Bipartisan bill would enable companies to defend themselves against cyberattacks


A bipartisan pair of lawmakers is seeking to enable companies to defend themselves in cyberspace. 

The Active Cyber Defense Certainty Act, introduced Thursday by Reps. Tom Graves (R-Ga.) and Josh Gottheimer (D-N.J.), would allow companies and individuals to leave their own networks and defend against malicious actors seeking to attack them.

The bill would allow authorized individuals and companies to go onto other networks in order to establish who is attacking them online, to disrupt a cyberattack as it is occurring, to retrieve or destroy stolen files, to utilize beaconing technology and to monitor the behavior of the malicious actor.


“Technology has outpaced public policy, and our laws need to catch up,” Graves said in a statement. “We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and held accountable for their crimes.”

The legislation would also require these individuals and companies to notify the FBI's National Cyber Investigative Joint Task Force and receive a response before being allowed to take any of the defense steps. 

The measures in the bill would involve updating the Computer Fraud and Abuse Act (CFAA), with Graves’s office describing these changes as constituting “the most significant update to the CFAA since its enactment.” This law was enacted in 1984, and limits unauthorized access to computer systems.

The bill addresses privacy concerns that could be raised by allowing individuals and companies access to other systems: it prohibits “vigilantism,” physical damage to the other system, and the destruction of information beyond what has been stolen.

Graves’s office noted in a document detailing the bill that “if a defender behaves improperly or recklessly, they will still bear the full penalty of existing law.”

The legislation was introduced during the last Congress but didn’t see action. It has 15 bipartisan co-sponsors beyond the two main sponsors.

Gottheimer noted in a statement that “there’s nothing partisan about protecting our families and businesses from these cyber hackers.”