By Katherine TeitlerHighway to hellIt’s the bad idea that just won’t die: The Active Cyber Defense Certainty (ACDC) Act. Earlier this month Representatives Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) issued an updated version of the proposed bill that would allow companies to take offensive action if a “persistent” and unauthorized cyber intrusion is identified. The bill’s stated aim is to counter some of the restrictions placed on companies by the antiquated and contentious Computer Fraud and Abuse Act (CFAA) of 1984, and to empower companies that have been victims of cyber crime to aid law enforcement in fighting cyber fraud and “related cyber-enabled crimes [that] pose a severe threat to the national security and economic vitality of the United States.” It’s a noble cause, to be certain, but the reality of the bill leaves ample room for interpretation and does not “[clarify] the type of tools and techniques that defenders can use that exceed the boundaries of their own computer network,” as promised. In fact, the language in the bill is so vague it could, theoretically, be used to prove that a victim company acted recklessly when actively “cyber defending” its own computer networks. Importantly, the bill then adds that any destruction, modification, or removal of information—even if the information found by the defender is its own—is prohibited. The defender-turned-aggressor may not cause any harm, install backdoors or remote monitoring capabilities, or disrupt the attacker-now -attacked organization’s systems or data. Tricky, isn’t it?
Living easy, living free
Before we go much further, though, let’s address the issue of active cyber defense, which is what the bill supposes to aid. In the security community, many have dubbed the ACDC Act the “hacking back” bill, but as Ed Moyle of Security Curve wrote so eloquently in his blog post, “Hack-Back is NOT Active Defense,” hacking back is…well, not the same as active defense. To summarize, active defense uses techniques and tools like beaconing, honeypots, and client hooks to catch criminals or would-be criminals. Hacking back would require the victim organization (who becomes the aggressor, since it’s now doing the attacking??) to gain unauthorized access to the organization that breached its network(s). The ACDC Act specifically lays out that acceptable active cyber defense measures include:“Accessing without authorization the computer of the attacker to the defender’s own network to gather information in order to:- Establish attribution of criminal activity to share with law enforcement and other United States Government agencies responsible for cybersecurity
- Disrupt continued unauthorized activity against the defender’s own networks
- Monitor the behavior of an attacker to assist in developing future intrusions prevention or cyber defense techniques.”



