Bill Would Legalize Active Defense Against Hacks

A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack.
Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.
Under the definition in the bill:
“the term ‘active cyber defense measure’—  ‘‘(i) means any measure—  ‘‘(I) undertaken by, or at the direction of, a victim; and ‘‘(II) consisting of accessing without authorization the computer of the attacker to the victim’ own network to gather information in order to establish attribution of criminal activity to share with law enforcement or 26 to disrupt continued unauthorized activity against the victim’s own network”.
The proposed legislation includes the caveat that victims can’t take any actions that destroy data on another person’s computer, causes physical injury to someone, or creates a threat to public safety. The concept of active defense has been a controversial one in the security community for several years, with many experts saying the potential downside outweighs any upside. Not to mention that it’s generally illegal.
Graves is attempting to change that with his new bill.
“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Graves.  “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”
Graves proposed the new bill on Friday.
Image: Karl-Ludwig Poggemann, CC By license.