Bipartisan bill would enable companies to defend themselves against cyberattacks

A bipartisan pair of lawmakers is seeking to enable companies to defend themselves in cyberspace. 

The Active Cyber Defense Certainty Act, introduced Thursday by Reps. Tom Graves (R-Ga.) and Josh Gottheimer (D-N.J.), would allow companies and individuals to leave their own networks and defend against malicious actors seeking to attack them.

The bill would allow authorized individuals and companies to go onto other networks in order to establish who is attacking them online, to disrupt a cyberattack as it is occurring, to retrieve or destroy stolen files, to utilize beaconing technology and to monitor the behavior of the malicious actor.


“Technology has outpaced public policy, and our laws need to catch up,” Graves said in a statement. “We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and held accountable for their crimes.”

The legislation would also require these individuals and companies to notify the FBI's National Cyber Investigative Joint Task Force and receive a response before being allowed to take any of the defense steps. 

The measures in the bill would involve updating the Computer Fraud and Abuse Act (CFAA), with Graves’s office describing these changes as constituting “the most significant update to the CFAA since its enactment.” This law was enacted in 1984, and limits unauthorized access to computer systems.

The bill addresses privacy concerns that could be raised by allowing individuals and companies access to other systems: it prohibits “vigilantism,” physical damage to the other system, and the destruction of information beyond what has been stolen.

Graves’s office noted in a document detailing the bill that “if a defender behaves improperly or recklessly, they will still bear the full penalty of existing law.”

The legislation was introduced during the last Congress but didn’t see action. It has 15 bipartisan co-sponsors beyond the two main sponsors.

Gottheimer noted in a statement that “there’s nothing partisan about protecting our families and businesses from these cyber hackers.”