Press Releases

Contact: Garrett Hawkins 202-225-5211

Bookmark and Share

Rep. Tom Graves Releases Updated Active Cyber Defense Bill

Washington, May 25, 2017 - Rep. Tom Graves (R-GA-14) today released an updated discussion draft of the Active Cyber Defense Certainty Act (ACDC), which incorporates feedback from the business community, academia and cybersecurity policy experts, including recommendations he received at his cybersecurity event in Atlanta on May 1.  

Key changes are the following:

  • A mandatory reporting requirement for entities that use active-defense techniques, which will help federal law enforcement ensure defenders use these tools responsibly;

  • A specific exception in the Computer Fraud and Abuse Act (CFAA) for beaconing technology;

  • A sunset clause to ensure that Congress revisits the changes made by the bill after two years to make any further updates or modifications;

  • An exemption allowing the recovery or destruction of one’s own data if its located using the active-defense techniques permitted by this bill and does not result in the destruction of data belonging to another person;

  • Adds to the definition of ‘active cyber defense’ actions taken to monitor an attacker in order to help develop better cyber defense techniques;

  • A clarification that the bill forbids financial injury;

  • Additional safeguards for intermediary computers, which will further protect against collateral damage.

The updated legislation also makes other minor and technical changes.

“These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,” said Rep. Graves. “I thank everyone who helped sharpen this idea and improve the legislation. I look forward to continuing the conversation and formally introducing ACDC in the next few weeks.”  

Click HERE to read the updated bill text.

Now that updates were made to the original text, Rep. Graves will again solicit feedback and recommendations from interested parties before formally introducing the bill.

ACDC makes changes to the CFAA to allow the use of limited defensive measures that exceed the boundaries of one’s network in an attempt to identify and stop attackers. Once a cybercriminal is identified, the victim can share that information with law enforcement and/or try to disrupt an ongoing attack.

The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network. Additionally, by allowing defenders to develop and deploy new tools, it will also serve as a disincentive for criminal hacking.

The CFAA, which was enacted in 1986, currently prohibits individuals from taking any defensive actions besides preventative protections, such as ant-virus software.  

Although ACDC allows a more active role in cyber defense, it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else’s computer, and preventing collateral damage by constraining the types of actions that would be considered active defense. 

Rep. Graves introduced the original ACDC discussion draft on March 3, 2017.


Print version of this document