Rep. Tom Graves (R-GA) and Rep. Kyrsten Sinema (D-AZ) introduced the Active Cyber Defense Certainty Act (H.R. 4036) in the House of Representatives on Oct. 13. The bill would amend the Computer Fraud and Abuse Act (CFAA)—the main federal statute that governs computer hacking—effectively to allow victims of certain cyber intrusions to take defensive measures that would otherwise violate the CFAA’s prohibitions on unauthorized access to computers.
Although Graves has been circulating drafts of the bill since last spring (see here and here), the version introduced on Friday includes a new section that creates a procedure by which entities considering taking “active cyber defense measures” can submit their plans in advance to the FBI National Cyber Investigative Joint Task Force. This procedure is designed so that “the FBI. . . can provide its assessment on how the proposed active defense measure may be amended to better conform to Federal law . . . and improve the technical operation of the measure” (Sec. 6(b)). While this review may decrease some concerns about vigilantism by private parties, it may create a new problem: making the U.S. government responsible for private hacking as a matter of international law.
The Active Cyber Defense Certainty Act would make a number of changes to the CFAA. First, it would clarify that the CFAA’s prohibitions on unauthorized access do not apply to the use of “beaconing” technology (Sec. 3). In other words, a company, for example, could have data on its system that is designed to “beacon” back its location if it is removed from the company’s system by a hacker. Second, the bill would create a defense to CFAA prosecution for a “defender”—“a person or an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer”—who takes an “active cyber defense measure” as defined in the statute. Such measures could include accessing the computer of whomever attacked the “defender” for specified purposes, so long as such access avoids certain redlines, including destroying “information that does not belong to the victim that is stored on another person or entity’s computer” and “creat[ing] a threat to the public health or safety” (Sec. 4). Section 5 of the bill requires “defenders” to notify the FBI National Cyber Investigative Joint Task Force about the nature of any planned active cyber defense measure before the measure is deployed, and Section 6 creates the “voluntary preemptive review” process described above, whereby the defender can submit planned measures to the FBI and receive feedback. Later sections of the bill require the Department of Justice to report to Congress annually on, among other things, the number of cybercrime cases, active cyber defense notifications filed, and voluntary preemptive reviews undertaken (Sec. 7). Importantly, the bill’s final section (Sec. 9) includes a two-year sunset clause.
As introduced, the bill raises many important questions, including the scope of entities that can take advantage of the defense to CFAA prosecution. As Bobby Chesney flagged in response to an earlier draft of the bill, what counts as a “persistent unauthorized intrusion” that would trigger a victim’s right to invoke the bill’s defense to prosecution? But I want to focus on the international law issue raised by the new “voluntary preemptive review process” in Section 6.
The FBI’s participation in the review process may trigger the U.S. government’s international legal responsibility for actions of private actors. The International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts specify that the actions of non-state actors “shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct” (Art. 8). The United States has recognized that this standard is binding as a matter of customary international law. In a speech last fall, State Department Legal Adviser Brian Egan explained, “cyber operations conducted by non-State actors are attributable to a State under the law of state responsibility when such actors engage in operations pursuant to the State’s instructions or under the State’s direction or control.”
Although there is some debate about the level of state involvement required to trigger state responsibility, the FBI’s case-by-case review of active defense measures would appear to satisfy even the most stringent understanding. In the Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide, the International Court of Justice explained that a private party’s actions are attributable to a state when the state exercises “effective control” over the private party or “the State’s instructions were given, in respect of each operation in which the alleged violations occurred” (para. 400). Government direction with respect to “each operation” is precisely what the bill envisions for the FBI review process. The bill itself says that the FBI review can “improve the technical operation of the measure,” and a bill summary seems to suggest that the FBI might have the power to veto actions that “overlap with law enforcement or involve a nation-state.” This sort of operation-by-operation tailoring of and control over a non-state actor’s plans by a government actor falls squarely within “effective control.” Because the FBI’s involvement would satisfy the comparatively stringent ICJ standard, it would also necessarily satisfy the lower “overall control” standard that the International Criminal Tribunal for Yugoslavia has used to impose responsibility on states for the actions of non-state actors (para. 122).
The stakes here are high. If the United States is responsible for international law violations committed by private actors, then international law permits aggrieved foreign governments to take countermeasures against the United States—that is, actions that would be violations of international law but for the prior U.S. violation of international law. Such countermeasures may be cyber-related (like retaliatory hacking of U.S. government computers) or outside the cyber realm (like breach of existing treaty commitments).
Part of the difficulty in assessing the bill’s international legal implications is continued uncertainty about which actions in cyberspace violate international law. At what point would a targeted state consider active cyber defense measures to violate its sovereignty, or even to constitute a use of force? How does the threshold change depending on what types of systems are targeted with defensive measures? The U.S. government’s involvement in approving and controlling the actions of private parties makes these questions more urgent. While intrusions by a non-state actor, acting independent of a government, would likely not be considered, for example, a violation of sovereignty, governmental responsibility ups the ante, making what would otherwise be considered criminal behavior into an international legal and diplomatic issue. The answers to the basic international law questions are unsettled and will remain so until states either negotiate and agree on the answers or develop sufficient state practice to form customary international law.
The FBI notification and review process is intended, as explained in the bill summary, to “help federal law enforcement ensure defenders use [active cyber defense] tools responsibly.” That’s a worthy goal. But the bill’s proposed solution to irresponsible hacking back creates the risk of U.S. responsibility for the actions of private actors. Congress must take into account both kinds of risks if it moves forward with the bill.