You’ve almost certainly heard something similar to the following: cyberattacks are resulting in severe damage to our economy and compromising the personal information of Americans.
But what does that mean?
In almost every case, it means a piece of an American citizen is being taken. That could include their social security number, credit score, bank account information, phone number, address or even their shopping habits. A successful cyberattack means that what’s most intimate and important to us — our identity, our habits, our trust — was stolen.
There are many factors that contribute to the environment that make cyberattacks possible. But one of the major problems is that criminal statutes and our law enforcement framework are simply unable to address to the severity of the cyber crime threat. Public policy has not kept up with technology.
Very few hackers are ever caught. In fact, the federal government prosecuted far more “check and postal crimes” last year than it did computer fraud. In 2016, nearly 300,000 reports of criminal hacking were filed through the Internet Crimes Complaint Center – the online version of calling 911 – yet less than 1 percent of cases are prosecuted.
The Department of Justice and the FBI should be recognized for their efforts in combating cybercrime but, at a time when the federal government is struggling to defend its own networks, it’s unsurprising that they don’t have the capability to respond effectively to millions of cyberattacks targeting individuals and businesses. When the lack of response is combined with the changing economic forces making hacking more lucrative for criminals, the trend will only get worse unless changes are made.
The law governing cyberspace is the Computer Fraud and Abuse Act (CFAA), which hasn’t seen any substantive updates since its enactment in 1986. Even the Justice Department has recognized that, “laws addressing the misuse of computers have not kept pace uniformly with developments in technology and criminal schemes.”
Because the CFAA is understood to prohibit defenders from leaving their network, companies and individuals are forced to rely on passive defenses and a “patch and pray” approach for identifying malware. This approach ignores the reality that we don’t simply have a malware problem; we have a severe criminal deterrence problem. Criminals are attacking us and we’re allowing them without consequence. In effect, we’re treating symptoms and not the root cause of cyberattacks.
Recently, some companies have recognized the shortcomings of this approach and have begun to use attributional beacons, conduct surveillance of dark web criminal bazaars, launch coordinated botnet takedowns and other actions that fall within the spectrum of “active cyber defense.”
Although these actions can help companies improve their defenses, many of these tactics require them to exceed the boundaries of their network, resulting in actions that fall into a legal gray zone under the CFAA. This is an emerging area of cyber defense, prone to misunderstanding and confusion.
Abolishing the CFAA or allowing companies to strike back without restraint is not the answer, but there are options to allow for carefully crafted defensive actions.
That’s why Rep. Kyrsten Sinema (D-Ariz.) and I introduced the Active Cyber Defense Certainty Act (ACDC), which makes the most significant changes to the CFAA since its enactment. Our bill will untie the hands of cyber defenders and spur a new generation of tools and methods to level the lopsided cyber battlefield.
ACDC would allow individuals and companies legal authority to leave their network to: 1. establish attribution of an attack, 2. disrupt cyberattacks without damaging others’ computers, 3. retrieve and destroy stolen files, 4. monitor the behavior of an attacker and 5. utilize beaconing technology.
Critics might suggest that our bill will create an online version of the Wild West, filled with unchecked vigilante justice and innocent bystanders caught in the crossfire. But that criticism is unfounded. Anyone who reads ACDC will find that it specifically prohibits vigilantism, forbids physical damage or destruction of information on anyone else’s computer, and prevents collateral damage by constraining the types of actions that would be considered active defense.
Additionally, ACDC requires anyone planning to take active-defense measures to notify the FBI first, which will help federal law enforcement ensure defenders use these tools responsibly. The bill also includes a separate voluntary review process through the FBI that individuals and companies could utilize before using active-defense techniques, which will assist defenders in conforming to federal law and improving the technical operation of the measure.
ACDC also maintains the potential for civil penalties so that innocent bystanders are protected if a defender exceeds the boundaries of the law. The bottom line: if defenders proceed recklessly, they would face the exact same criminal penalties that exist under current law.
While ACDC doesn’t solve every problem, the risk of attribution will cause criminal hackers to think twice before launching an attack. It’s a ray of sunlight in the dark places cybercriminals operate. It’s also a step toward the day when it’s the norm – not the exception – for criminal hackers to be identified and prosecuted.