fraud and Abuse Act (CFAA) to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers. Enacted in 1986, the CFAA currently prohibits individuals from taking any defensive actions other than preventative protections, such as anti-virus software. ACDC would likely be the most significant update to the CFAA since its enactment.

The bill essentially unties the hands of law-abiding defenders to use new techniques to thwart and deter attacks, while also providing legal certainty for industry experts to innovate. Specifically, ACDC gives authorized individuals and companies the legal authority to leave their network to:

○ establish attribution of an attack,

○ disrupt cyberattacks without damaging others’ computers,

○ retrieve and destroy stolen files,

○ monitor the behavior of an attacker,

○ and utilize beaconing technology.

The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network. Additionally, this would allow defenders to develop and deploy new tools to help deter criminal hacking, according to information from Graves’ office.

However, ACDC requires users, before acting, to notify the FBI National Cyber Investigative Joint Task Force and to receive a response from the FBI acknowledging the notification. These safeguards protect the user and ensure law enforcement is part of the conversation from the start. ACDC prohibits vigilantism, forbids physical damage or destruction of information on intermediary computers and prevents collateral damage by limiting the types of actions that could be considered active defense.

The legislation was introduced during the last Congress but didn’t see action. It has 15 bipartisan co-sponsors beyond the two main sponsors.