The reintroduction of the Active Cyber Defense Certainty Act (ACDC) to the 116th U.S. Congress in June 2019 has reignited the debate on how far American businesses and consumers should be legally allowed to defend themselves from online threats. The bipartisan sponsors of the Bill, Reps. Tom Graves (R-Ga.) and Josh Gottheimer (D-N.J.) claim that “the status quo is unacceptable and it’s important that private sector organizations feel empowered to take a more active approach to their cyber defense… What we’re trying to do is clear up the legal gray areas…”.
A 2016 Project Report prepared by the Center for Cyber & Homeland Security at the George Washington University, Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats, defines Active Cyber Defence (ACD), a term first coined by the U.S. Department of Defense in 2011, as a spectrum of proactive cybersecurity measures that fall between traditional passive defence and offence, ranging from low impact/low risk to high impact/high risk activities. The Report shines a light on the legal “gray zone” in which U.S. companies currently find themselves when considering ACD measures, but warns that “hacking back” is not ACD as such and that the two terms should not be used interchangeably.
Updated in 2017, the influential IP Commission Report, The Theft of American Intellectual Property: Reassessments of the Challenge and United States Policy, notes: “the cost of trade secret theft is still difficult to assess because companies may not even be aware that their IP has been stolen, nor are firms incentivized to report their losses once discovered… New estimates suggest that trade secret theft is between 1% and 3% of GDP, meaning that the cost to the $18 trillion U.S. economy is between $180 billion and $540 billion.”
In response to this real and present cyber threat, the ACDC proposes targeted changes to title 18, United States Code, specifically Section 1030, the Computer Fraud and Abuse Act (CFAA). Enacted in 1986, the CFAA criminalises unauthorised access to, and damage to, computers belonging to others; in practice it therefore confines American businesses and consumers to passive defence measures within their own networks, such as purchasing and updating anti-virus software, since any defensive action that reaches into a third party’s system risks being unauthorised access. The ACDC would be the most significant update to the CFAA since its enactment, by giving American businesses and consumers a legal defence when they leave their own network in order to:
- establish attribution of criminal activity, to share with law enforcement and Government agencies,
- retrieve and destroy stolen files,
- disrupt continued unauthorised activity against their network,
- monitor the behaviour of an attacker, to assist in developing future intrusion prevention or cyber defence techniques,
- utilise beaconing technology.
In response to concerns raised against earlier drafts, the ACDC contains a number of safeguards intended to mitigate the risk of collateral cyber damage to innocent third parties and violations of their privacy, as well as the risk of accidentally undermining an on-going law enforcement operation or creating a diplomatic incident with consequential damage to international relations. Further, the Bill offers protection only from criminal hacking charges under the CFAA, not from civil law suits brought by innocent victims. Nevertheless, critics continue to identify drafting weaknesses, along with the increasing risk of false attribution: the ‘internet of things’ affords the sophisticated hacker ever greater opportunities to shield their identity behind innocent parties whose own cybersecurity has been compromised, so that a defender “hacking back” may strike the wrong target. Rep. Graves has been successful in promoting ACDC language into the State and Foreign Operations; Financial Services and General Government; and Commerce, Justice and Science funding bills, but opposition to the ACDC, not least amongst U.S. legal scholars, remains high. Whilst The Washington Post may deem it “pretty unlikely the bill will actually pass and become law…”, the debate it engenders will have a wider significance for the important international question of cyberspace governance.
In the recently published IP Wales Guide to Cyber Defence we note, “since 2004, a UN Group of Governmental Experts (UN GGE) has sought to expedite international norms and regulations to create confidence and security-building measures between member states in cyberspace. In a first major breakthrough, the GGE in 2013 agreed that international law and the UN Charter are applicable to state activity in cyberspace. Two years later, a consensus report outlined four voluntary peacetime norms for state conduct in cyberspace: states should not interfere with each other’s critical infrastructure, should not target each other’s emergency services, should assist other states in the forensics of cyberattacks, and states are responsible for operations originating from within their territory. The latest 2016-17 round of deliberations ended in the stalling of the UN GGE process as its members could not agree on draft paragraph 34, which details how exactly certain international law applies to a state’s use of information and communications technology. While the U.S.A. pushed for detailing international humanitarian law, the right of self-defence, and the law of state responsibility (including the counter-measures applying to cyber operations), other participants, like China and Russia, contended it was premature.” Indeed, China has gone further, condemning the U.S.A. for applying double standards in norm-building against cyber espionage for commercial advantage, in light of public disclosures of spying by the National Security Agency (NSA).
In giving evidence on cybersecurity to the UK Public Accounts Committee (PAC), Sir Mark Sedwill (Cabinet Secretary, Head of the UK Civil Service and UK National Security Advisor) revealed that, with the “big international question” of cyberspace governance only partly addressed through the UN, the UK is “looking at coalitions of the willing, such as the OECD and some other countries that have similar systems to ours, to try to approach this.”
Retaliatory hacking by business victims is likely to be illegal in the UK under the Computer Misuse Act (CMA) 1990, which makes it a criminal offence to gain unauthorised access to a third party’s computer or data (section 1) or to perform unauthorised acts that impair the operation of a third party’s computer (section 3), e.g. by orchestrating a retaliatory DDoS attack. Under pressure from civil rights groups, the UK Government found it expedient to introduce new legislation (the Serious Crime Act 2015 amendment to section 10 of the CMA) to ‘clarify’ that GCHQ, intelligence officers and the police possess the lawful authority to engage in hacking, whether pre-emptive or retaliatory, without criminal liability, thereby underpinning the “Offensive Cyber” capabilities set out in the UK National Cyber Security Strategy 2016-2021.
At the ACD Experts Roundtable hosted in 2015 by the Center for Strategic and International Studies (CSIS) and the Cybersecurity Unit of the U.S. Department of Justice (Criminal Division), it was noted that public discourse on the topic has at times been hindered by the use of “varying, overlapping, or confusing terminology.” One outcome, it may be hoped, of the forthcoming ACDC debate will be greater clarity in the use of terminology. In the UK, “Offensive Cyber” (as the term is defined in Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats) remains the sole domain of Government. Herein lies the divergence in legal approach between the ACDC and the UK, with attribution of a cyber-incident to a state actor being as much a question of political judgement as of law. The UK approach accords with the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, a research project commissioned by the NATO Cooperative Cyber Defence Centre of Excellence, whose group of international legal experts concludes under Rule 33 that “non-state actors are not entitled to engage in the responses that states may conduct under the law of State responsibility when facing hostile cyber operations by or attributable to other States.”
If a “coalition of the willing” is to be achieved to take the cyberspace governance issue forward, especially within the Five Eyes community (the intelligence co-operation programme between the United States, United Kingdom, Australia, Canada and New Zealand), the writer would posit that a common platform needs to be agreed on the more aggressive defensive cyber actions (hacking back/Offensive Cyber/a legal right to bear cyber arms) that companies should and should not be permitted to conduct in defence of their networks and data.