Why The Active Cyber Defense Certainty Act Is A Bad Idea

When it comes to the corporate victims of a data breach, empowering them to take active cyber defensive actions is not an idea whose time has come -- it’s just simply a bad idea.

It’s no secret that cybersecurity is a very big problem for companies. Information has become a valuable commodity to bad actors, and when it comes to IP, such information can be worth some serious Bitcoin. Most companies have taken notice, implementing technological information security measures as well as education programs for their employees to head off (or, more appropriately, hold off) potential social engineering attacks. Even the best of intentions, however, will not prevent potential data breaches. When a data breach occurs, it is natural for most companies to want to fight back, and if they could legally do so, even hack back. If a bill currently winding its way through Congress eventually becomes law, that is exactly what companies would be legally allowed to do. The problem is: should companies even do it?
The Active Cyber Defense Certainty (ACDC) Act (H.R.4036) is a bipartisan bill introduced in October 2017 by Congressman Tom Graves (R. – Ga) and Congresswoman Kyrsten Sinema (D. – Az) to amend the Computer Fraud and Abuse Act (CFAA). At its core, the CFAA prohibits the intentional accessing of a computer without authorization (or exceeding such authorization) and obtaining information from a “protected computer” involving interstate or foreign communications. As the CFAA in its current form prohibits unauthorized access to another’s computers (including those outside the US that affect interstate or foreign commerce or communications), any “hack back” by the corporate victim of a cyberattack would be prohibited. The ACDC would lift this restriction, allowing a company to implement active defensive measures to not only identify the attackers, but even destroy information originally stolen from their network. To some (including the bill’s sponsors), it’s a necessary tool for companies to protect their valuable information assets. To others (including this practitioner), it’s “cyber-vigilantism”, pure and simple.
There is a certain gratification to thinking that a company can legally strike back at its cyberattackers, especially when it comes to the theft of valuable IP.  Unfortunately, there are a host of reasons why this should not be done. First, whether companies have the skill set internally to effectively take affirmative countermeasures against cyberattackers is questionable.  Under the ACDC, a “defender” is defined as “a person or an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer” — the definition does not currently include third-party contractors who can be retained by companies.  In a field of zero-day exploits and targeted botnets, the technical proficiency required to effectively counter-attack hackers is high — it requires constant vigilance, significant expertise, and dedicated focus.  Most IT staff are not positioned to undertake such actions, and bolstering IT staff to do so as part of their existing responsibilities is simply not feasible.
Moreover, companies are finding it hard enough to layer defenses to actually prevent data breaches — developing staff with the toolsets to effectively counterattack hackers takes this to a whole other level. No offense, but if large companies like Yahoo and Equifax cannot properly prevent or contain their own data breaches, how can they be expected to take on organized cyberattackers on their own digital turf?

When it comes to a cyber intrusion, rarely is there one computer attacking a company’s systems directly, either — there is usually a network of servers controlled by the hackers (and in some cases, other companies’ servers that have been surreptitiously hacked to serve as proxies for the attack).  Any counterattack would need to implement tools to navigate back across this network of servers to get to the attacker without harming them in the process.  Any “hack back” under the ACDC, however, cannot reach beyond computers within the US — it limits such defensive measures to within the US.  If anything, such a limitation is telling hackers to make sure their attacks originate outside the US (and many do).
Even assuming that a company has the skillset to take on “hacking the hackers,” there is no guarantee that other computer systems will not be harmed in the effort either.  The ACDC makes any “active cyber defensive measure” a defense to any criminal prosecution under the CFAA.  Such measures, however, exclude a number of activities, such as where a defensive action “intentionally destroys or renders inoperable information that does not belong to the victim that is stored on another person or entity’s computer.”  Further, this defense does not apply to civil actions. As a result, companies face significant potential exposure for damages to computer systems owned by others as a result of taking such “active cyber defensive measures.”

From my perspective, the ACDC is well-meaning, but misses the mark for the time being. The likelihood that a company can actually “hack back” to retrieve or otherwise destroy its stolen information is remote at best. The bill’s supporters insist that such legislation is necessary because the number of cyberattacks is outpacing the federal authorities’ ability to respond, but that is a tough row to hoe. For example, if the number of convenience store burglaries in a jurisdiction is outpacing the ability of local law enforcement to stop them, should the owners be empowered to take matters into their own hands and be given the green light to “run down” such criminals to take back their stolen goods? Probably not, and for good reason. The ACDC should not be treated any differently.
As most cybersecurity professionals will tell you, it’s not a matter of if, but when a company suffers a data breach.  The ACDC is well-meaning, but ignores the fundamental fact that most responses to data breaches are simply not conducive to any “hack back” because they are usually identified sometime after the hack has occurred (and in certain instances, a fairly long time afterwards).  By the time any “active cyber defensive measure” can be taken, it is highly likely that the stolen information is long gone, or otherwise copied elsewhere, rendering any deletion or destruction moot.  When weighed against the amount of potential liability exposure (let alone additional personnel costs), the ACDC simply won’t have the impact its sponsors envision.  When it comes to the corporate victims of a data breach, empowering them to take active cyber defensive actions is not an idea whose time has come — it’s just simply a bad idea.

Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.