Thoughts on the Active Cyber Defense Certainty Act 2.0

On May 25, 2017, Representative Tom Graves released the second draft of proposed amendments to 18 U.S.C. 1030 (known as the Computer Fraud and Abuse Act). Representative Graves’ bill is known as the Active Cyber Defense Certainty Act (or ACDC Act). There is no universally accepted umbrella term for this, but it is variously called “Active Defense”, “Active Cyber Defense”, “hacking back,” “hackback”, and “strike back.” You will find the word “active” applied almost universally in these discussions, though it frequently results in establishing a simple (though false) dichotomy of “passive defense” vs. “active defense” and frequently leading to fallacious “straw man” arguments. I prefer the term “Active Response Continuum” to explicitly avoid setting up such binary choices. [Dittrich and Himma(2005)]

Without technical knowledge and a clear contextual understanding of the criminal actions, potentially triggering legal defensive response, two paradoxes emerge. First, the “attributional technology” cited in the draft ACDC Act may not achieve its desired goals. Second, some actions disallowed by the ACDC Act include previously witnessed “strike back” actions that have motivated calls for the kind of amendments embodied in the ACDC Act. [Robinson(2017)]

Why the ACDC Act?

The motivation for the initial draft from Representative Graves was, “about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” [Hawkins(2017)] and “to fight back, basically, and defend themselves during a cyber attack.” [Kuchler(2017)] News reports about proposals like this typically invoke the “attacker” / “victim” (self-defense with force) frame, describing the outcome of an amendment like ACDC Act as, “[giving] cyberattack victims the go­-ahead to retaliate against their attackers.”[Robinson(2017)]

It is difficult discussing this topic without using terms like “attack” and “attacker,” so I will reluctantly use those terms in this analysis, but think it’s important to note that using this terminology only accommodates a rigid paradigm of a physical attack against a victim who (as seen in the quotes above) retaliates in kind with physical violence to the exclusion of other more common real-world scenarios. This self-defense with force frame invokes sympathy, appealing to emotion, in order to garner public support. Those invoking this frame do not follow through with clear…