Active Cyber Defense

More on the Active Defense Certainty Act

By Herb Lin
Friday, March 24, 2017, 2:23 PM

Bobby Chesney raised a number of issues regarding the Active Defense Certainty Act, and I’m just getting into it now. I think Bobby’s comments are spot on, but I want to amplify some of his concerns.

Meaning of persistent intrusion

Bobby calls out the terms “persistent” and “intrusion” (victim of a persistent unauthorized intrusion). He asks what defines a “persistent intrusion,” and suggests dwell time or a series of intrusions by the same actor as possible definitions. Yet another ambiguity is whether the intrusions need to be similar or the same from a technical perspective—if Joe Badguy penetrates my computer with malware A today and malware B tomorrow (perhaps with a different purpose or effect) and malware C next week, is that a persistent intrusion? What if they use different penetration mechanisms? I’d want clarification of this point.

Bobby raises the question of whether a DDoS attack counts as an intrusion. Bobby says it probably doesn’t because while it floods the victim’s system, it doesn’t penetrate it. I’d argue the reverse, since data packets from the attacker do enter the victim’s system—if they did not, the system would not get overloaded. But the fact that we disagree simply points to a need to clarify this point as well.

Definition of a protected action

Bobby parses the bill’s definition of protected actions (defenses against violations of CFAA) in a particular way. The bill includes this key passage:

‘(II) consisting of accessing without authorization the computer of the attacker to the victim’s own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network; but (exceptions listed)

This definition is ambiguous in a critical manner. Depending on where one might put parentheses, it can be interpreted as

1) Penetrating the attacker’s computer (to gather information in order to establish attribution of criminal activity to share with law enforcement) or (to disrupt continued unauthorized activity against the victim’s own network);

2) Penetrating the attacker’s computer to gather information in order [(to establish attribution of criminal activity to share with law enforcement) or (to disrupt continued unauthorized activity against the victim’s own network)];

That is, is the intent of the bill to allow penetrations of the attacker’s computer for two purposes (gathering information and disrupting unauthorized activity) or for only one purpose (gathering information albeit for one of two possible reasons)? For example, can the victim take actions on the attacker’s computer to turn off the attack? (That would be interpretation (1).) Or can the victim only gather information from the attacker’s computer that can subsequently be used to disrupt the attack? (That would be interpretation (2), which would forbid turning off the attacker’s computer.)

Bobby’s parsing of this language is consistent with Interpretation (1). He may well be right, but it’s not at all clear from the language.

Meaning of “destroying data”

The bill also provides that the protection it affords is not operative if the victim’s response action “destroys the information stored on a computer of another”. Bobby points out the ambiguity of the case in which the victim responds by encrypting the data on the attacker’s computer—the data has not been destroyed, but the computer has been rendered inoperative. He’s right – and another case is if the victim simply downloads the data to another site, effectively creating a backup of the attacker’s computer.

Meaning of the “computer of the attacker”

Bobby points out that the bill blesses responses against the “computer of the attacker.” Indeed, the definitions section says that “the term ‘attacker’ means a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer.” In so many words, Bobby notes the ambiguity of “source”, which can mean proximate source or ultimate source. The proximate source is likely to be a computer belonging to a duped innocent party (grandma’s computer). Is that OK? Bobby says the bill should be read as including all links in the chain.

For myself, I’m less convinced, because the bill would not then distinguish between actions taken against innocent but duped parties and the actual perpetrator of an attack, and I think it would be wise to differentiate between these two types of party—I’d want to be able to take stronger actions against the actual perpetrator and less strong actions against innocent parties.

Lack of requirement for due care

Lastly, I’m concerned that I don’t see any requirement that the victim must exercise due care in conducting the response. That was the intent of the exceptions to the defense—can’t destroy data on the attacker’s computer, threaten public health or safety, or cause physical injury to another person—but there are many other ways to not exercise due care that don’t have these results. For example, what if during the course of a response action, the victim willfully damages a device belonging to a third party through an action taken on the attacker’s computer?

Kudos for the attempt to bring clarification to active defense

I share Bobby’s praise for the attempt to clarify whether the Computer Fraud and Abuse Act allows for active defense. In 2009, a report of the National Research Council pointed out that the law was not clear on this point, and it’s great to see an attempt to clarify the law. Of course, a different kind of clarification might explicitly include active defense as a prohibited action by ruling out a self-defense justification. Parties who believe that active defense will just muddy the waters more should be advocating for that kind of legislation.