A bipartisan pair of lawmakers is seeking to enable companies to defend themselves in cyberspace.
The Active Cyber Defense Certainty Act, introduced Thursday by Reps. Tom GravesJohn (Tom) Thomas GravesGeorgia businesswoman launches primary challenge against Greene Lobbying world Greene's future on House committees in limbo after GOP meeting MORE (R-Ga.) and Josh GottheimerJoshua (Josh) GottheimerFive takeaways: House passes Biden's sweeping benefits bill Dems brace for score on massive Biden bill Democrats bullish they'll reach finish line this week MORE (D-N.J.), would allow companies and individuals to leave their own networks and defend against malicious actors seeking to attack them.
The bill would allow authorized individuals and companies to go onto other networks in order to establish who is attacking them online, to disrupt a cyberattack as it is occurring, to retrieve or destroy stolen files, to utilize beaconing technology and to monitor the behavior of the malicious actor.
"Technology has outpaced public policy, and our laws need to catch up,” Graves said in a statement. "We must continue working toward the day when it’s the norm – not the exception – for criminal hackers to be identified and held accountable for their crimes.”
The legislation would also require these individuals and companies to notify the FBI's National Cyber Investigative Joint Task Force and receive a response before being allowed to take any of the defense steps.
The measures in the bill would involve updating the Computer Fraud and Abuse Act (CFAA), with Graves’s office describing these changes as constituting “the most significant update to the CFAA since its enactment.” This law was enacted in 1984, and limits unauthorized access to computer systems.
The bill notes privacy concerns that could be raised by allowing individuals and companies access to other systems by prohibiting “vigilantism,” physical damage to the other system, and the destruction of information beyond what has been stolen.
Graves’s office noted in a document detailing the bill that “if a defender behaves improperly or recklessly, they will still bear the full penalty of existing law.”
The legislation was introduced during the last Congress but didn’t see action. It has 15 bipartisan co-sponsors beyond the two main sponsors.
Gottheimer noted in a statement that “there’s nothing partisan about protecting our families and businesses from these cyber hackers.”