Alexander Berengaut and Tarek Austin of Covington & Burling write:
In March 2017, Rep. Tom Graves, R-Ga., introduced a draft bill titled the Active Cyber Defense Certainty Act. The bill would amend the Computer Fraud and Abuse Act to enable victims of cyberattacks to employ “limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.” More specifically, the ACDC would empower individuals and companies to leave their own network to ascertain the perpetrator (i.e., establish attribution), disrupt cyberattacks without damaging others’ computers, retrieve and destroy stolen files, monitor the behavior of an attacker, and utilize beaconing technology. An updated, bipartisan version of the bill was introduced by Rep. Graves and Rep. Kyrsten Sinema, D-Ariz., in October 2017.
There has been significant debate on whether the types of “self-help” measures that the ACDC expressly authorizes — sometimes referred to as “active defense” — are currently prohibited by the CFAA. While no court has yet ruled on the issue, several commentators (and the U.S. Department of Justice) have long argued that because the CFAA prohibits accessing computers without “authorization,” cyberattack victims expose themselves to criminal liability if they venture outside their network to unmask an attacker and disrupt, disable or destroy the attacker’s system. The purpose of the ACDC is to reduce legal uncertainty by, in effect, providing a statutory safe harbor for victims of cyberattacks to “hack back” — under the right circumstances, and subject to limitations.
Read more on Inside Privacy.