Earlier this month Rep. Graves (R,GA) introduced HR 4036,
the Active Cyber Defense Certainty Act. The bill would amend 18
USC 1030, according to a Graves press
release, “to allow use of limited defensive measures that exceed the
boundaries of one’s network in order to monitor, identify and stop attackers.”
Attributional Technology
Section 3 of the bill would add a new paragraph (k) to §1030 that introduces the
concept of ‘attributional technology’. It defines the term as “any digital
information such as log files, text strings, time stamps, malware samples, identifiers
such as user names and Internet Protocol addresses and metadata or other
digital artifacts gathered through forensic analysis” {new §1030(k)(2)}.
The new paragraph would exempt the use of attributional
technology from prosecution under §1030
when used by “a defender who uses a program, code, or command for attributional
purposes that beacons or returns locational or attributional data in response
to a cyber intrusion in order to identify the source of an intrusion” {new §1030(k)(1)}. The ‘program,
code or command’ must have been removed from the defender’s computer by the
unauthorized user being attributed. Further the ‘program, code or command’
cannot “result in the destruction of data or result in an impairment of the
essential operating functionality of the attacker’s computer system, or
intentionally create a backdoor enabling intrusive access into the attacker’s
computer system” {new §1030(k)(1)(B)}.
Active Cyber Defense
Section 4 of the bill would add a new paragraph (l) to §1030 that introduces the
concept of ‘active cyber defense’. The term is defined as actions taken by (or
at the direction of) a defender that consist of accessing, without authorization, the
computer of the attacker of the defender’s own network in order to gather information to {new
§1030(l)(3)(B)(i)(II)}:
• Establish attribution of criminal
activity to share with law enforcement and other United States Government agencies
responsible for cybersecurity;
• Disrupt continued unauthorized
activity against the defender’s own network; or
• Monitor the behavior of an attacker to assist in
developing future intrusion prevention or cyber defense techniques.
The definition goes on to exclude any actions that {new §1030(l)(3)(B)(ii)}:
• Intentionally destroys or renders
inoperable information that does not belong to the victim that is stored on
another person or entity’s computer;
• Recklessly causes physical injury
or financial loss as described under subsection (c)(4);
• Creates a threat to the public
health or safety;
• Intentionally exceeds the level
of activity required to perform reconnaissance on an intermediary computer to
allow for attribution of the origin of the persistent cyber intrusion;
• Intentionally results in intrusive
or remote access into an intermediary’s computer;
• Intentionally results in the
persistent disruption of a person’s or entity’s internet connectivity resulting
in damages as defined under §1030(c)(4);
or
• Impacts any computer described
under §1030(a)(1) (computers holding national security information) or under
§1030(c)(4)(A)(i)(V) (a computer system used by or for a Government entity in
furtherance of the administration of justice).
Section 5 of the bill adds a new paragraph (m) to §1030 that further limits
the use of an ‘active cyber defense’ by requiring advance
notification of its use to the FBI. Approval is not required, but
acknowledgement of receipt is a prerequisite for the use of ‘active cyber
defense’ measures. The notification would be required to include {§1030(m)(2)}:
• The type of cyber breach that the
person or entity was a victim of, the intended target of the active cyber
defense measure, the steps the defender plans to take to preserve evidence of
the attacker’s criminal cyber intrusion;
• The steps they plan to take to prevent
damage to intermediary computers not under the ownership of the attacker; and
• Other information requested by
the FBI to assist with oversight.
Other Provisions
Section 6 of the bill would require the FBI to establish a
program “to allow for a voluntary preemptive review of active defense measures”
{§7(a)}. It would
provide for the review to provide an assessment of “how the proposed active
defense measure may be amended to better conform to Federal law, the terms of
section 4 [new §1030(l)],
and improve the technical operation of the measure” {§7(b)}.
Section 7 of the bill would provide for the obligatory
report to Congress.
Section 8 of the bill would require the Department of
Justice to update its ‘‘Prosecuting Computer Crimes Manual’’ to reflect the changes
made by this legislation.
Section 9 of the bill would provide for a two-year sunset
provision; removing the changes to §1030
two years after the bill is enacted.
Moving Forward
Neither Graves nor his cosponsor {Rep. Sinema (D,AZ)} is a
member of the House Judiciary Committee to which this bill was referred for
consideration. That means that it is unlikely that the bill will be considered
in that Committee.
A number of attempts have been made to amend §1030 over the last
couple of sessions (see for example here)
carving out exemptions to the provisions of the statute. There is a natural
legislative inertia when it comes to changing criminal law. I expect that the
same inertia would apply to this bill, above and beyond the lack of influence
that the sponsors have to move the bill forward.
Commentary
This bill received lots of attention in the press (see here,
here
and here
for example) when it was introduced, but it seems that many have missed an important
component of the legislative requirements: any tool used to ‘hack back’ would
have to be extracted from the defender’s computer by the attacker. The defender
would have to construct a honey-target (smaller than a honey-pot) file that the
attacker downloads from the defended system. That file would include some sort
of communications protocol that would send information back to the defender
providing attributional information on the attacker.
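The kind of honey-target the paragraph above describes can be quite small. The following is an added example, not code from the bill, the sponsors or this post: the defender mints a signed token, embeds it in a decoy file whose only active content is a one-pixel remote image, and later turns web-server hits on that image URL into attribution records of the sort the bill enumerates (IP address, time stamp, user agent, and which file phoned home). The beacon host name, the HMAC key, and the log lines are constructed for the example. Note the limits this design respects: nothing executes on the attacker’s machine beyond an ordinary fetch, so no data is destroyed and no backdoor is created. Note also the caveat the rest of the commentary turns on: the IP address you get is that of whatever opened the file, which may be a sandbox, a VPN exit or an intermediary rather than the attacker’s own system.

```python
"""Passive 'honey-target' beacon: mint a signed token, embed it in a decoy
file, and convert beacon hits into attribution records.  Added example;
host name, key and log lines are constructed, not taken from the bill."""
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timezone

BEACON_HOST = "beacon.example.net"   # assumed defender-controlled host
SECRET = b"example-hmac-key"         # assumed server-side key; never put in the decoy


def mint_token(secret=SECRET, token_id=None):
    """Return (token_id, token).  token = id + '.' + truncated HMAC(id), so a
    hit carrying a guessed or altered id can be rejected at the server."""
    token_id = token_id or secrets.token_hex(8)
    mac = hmac.new(secret, token_id.encode(), hashlib.sha256).hexdigest()[:16]
    return token_id, f"{token_id}.{mac}"


def verify_token(token, secret=SECRET):
    """Return the token id if its HMAC checks out, else None."""
    token_id, _, mac = token.partition(".")
    expect = hmac.new(secret, token_id.encode(), hashlib.sha256).hexdigest()[:16]
    return token_id if mac and hmac.compare_digest(mac, expect) else None


def make_honey_target(title, token, host=BEACON_HOST):
    """Decoy HTML 'document'.  Its only active content is a 1x1 remote image,
    so opening it fetches the beacon URL and runs nothing on the opener's
    machine (inside the bill's no-destruction, no-backdoor limits)."""
    return (
        f"<html><head><title>{title}</title></head><body>\n"
        f"<h1>{title}</h1>\n<p>Confidential. Do not distribute.</p>\n"
        f'<img src="https://{host}/b/{token}.gif" width="1" height="1" alt="">\n'
        "</body></html>\n"
    )


# Apache/nginx combined log format; the beacon path is /b/<token>.gif
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /b/(?P<token>[^ /]+)\.gif HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_beacon_hits(lines, registry, secret=SECRET):
    """Turn log lines into attribution records.  `registry` maps token_id ->
    decoy file name, so each hit says which stolen file phoned home.  Hits
    whose token fails verification or is unknown are counted, not trusted."""
    records, rejected = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        token_id = verify_token(m["token"], secret)
        if token_id is None or token_id not in registry:
            rejected += 1
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append({
            "token_id": token_id,
            "file": registry[token_id],
            "source_ip": m["ip"],
            "timestamp": ts.astimezone(timezone.utc).isoformat(),
            "user_agent": m["ua"],
            "raw": line,               # keep the original line as evidence
        })
    return records, rejected


def sample_hits(token):
    """Constructed log lines: one genuine hit and one with a forged MAC."""
    token_id, _, _ = token.partition(".")
    forged = f"{token_id}.{'0' * 16}"
    return [
        f'203.0.113.7 - - [10/Oct/2017:14:03:22 +0000] "GET /b/{token}.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
        f'198.51.100.9 - - [10/Oct/2017:14:05:01 +0000] "GET /b/{forged}.gif HTTP/1.1" 200 43 "-" "curl/7.55.1"',
    ]


if __name__ == "__main__":
    tid, token = mint_token()
    registry = {tid: "q3-acquisition-plan.html"}
    print(make_honey_target("Q3 Acquisition Plan", token))
    hits, bad = parse_beacon_hits(sample_hits(token), registry)
    for h in hits:
        print(h["file"], "opened from", h["source_ip"], "at", h["timestamp"])
    print("rejected hits:", bad)
```

The HMAC on the token is there because anyone who learns the beacon URL pattern can spray fake hits at it; without it a defender could end up “attributing” an intrusion to whatever address an attacker chose to plant in the logs. The registry mapping is what turns a bare hit into the “which file, taken when, opened from where” record the notification and evidence-preservation requirements would call for.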
If this sounds like what a hacker does when they use a
phishing attack or boobytrapped web site, that is almost certainly deliberate.
It requires the attacker to be explicitly involved in ultimately providing
information from their system to the original defender. This may end up causing
problems in using the information obtained under the self-incrimination
provisions of US law. Lawyers will have fun arguing both sides of this.
What the bill does not allow, and in fact explicitly prohibits,
is either the establishment of a backdoor or actively pivoting through the
attacker’s system searching for information. That is the typical next step of
an attack on a computer system, and it is what distinguishes the bill’s ‘hacking
back’ (the term is not actually used in the bill) from the actions prohibited
by §1030.
The pre-notification requirements help to ensure that
the new provisions are not used by nefarious hackers as an after-the-fact shield
against prosecution for traditional hacking prohibited by §1030.
It is important to note that the active cyber defense
provisions are not an exemption from prosecution under §1030; instead they allow the measures to be raised as a defense
against federal charges under §1030.
That means that prosecution for a properly notified active defense measure is
still possible at the discretion of the government. A judge would have to
decide whether the active cyber defense measures actually employed met the
requirements of the revised §1030.
FBI ‘approval’ of the proposed active defense measures would obviously be
beneficial in convincing a judge of the appropriateness of the activities.
More importantly, the active cyber defense provisions in the
bill are specifically not allowed to be used as a defense in a civil action
undertaken under §1030(g).
That subsection allows anyone who suffers ‘damage or loss’ from unauthorized access
to a system to obtain “compensatory damages and injunctive relief or other
equitable relief” in federal courts. The reasoning is that active cyber defense
measures cannot, by definition, cause damage or loss, so proving damage or loss
means that an authorized ‘active cyber defense’ measure was not employed.
Unfortunately, the provisions in this bill would only apply
to attackers using computers located in the United States. This is an
inevitable problem caused by international law; each country has sovereign control
of the rules prohibiting access to computers physically located within its
boundaries. Prosecution would have to take place in the target country, but extradition
could be possible depending on the extradition status of the country involved.
The problem here is that, by definition, a defender would
not know the location of the target computer when they initiated active cyber
defense measures. Thus, a defender could end up violating foreign law by
executing measures allowed by this bill and could potentially be extradited to
face charges for that violation. This bill should include provisions that
require a judge at an extradition hearing to take specific cognizance of
the provisions of this bill as a defense against extradition. This would not,
however, protect a defender against arrest and prosecution while traveling
outside of the US.