A foundational Internet law passed about two decades before anyone used Facebook or Twitter may be on track for an update that would allow the private sector to fight back against hackers.
A bipartisan coalition in Congress is working to tweak the 1986 Computer Fraud and Abuse Act, which bans access to computers without their owner’s permission, and the reform effort has vague backing from the Trump administration.
Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Ariz., are leading the push with their Active Cyber Defense Certainty Act, introduced in October with co-sponsors including Rep. Trey Gowdy, R-S.C., an influential member of the House Judiciary Committee.
Graves expects a Judiciary Committee hearing and possible movement on the bill after resolution of the immigration legislative debate.
The ACDC Act would allow companies that have been hacked to access other computer networks to collect evidence, to disrupt cyberattacks, to destroy or retrieve files, to monitor the behavior of attackers, or to use technology that would inform victims of their files’ location.
The bill still has skeptics among experts fearful of unintended consequences, such as hacking the computers of fellow victims. But in response to concern about vigilantism, the legislation requires notifying the government before accessing a supposed attacker’s network.
The use of “beaconing” technology to locate files would not require prior notification to the government.
“We are providing the guardrails and the rules of the road, because this is currently happening,” Graves told the Washington Examiner. “If I had to sum it all up: The status quo is unacceptable, and people are yearning for a solution. Even just minor steps like we’re trying to provide here.”
The government, Graves said, doesn’t have “the resources or the ability or the breadth to manage all of the threats that currently exist at any given moment in our country.” He said he’s been in touch with the White House and Justice Department about his bill.
“Part of the president’s agenda has been cybersecurity,” Graves said. “They see this type of — and I don’t want to put words in their mouth — but they see it as outside-the-box thinking that provides a great opportunity for discussion and debate.”
In January, Homeland Security Secretary Kirstjen Nielsen told Sen. Orrin Hatch, R-Utah, at a hearing that “we do need to continue to work with the private sector to understand if there are any barriers that would prevent them from taking measures to protect themselves.”
A DHS official said Nielsen wasn’t necessarily talking about responsive hacking, the most controversial element of the bill, but that she does support review of the current law.
“As the secretary said, she is willing to work with Congress on the complicated issues of legal barriers that prevent active defenses,” the DHS official said, adding that “active defenses span a wide spectrum of activities and should not be treated as synonymous with ‘hacking back.’”
Experts, even those who believe the 1986 CFAA could benefit from an update, doubt the Graves bill will be an easy sell, though they expressed support for some reforms.
“One significant problem is that the ‘attacker’s computer’ is often an unwitting third party’s computer being used by the hacker,” said Luke Dembosky, a former cyber crime prosecutor at the Justice Department.
“This creates potential liability and other risk issues for victims who seek to gain remote access to that computer, which may be part of a hospital, university or company network,” said Dembosky, who co-chairs the cyber practice at the law firm Debevoise & Plimpton.
“Another complication is that the computer in question is often located overseas, and authorities in that jurisdiction may investigate the victim’s actions and request evidence from U.S. authorities about it, or refuse to honor U.S. requests for evidence about or extradition of the hacker,” Dembosky said.
Michael Daniel, cybersecurity coordinator at the White House from 2012 to 2017, said he’s concerned that foreign countries might respond with similar legal reforms to allow their citizens to access other computer networks to catch criminals.
“Then, China passes a law that says, ‘We authorize someone to intrude [into other computer networks] because you said bad things against the Chinese government, and that’s against the law,’” Daniel said.
“Just because there are some companies that have tried this doesn’t mean it’s a good idea,” he said. “You don’t want to necessarily legitimize it and provide it legal protection.”
The CFAA’s ban on unauthorized computer access “is a bright line we should maintain,” Daniel said. “Once we cross that line, you open yourself up to a lot of other circumstances where the cure may be worse than the disease.”
Daniel, now president of the Cyber Threat Alliance, said he emphasizes the use of encryption, but would support reforms to the CFAA to allow use of beaconing technology or add flexibility in criminal sanctions.
David Kennedy, a computer security expert who testified before Congress about Healthcare.gov vulnerabilities, also expressed doubt about the utility of successfully locating attackers through responsive hacking, but said he’s hopeful that there’s movement on the issue.
“I think from the CFAA perspective, it needs to be overhauled. … I do like that they are making modifications in that it defines what misuse of computer systems is and that it gives limited ability to go after attackers,” Kennedy said.
“I’m not a huge advocate of [‘hacking back’] because I think the focus needs to be on defense,” he said. “Regardless, any change to lighten what the CFAA has been used for in the past is a good step.”
This post originally appeared on Washington Examiner