AC/DC Act: Good in Theory, Terrible in Practice
Last month, Georgia Congressman Tom Graves introduced H.R. 4036, the Active Cyber Defense Certainty Act (AC/DC Act). The legislation would permit certain “victims” of cyberattacks to engage in certain types of “active defense” or “hack back” free from both civil and criminal liability under the Computer Fraud and Abuse Act. It would also empower such victims, and those who work on their behalf (such as cyber forensics firms, incident response companies or even law firms or insurance companies) to engage in active measures to investigate the hackers, determine their identity and location and even to destroy them, or the data that they have stolen. It encourages these firms to rely more heavily on “self help” in these investigations rather than relying on the work of law enforcement, because—as the bill sponsor notes—”It is very difficult for law enforcement to respond to and prosecute cybercrime in a timely manner, leading to the existing low level of deterrence and a rapidly growing threat.” So what we need is more cyber-vigilantes.
Touch Too Much
The federal computer crime law currently makes it illegal to, for example, access a computer without authorization or exceed the scope of authorization to access a computer. Access, undefined in the statute, generally means to “use the resources” of the target computer. The law also forbids the causing of the transmission of a program, information, code or command and, as a result of such conduct, intentionally causing damage without authorization to a computer or computer data. To the extent that an active defense measure causes a program to run on the target’s computer without their knowledge or authorization or transmits a program that causes “damage” to the target (bad guy’s) computer, it may violate these provisions. It’s that “problem” that the AC/DC Act is trying to “fix.”
Back in Black (Hat)
Of course, there are “white hat” hackers, and there are “black hat” hackers. The AC/DC Act is an attempt to turn what otherwise would be a crime and a civil wrong into a lawful act depending on the intent of the actor. One of the provisions of the AC/DC Act would permit what is called “beaconing”—that is, placing a program or code on your computer with the knowledge and intent that the bad guy download the beacon, that the beacon then runs on the bad guy’s computer and sends the good guy the IP address, location or other data about the bad guy. Pretty freakin’ bueno, right?
In particular, the statute says:
“(1) This section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of an intrusion; if—
“(A) the program, code, or command originated on the computer of the defender but is copied or removed by an unauthorized user; and
“(B) the program, code or command does not result in the destruction of data or result in an impairment of the essential operating functionality of the attacker’s computer system, or intentionally create a backdoor enabling intrusive access into the attacker’s computer system.
“(2) DEFINITION.—The term ‘attributional data’ means any digital information such as log files, text strings, time stamps, malware samples, identifiers such as user names and Internet Protocol addresses and metadata or other digital artifacts gathered through forensic analysis.”
Cool … but, first of all, who decides who is a “defender?” Is there any requirement that the person or entity I want to “beacon” actually has committed an offense? How does this impact honeynets or honeypots? Can a “beacon” also be a keylogger? Can I install (or cause the installation of) a program that is designed to run on a target’s computer and transfer all of their files and capture all of their communications, as long as it doesn’t result in destruction of data or impairment of “essential” functionality? That leaves a lot of room for mischief—even by people trying to do the right thing. And remember, the Computer Fraud and Abuse Act is both criminal and civil—it allows you to sue someone for hacking into or abusing access to your computer or data. So this new statute would give both criminal immunity and civil immunity. Moreover, I am not aware of a single criminal prosecution for a victim of a crime using beaconing technology.
(Information Super)Highway to Hell
The AC/DC Act also creates something of a slippery slope—particularly with respect to botnets. Most botnets involve the infection and use of thousands, tens of thousands or millions of computers which, while infected with the botnet code, are themselves innocent bystanders to the offense. To the extent that the AC/DC Act allows individuals or entities to “hack back” and gather data on attackers, there is the potential that these attackers won’t be hooded millennials in Chechnya, but a mom-and-pop bookstore in Ann Arbor, Michigan, or a grandmother in Fort Lauderdale, Florida. Also, what if you design a beacon not to do harm but it does harm anyway? The AC/DC bill only gives you immunity if no harm occurs, not if no harm is intended.
Shoot to Thrill
The AC/DC Act would also give cover to companies that engage in “active defense” measures, immunizing them from criminal and civil liability. It would permit “defenders” to access the computer of the attacker without authorization if that is done to “establish attribution of criminal activity to share with law enforcement and other United States Government agencies responsible for cybersecurity” or to “disrupt continued unauthorized activity against the defender’s own network: or to monitor the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques.” Such measures would be immunized if they were non-destructive (although a defender would be permitted to destroy their own data on the attacker’s computer), didn’t result in a persistent disruption (DOS attack or ransomware, I assume), and didn’t result in harm to national security. Also, the defender would be required to notify the FBI in advance of the hack-back describing the type of cyberbreach that the person or entity was a victim of, the intended target of the active cyberdefense measure, the steps the defender plans to take to preserve evidence of the attacker’s criminal cyberintrusion, as well as the steps they plan to prevent damage to intermediary computers not under the ownership of the attacker and other information requested by the FBI to assist with oversight. They would also have to “receive a response from the FBI acknowledging receipt of the notification” prior to using the active defense measure.
But the AC/DC Act wouldn’t require the FBI to approve the measure. In fact, even if the FBI specifically disapproves the measure, and tells the “defender” not to do it, and warns them that they will be prosecuted for the measure, the AC/DC Act would give them criminal immunity. All it requires is notice and a return receipt.
Dirty Deeds Done Cheap
We are sympathetic to the fact that law enforcement can’t handle cybercrime alone and that “victims” want more tools to be able to do more than sit on their hands and wait for an attack. But vigilantism is not the answer. Too much can go wrong when we allow uncontrolled hacking back. What could be done is a controlled program, well-designed, to permit law enforcement or others to do targeted beaconing or investigation, subject to strict oversight and review. Remember that, for some purposes, hackers will consider themselves the defenders and take advantage of these immunity statutes. At the end of the day, we don’t want them to walk all over you.
