June 5, 2017 | By Yacin Nadji
After a panel hosted by the IISP at Georgia Tech, Rep. Tom Graves (R-Ga.) updated and re-released a discussion draft of the Active Cyber Defense Certainty (ACDC) Act. For background, see last month's discussion of the original draft. The draft bill – not yet formally introduced to the U.S. Senate – would allow an individual to perform limited, "cyber defense" beyond and into networks not their own for the purposes of identifying attackers who illegally penetrated anyone’s network, improving defenses, or disrupting unauthorized activities.
IISP Analyst Yacin Nadji: "The 2.0 version is earned, with improvements including prohibiting financial injury to persons, looping in the FBI's National Cyber Investigative Joint Task Force, and having a sunset clause to force working out any kinks. Furthermore, the draft bill now includes some discussion of 'intermediary computers,' which was lacking before, but still needs some clarification. The main concerns I have are surrounding intermediary machines, backdoors, and reporting to the FBI.
"With respect to the first, it remains unclear what can be done if the 'attacker's machine' is yet another victim's machine (used in a botnet for example) that was compromised by the attacker. For example, can active measures be taken through another victim's machine to reach the true attacker? Can this be done ad infinitum? If the intermediary computer is also in the United States, must they agree with the initial victim to pursue further active measures? If victim #2 is in an uncooperative nation, can active measures pass through them surreptitiously? This part needs a massive overhaul. I'd recommend:
- to allow surreptitious pass-through if the intermediary machine is not in cooperative territory,
- to require both informing the intermediary that they are also a victim, and negotiate how to proceed, and
- to update the FBI on additional 'hops.'
"Second, prohibiting backdoors needs more clarification. Does this prevent defenders from maintaining a presence on the attacker's machine while performing active measures? To continue with the analogy, perhaps this is more of an 'additional front door' than a backdoor, but we must be more precise. Read conservatively, this implies defenders must fully automate the attribution/disruption/monitoring processes, which is likely too difficult to do in practice. If not, it's unclear to me what this specifically prohibits.
"Finally, reporting to the FBI is a clear improvement, but may not prevent inconvenient or nightmarish scenarios. Consider if the attacker is already under investigation by the FBI and additional active measures by the victim may tip-off the attackers and impede the investigation. Is the FBI allowed to prevent retaliation by the victim if they fear it will damage their investigation? What if the FBI knows the attacker is a nation-state that would consider responding to cyberattacks kinetically? In attribution scenarios, careful and measured responses requiring checks and balances are likely to be more successful than erring on the side of rapid retaliation. I personally believe offensive operations—especially against nation-state actors that could have geopolitical ramifications—ought to require explicit approval."
For further reading
- U.S. Rep. Tom Graves (R-Ga.) News Release: https://tomgraves.house.gov/news/documentsingle.aspx?DocumentID=398770
- Video of Community Discussion at Georgia Tech (May 1, 2017): https://mediaspace.gatech.edu/media/cyber_mayday17/1_we2nn0dx