New ‘Hack Back’ Legislation Makes Improvements and Raises New Questions

Active defense in cyberspace—otherwise known as “hacking back”—has recently emerged as a serious point of contention in cybersecurity policy. In early 2017, Rep. Tom Graves introduced a draft bill titled the “Active Cyber Defense Certainty Act” (ACDC 1.0). His concept was to amend the Computer Fraud and Abuse Act (CFAA) “to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.” Bobby Chesney and Herb Lin applauded Graves for introducing legislative text but cautioned that the proposal suffers from ambiguous language that fails to achieve the primary objective—clearly defining acceptable defensive techniques—while “opening the door to a host of unintended problems.”

Seven months later, Graves and Rep. Kyrsten Sinema have formally introduced in the House of Representatives a new version of the original concept. How does ACDC 2.0 rectify flaws in the original proposal, what questions does it leave open and what are the implications of its newest elements?

What Does the Bill Clarify?

Defenders Can Disrupt Attacks

Both Chesney and Lin read the original proposal as authorizing a defender to penetrate an attacker’s system to gather information and share it with law enforcement. But ACDC 1.0 does not expressly authorize defenders to take the next step and disrupt an attacker’s systems. Lin pointed out that the first bill’s language could be read to allow the victim only “to gather information from the attacker’s computer that can subsequently be used to disrupt the attack.” It is unclear who, if anyone, can engage in disruption.

ACDC 2.0 offers some clarification by splitting the original clause. The bill now defines an active cyber defense measure as accessing an attacker’s computer without authorization:

to gather information in order to—

(aa) establish attribution of criminal activity to share with [the U.S. government];

(bb) disrupt continued unauthorized activity against the defender’s own network; or

(cc) monitor the behavior of an attacker to assist in developing [defensive techniques].

In this way, ACDC 2.0 authorizes disruptive attacks by private parties against some attackers. It remains unclear, however, whether defenders can execute disruptive techniques inside systems that the attacker owns or controls.

Victims Cannot Encrypt Data

Chesney and Lin agreed that ACDC 1.0, which criminalized the destruction of data, might still allow defenders to encrypt data that belongs to an attacker. Neither took a stance on whether that was wise policy, but it now seems that Graves thinks not. ACDC 2.0 excludes from legal protection any conduct that “intentionally destroys or renders inoperable information that does not belong to the victim that is stored on another person or entity’s computer.”

Intermediary Computers Are Fair Game

The original ACDC-sanctioned defense measures aimed at “the computer of the attacker,” defining “attacker” as “the source of the persistent” attack. While Chesney assumed that this language authorized defensive measures against innocent third parties whose computers are commandeered by the attacker, Lin was “less convinced” and wanted clarity to incentivize discrimination by defenders.

The new bill is more precise. First, it defines an “intermediary computer” as one that is “not under the ownership or primary control of the attacker” but is used to launch the attack or hide its source. Then, it excludes from the law’s protection any activities on an intermediary computer that intentionally (a) exceed what is necessary to attribute the source of the attack or (b) result in “intrusive or remote access into an intermediary’s computer.” Of course, while the new language assists in interpretation, it raises new questions—namely, what constitutes “intrusive or remote access” that is not also the necessary reconnaissance needed for attribution?

Mens Rea Applies (Mostly)

In assessing the original proposal, Chesney suggested that the definition of “active cyber defense measures” appeared to set up a strict liability regime; whether a defender could escape culpability depended on consequences. If a defender launched an active defense operation that destroyed data, caused physical injury or created a threat to public safety, they could be held criminally liable even if they never intended to cause those events. The result could undermine the purpose of the bill, which is to promote active defense.

ACDC 2.0 partially addresses this concern. It now contains seven exclusions describing conduct that disqualifies a defender from mounting an affirmative defense to prosecution. Five of those exclusions apply only if the defender commits the described acts “intentionally.” The sixth exclusion, which encompasses activities that cause “physical injury or financial loss,” applies if the defender acts “recklessly”; intent is not necessary. The new bill does not attach a mens rea to the exclusions addressing threats to public health or safety.

Defenders Can Share Beyond than the FBI

Chesney thought ACDC 1.0 could be read to limit the sharing of cybersecurity information with law enforcement (meaning the FBI) only. The new bill expressly authorizes sharing with “with law enforcement and other United States Government agencies responsible for cybersecurity.” Considering how all U.S. government agencies are “responsible for cybersecurity” in one way or another, this blesses expansive information sharing.

What Does the Bill Leave Unclear?

No Clarification on “Persistence” or “Intrusion”

Both Chesney and Lin questioned the vagueness of the term “persistent.” Chesney pointed out it could “refer to dwell-time in relation to a particular intrusion or to a series of intrusions by the (apparently) same actor, or some combination of both.” As Lin noted, if an attacker used different techniques for consecutive attacks, would they amount to a persistent attack? Both wanted a clearer definition.

Additionally, Chesney and Lin disagreed over whether ACDC 1.0 applied to distributed denial-of-service (DDOS) attacks. Chesney reasoned that the term “intrusion,” without more, would appear to exclude coverage for DDOS attacks. Lin, however, argued that a DDOS attack does technically constitute an intrusion, because the associated flood of packets is received by the victim.

ACDC 2.0 does not illuminate the terms “persistent” or “intrusion.” The omission is especially noteworthy given that Graves and Sinema, by their own account, drafted ACDC 2.0 only after reviewing a wide range of expert feedback on ACDC 1.0. This suggests that both members intentionally left these terms ambiguous.

No Clarification on Public Health or Safety

The original proposal and the new ACDC 2.0 exclude from protection conduct that “creates a threat to public health or safety.” Chesney approved of this concept but suggested it could be improved by an “extensive treatment on this point that tries to spell out in far greater detail what might be covered.” ACDC 2.0 does not elucidate this matter.

What Are the Major Additions?

The bill has three new components not found in the original proposal.

A Total Exemption for Attributional Technologies

Section 3 of the bill amends the CFAA to completely exempt limited use of “attributional technology,” defined as a “program, code, or command . . . that beacons or returns locational or attributional data” to identify the source of a persistent attack. Attributional code or functions must originate on the defender’s computer, and they cannot destroy any data on an attacker’s system, impair essential functions or “intentionally create a backdoor enabling intrusive access.”

The bill’s distinction between “attributional technology” and “active cyber defense measures” is the most significant contribution yet to the debate on hacking back. It would settle an enduring question: Does a defender obtain “unauthorized access” into an attacker’s system when such access is achieved only because the attacker illegally absconded with code, which automatically provides a means for the defender to monitor the attacker, and nothing more? It appears that Graves and Sinema want to dispense with the endless legal and technical arguments on either side, and remove the handcuffs on defenders when it comes to pure attribution.

The implication is that attribution poses so little risk and holds so much value to the cybersecurity ecosystem that it does not merit scrutiny by law enforcement. By exempting this limited set of activities from the entire scope of the CFAA, the bill serves to foster innovation in attributional techniques by removing the cloud of potential criminal charges—a cloud that would remain over those who utilize active cyber defense measures to destroy stolen data. (The bill creates an affirmative defense for active defense measures; it does not exempt active defenders from culpability entirely.)

The FBI Gets a Vote

ACDC 2.0 requires defenders to notify the FBI National Cyber Investigative Joint Task Force (NCIJTF) prior to using an active cyber defense measure. Critically, the FBI (not the NCIJTF) must provide receipt of the notification to the defender before the defender may deploy the relevant measure. This provision effectively grants a veto to the FBI. If FBI leadership disapproves of a given operation, they can simply refuse to issue the receipt. The bill includes no standard of review or timeline compelling the FBI to act. Some observers will approve of language that empowers FBI officials to exercise plenary authority over hacking back—particularly where national security equities dictate caution. Again, that would seem to undermine the ostensible purpose of the bill.

Voluntary Preemptive Review by the FBI

ACDC 2.0 directs the FBI to create a pilot program by which defenders can submit to the National Cyber Investigative Joint Task Force (NCIJTF) any plans for active defense measures. The FBI and component agencies may choose to review the plans and suggest changes to increase the likelihood of success and maximize the probability that it will comply with federal law. The bill expressly states that the FBI “may decide how to prioritize the issuance of such guidance to defenders based on the availability of resources.”

This section raises significant questions. If time permits for government review, and the government obtains details sufficient to offer technical recommendations, why should the U.S. government sanction an operation it could conduct alone? Will the FBI leadership—and other NCIJTF members—oppose playing such an unusual role? If enacted, this bill would create the only process I know with which private parties can ask for a preemptive legal review of potentially criminal conduct. It is difficult to imagine career agents blessing such an arrangement.

What About State Law?

ACDC 2.0 does not preempt state computer crime laws, many of which resemble the CFAA. (In some cases, they are broader.) Notwithstanding the fate of the bill, companies and individuals will have to consider whether the conduct it promotes would violate state criminal codes.