WASHINGTON, D.C. – Today, Reps. Tom Graves (R-GA-14) and Josh Gottheimer (D-NJ-5) introduced the Active Cyber Defense Certainty Act (ACDC), a bipartisan bill that gives American businesses and consumers more tools to defend themselves online.
The bipartisan bill makes targeted changes to the Computer Fraud and Abuse Act (CFAA) to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers. Enacted in 1986, the CFAA currently prohibits individuals from taking any defensive actions other than preventative protections, such as anti-virus software. ACDC would likely be the most significant update to the CFAA since its enactment.
ACDC unties the hands of law-abiding defenders to use new techniques to thwart and deter attacks, while also providing legal certainty for industry experts to innovate. Specifically, ACDC gives authorized individuals and companies the legal authority to leave their network to:
- establish attribution of an attack,
- disrupt cyberattacks without damaging others’ computers,
- retrieve and destroy stolen files,
- monitor the behavior of an attacker,
- and utilize beaconing technology.
“Technology has outpaced public policy, and our laws need to catch up,” said Rep. Graves. “The status quo is unacceptable and it’s important that private sector organizations feel empowered to take a more active approach to their cyber defense. We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and held accountable for their crimes.”
“This bill gives specific, useful tools to fight back against cyberattacks that have cost Americans hundreds of millions of dollars, not to mention their personal privacy. There’s nothing partisan about protecting our families and businesses from these cyber hackers. I’m proud to cosponsor this important legislation with my good friend Congressman Tom Graves,” said Rep. Gottheimer.
The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network. Additionally, this would allow defenders to develop and deploy new tools to help deter criminal hacking.
Prior to acting, ACDC requires users to notify the FBI National Cyber Investigative Joint Task Force, and they must also receive a response from the FBI acknowledging the notification. These safeguards protect the user and ensures law enforcement is part of the conversation from the start. ACDC prohibits vigilantism, forbids physical damage or destruction of information on intermediary computers and prevents collateral damage by limiting the types of actions that could be considered active defense.
Rep. Graves introduced ACDC in the 115th Congress with nine bipartisan cosponsors. Upon reintroduction today, ACDC had 15 bipartisan cosponsors and counting.
During the Appropriations funding bill markup process this past month, Rep. Graves had successfully inserted bipartisan language promoting an active cyber defense included into the State and Foreign Operations; Financial Services and General Government; and Commerce, Justice and Science funding bills.
You can view the bill text here.
You can read more about ACDC here.