In the USA, the Computer Fraud and Abuse Act (CFAA) of 1986 prohibits individuals from taking retaliatory/defensive actions against hackers or cyber-criminals, other than preventative protective measures such as using anti-virus software or anti-malware. So, anyone trying to strike back against the scammers is currently risking prosecution.

In October 2017 – politicians Tom Graves (Republican Party) and Kyrsten Sinema (Democratic Party) introduced a new piece of legislation designed to extend the powers of victims of cyber-assault beyond the limits imposed by the CFAA.

This bill, known as the Active Cyber Defense Certainty Act (ACDC), was the result of a lengthy feedback process initiated in March 2017 and it seeks to enshrine in law the principle that victims of cyber-assault should be allowed the use of limited defensive measures extending beyond the boundaries of their network, in order to monitor, identify and stop their attackers.

Basic Provisions of the Active Cyber Defense Certainty Act

Under the ACDC, authorized individuals and companies would have the legal authority to venture outside their computer networks to:

·         Establish the attribution (i.e., the nature, cause, and source) of an attack.

·         Disrupt cyber-attacks without damaging the computer systems of the presumed assailant – or of any third party.

·         Retrieve and destroy any files stolen during the course of an attack.

·         Monitor the behavior of an attacker.

·         Use “beaconing” technology.

Within this framework, individuals and the private sector will be allowed to use and develop tools which are currently restricted under the CFAA in protecting their own networks, and adopt a more active role in cyber-defense.

An updated discussion draft of the ACDC was introduced. On the basis of further feedback and suggestions, alterations were added to the bill, including:

·         A voluntary review process which individuals and companies can undergo before using so-called “active-defense” techniques.

·         Opportunities for consultation with the FBI Joint Taskforce, enabling cyber-security defenders to better conform with federal law and improve the technical operation of their proactive measures.

·         An obligation to notify the government of the use of active cyber-defense measures which go beyond beaconing.

·         An affirmation that the bill does not interfere with a person’s right to seek damages.

Beacons and Dye Packs

The ACDC authorizes companies and individuals to deploy tools which the Center for Cyber and Homeland Security Task Force describes as “beacons” and “dye packs”.

In the cyber-security sense, a “beacon” is defined as:

“Pieces of software or links that have been hidden in files and, when removed from a system without authorization, can establish a connection with and send information to a defender with details on the structure and location of the foreign computer systems it traverses.”

A “dye pack” is similar to a beacon but is given more aggressive attributes, such that it is able to have a destructive impact on its surrounding environment.

However, companies engaging in “active-defense” measures may be held liable for any damage caused to third party computer systems.

Tom Graves released an update to the initial Active Cyber Defense Certainty Act that intends to exempt victims of cyber attacks from being prosecuted for attempting to hack back at their attackers under the CFAA.

According to the proposed law, organizations would be exempt from prosecution if they alert law enforcement before committing such acts

Tracking the Cyber Criminals

It’s often not easy to identify the cyber criminals. Even a simple email can be misleading. E.g. you receive a scam email and trace the owner of the email account, but it may be that scammers hacked the account and the account holder is a victim. You cannot tell.

While in theory it might be useful to have highly skilled organizations authorized to perform some level of active defense, it may be difficult in practice to get the right balance between defending systems and active defense that can potentially damage the attackers systems or what appears to be the attackers systems.

Should private citizens be allowed to take the fight to the attackers? What do you think?

Go to the About page then Contact Us.

Articles on Fightback