G:\M\16\GRAVGA\GRAVGA_007.XML [115H4036] ..................................................................... (Original Signature of Member) H. R. ll 116TH CONGRESS 1ST SESSION To amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes. IN THE HOUSE OF REPRESENTATIVES Mr. GRAVES of Georgia introduced the following bill; which was referred to the Committee on llllllllllllll A BILL To amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes. 1 Be it enacted by the Senate and House of Representa- 2 tives of the United States of America in Congress assembled, 3 4 SECTION 1. SHORT TITLE. This Act may be cited as the ‘‘Active Cyber Defense 5 Certainty Act’’. g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 2 1 2 SEC. 2. CONGRESSIONAL FINDINGS. Congress finds the following: 3 (1) Cyber fraud and related cyber-enabled 4 crimes pose a severe threat to the national security 5 and economic vitality of the United States. 6 (2) As a result of the unique nature of 7 cybercrime, it is very difficult for law enforcement to 8 respond to and prosecute cybercrime in a timely 9 manner, leading to the existing low level of deter- 10 rence and a rapidly growing threat. In 2017, the De- 11 partment of Justice prosecuted only 165 cases of 12 computer fraud. Congress determines that this sta- 13 tus quo is unacceptable and that if left unchecked, 14 the trend in cybercrime will only continue to deterio- 15 rate. 16 (3) Cybercriminals have developed new tactics 17 for monetizing the proceeds of their criminal acts, 18 making it likely that the criminal activity will be fur- 19 ther incentivized in the absence of reforms to cur- 20 rent law allowing for new cyber tools and deterrence 21 methods for defenders. 22 (4) When a citizen or United States business is 23 victimized as the result of such crime, the first re- 24 course should be to report the crime to law enforce- 25 ment and seek to improve defensive measures. g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 3 1 (5) Congress also acknowledges that many 2 cyberattacks could be prevented through improved 3 cyber defensive practices, including enhanced train- 4 ing, strong passwords, and routine updating and 5 patching to computer systems. 6 (6) Congress determines that the use of active 7 cyber defense techniques, when properly applied, can 8 also assist in improving defenses and deterring 9 cybercrimes. 10 (7) Congress also acknowledges that many pri- 11 vate entities are increasingly concerned with stem- 12 ming the growth of dark web based cyber-enabled 13 crimes. The Department of Justice should attempt 14 to clarify the proper protocol for entities who are en- 15 gaged in active cyber defense in the dark web so 16 that these defenders can return private property 17 such as intellectual property and financial records 18 gathered inadvertently. 19 (8) Congress also recognizes that while Federal 20 agencies will need to prioritize cyber incidents of na- 21 tional significance, there is the potential to assist the 22 private sector by being more responsive to reports of 23 crime through different reporting mechanisms. Many 24 reported cybercrimes are not responded to in a time- g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 4 1 ly manner creating significant uncertainty for many 2 businesses and individuals. 3 (9) Computer defenders should also exercise ex- 4 treme caution to avoid violating the law of any other 5 nation where an attacker’s computer may reside. 6 (10) Congress holds that active cyber defense 7 techniques should only be used by qualified defend- 8 ers with a high degree of confidence in attribution, 9 and that extreme caution should be taken to avoid 10 impacting intermediary computers or resulting in an 11 escalatory cycle of cyber activity. 12 (11) It is the purpose of this Act to provide 13 legal certainty by clarifying the type of tools and 14 techniques that defenders can use that exceed the 15 boundaries of their own computer network. 16 SEC. 3. EXCEPTION FOR THE USE OF ATTRIBUTIONAL 17 18 TECHNOLOGY. Section 1030 of title 18, United States Code, is 19 amended by adding at the end the following: 20 ‘‘(k) EXCEPTION FOR THE USE OF ATTRIBUTIONAL 21 TECHNOLOGY.— 22 ‘‘(1) This section shall not apply with respect to 23 the use of attributional technology in regard to a de- 24 fender who uses a program, code, or command for 25 attributional purposes that beacons or returns loca- g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 5 1 tional or attributional data in response to a cyber in- 2 trusion in order to identify the source of an intru- 3 sion; if— 4 ‘‘(A) the program, code, or command origi- 5 nated on the computer of the defender but is 6 copied or removed by an unauthorized user; and 7 ‘‘(B) the program, code or command does 8 not result in the destruction of data or result 9 in an impairment of the essential operating 10 functionality of the attacker’s computer system, 11 or intentionally create a backdoor enabling in- 12 trusive access into the attacker’s computer sys- 13 tem. 14 ‘‘(2) DEFINITION.—The term ‘attributional 15 data’ means any digital information such as log files, 16 text strings, time stamps, malware samples, identi- 17 fiers such as user names and Internet Protocol ad- 18 dresses and metadata or other digital artifacts gath- 19 ered through forensic analysis.’’. 20 SEC. 4. EXCLUSION FROM PROSECUTION FOR CERTAIN 21 COMPUTER CRIMES FOR THOSE TAKING AC- 22 TIVE CYBER DEFENSE MEASURES. 23 Section 1030 of title 18, United States Code, is 24 amended by adding at the end the following: g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00005 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 6 1 ‘‘(l) ACTIVE CYBER DEFENSE MEASURES NOT A 2 VIOLATION.— 3 ‘‘(1) GENERALLY.—It is a defense to a criminal 4 prosecution under this section that the conduct con- 5 stituting the offense was an active cyber defense 6 measure. 7 ‘‘(2) INAPPLICABILITY 8 defense against prosecution created by this section 9 does not prevent a United States person or entity 10 who is targeted by an active defense measure from 11 seeking a civil remedy, including compensatory dam- 12 ages or injunctive relief pursuant to subsection (g). 13 ‘‘(3) DEFINITIONS.—In this subsection— 14 ‘‘(A) the term ‘defender’ means a person 15 or an entity that is a victim of a persistent un- 16 authorized intrusion of the individual entity’s 17 computer; 18 ‘‘(B) the term ‘active cyber defense meas- 19 ure’— 20 ‘‘(i) means any measure— 21 ‘‘(I) undertaken by, or at the di- 22 rection of, a defender; and 23 ‘‘(II) consisting of accessing 24 without authorization the computer of 25 the attacker to the defender’s own g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 TO CIVIL ACTION.—the 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00006 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 7 1 network to gather information in 2 order to— 3 ‘‘(aa) establish attribution of 4 criminal activity to share with 5 law 6 United States Government agen- 7 cies responsible for cybersecurity; 8 ‘‘(bb) disrupt continued un- 9 authorized activity against the 10 and other defender’s own network; or 11 ‘‘(cc) monitor the behavior 12 of an attacker to assist in devel- 13 oping future intrusion prevention 14 or cyber defense techniques; but 15 ‘‘(ii) does not include conduct that— 16 ‘‘(I) intentionally destroys or ren- 17 ders inoperable information that does 18 not belong to the victim that is stored 19 on another person or entity’s com- 20 puter; 21 ‘‘(II) recklessly causes physical 22 injury or financial loss as described 23 under subsection (c)(4); 24 ‘‘(III) creates a threat to the 25 public health or safety; g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 enforcement 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00007 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 8 1 ‘‘(IV) intentionally exceeds the 2 level of activity required to perform 3 reconnaissance on an intermediary 4 computer to allow for attribution of 5 the origin of the persistent cyber in- 6 trusion; 7 ‘‘(V) intentionally results in in- 8 trusive or remote access into an 9 intermediary’s computer; 10 ‘‘(VI) intentionally results in the 11 persistent disruption to a person or 12 entities internet connectivity resulting 13 in damages defined under subsection 14 (c)(4); or 15 ‘‘(VII) impacts any computer de- 16 scribed under subsection (a)(1) re- 17 garding access to national security in- 18 formation, subsection (a)(3) regarding 19 government computers, or to sub- 20 section (c)(4)(A)(i)(V) regarding a 21 computer system used by or for a 22 Government entity for the furtherance 23 of the administration of justice, na- 24 tional defense, or national security; g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00008 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 9 1 ‘‘(C) the term ‘attacker’ means a person or 2 an entity that is the source of the persistent un- 3 authorized intrusion into the victim’s computer; 4 and 5 ‘‘(D) the term ‘intermediary computer’ 6 means a person or entity’s computer that is not 7 under the ownership or primary control of the 8 attacker but has been used to launch or obscure 9 the origin of the persistent cyber-attack.’’. 10 SEC. 5. NOTIFICATION REQUIREMENT FOR THE USE OF AC- 11 TIVE CYBER DEFENSE MEASURES. 12 Section 1030 of title 18, United States Code, is 13 amended by adding the following: 14 15 ‘‘(m) NOTIFICATION REQUIREMENT OF USE ACTIVE CYBER DEFENSE MEASURES.— 16 ‘‘(1) GENERALLY.—A defender who uses an ac- 17 tive cyber defense measure under the preceding sec- 18 tion must notify the FBI National Cyber Investiga- 19 tive Joint Task Force and receive a response from 20 the FBI acknowledging receipt of the notification 21 prior to using the measure. 22 ‘‘(2) REQUIRED INFORMATION.—Notification 23 must include the type of cyber breach that the per- 24 son or entity was a victim of, the intended target of 25 the active cyber defense measure, the steps the de- g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 FOR THE 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00009 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 10 1 fender plans to take to preserve evidence of the 2 attacker’s criminal cyber intrusion, as well as the 3 steps they plan to prevent damage to intermediary 4 computers not under the ownership of the attacker 5 and other information requested by the FBI to as- 6 sist with oversight.’’. 7 SEC. 6. VOLUNTARY PREEMPTIVE REVIEW OF ACTIVE 8 9 CYBER DEFENSE MEASURES. (a) PILOT PROGRAM.—The Federal Bureau of Inves- 10 tigation (hereinafter in this section referred to as the 11 ‘‘FBI’’), in coordination with other Federal agencies, shall 12 create a pilot program to last for 2 years after the date 13 of enactment of this Act, to allow for a voluntary preemp14 tive review of active defense measures. 15 (b) ADVANCE REVIEW.—A defender who intends to 16 prepare an active defense measure under section 4 may 17 submit their notification to the FBI National Cyber Inves18 tigative Joint Task Force in advance of its use so that 19 the FBI and other agencies can review the notification and 20 provide its assessment on how the proposed active defense 21 measure may be amended to better conform to Federal 22 law, the terms of section 4, and improve the technical op23 eration of the measure. g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00010 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 11 1 (c) PRIORITIZATION OF REQUESTS.—The FBI may 2 decide how to prioritize the issuance of such guidance to 3 defenders based on the availability of resources. 4 SEC. 7. ANNUAL REPORT ON THE FEDERAL GOVERNMENT’S 5 PROGRESS IN DETERRING CYBER FRAUD 6 AND CYBER-ENABLED CRIMES. 7 The Department of Justice, after consultation with 8 the Department of Homeland Security and other relevant 9 Federal agencies, shall deliver an annual report to Con10 gress not later than March 31 of each year, detailing the 11 results of law enforcement activities pertaining to 12 cybercriminal deterrence for the previous calendar year. 13 The report shall include— 14 (1) the number of computer fraud cases re- 15 ported by United States citizens and United States 16 businesses to FBI Field Offices, the Secret Service 17 Electronic Crimes Task Force, the Internet Crimes 18 Complaint Center (IC3) website, and other Federal 19 law enforcement agencies; 20 (2) the number of investigations opened as a re- 21 sult of public reporting of computer fraud crimes, 22 and the number of investigations open independently 23 of any specific crimes being reported; 24 (3) the number of cyber fraud cases prosecuted 25 under section 1030 of title 18, United States Code, g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00011 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 12 1 and other related statutes involving cybercrime, in- 2 cluding the resolution of the cases; 3 (4) the number of computer fraud crimes deter- 4 mined to have originated from United States sus- 5 pects and the number determined to have originated 6 from foreign suspects, and details of the country of 7 origin of the suspected foreign suspects; 8 (5) the number of dark web cybercriminal mar- 9 ketplaces and cybercriminal networks disabled by 10 law enforcement activities; 11 (6) an estimate of the total financial damages 12 suffered by United States citizens and businesses re- 13 sulting from ransomware and other fraudulent 14 cyberattacks; 15 (7) the number of law enforcement personnel 16 assigned to investigate and prosecute cybercrimes; 17 and 18 (8) the number of active cyber defense notifica- 19 tions filed as required by this Act and a comprehen- 20 sive evaluation of the notification process and vol- 21 untary preemptive review pilot program. g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00012 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X G:\M\16\GRAVGA\GRAVGA_007.XML 13 1 SEC. 8. REQUIREMENT FOR THE DEPARTMENT OF JUSTICE 2 TO UPDATE THE MANUAL ON THE PROSECU- 3 TION OF CYBER CRIMES. 4 (a) The Department of Justice shall update the 5 ‘‘Prosecuting Computer Crimes Manual’’ to reflect the 6 changes made by this legislation. 7 (b) The Department of Justice is encouraged to seek 8 additional opportunities to clarify the manual and other 9 guidance to the public to reflect evolving defensive tech10 niques and cyber technology that can be used in manner 11 that does not violate section 1030 of title 18, United 12 States Code, or other Federal law and international trea13 ties. 14 SEC. 9. SUNSET. 15 The exclusion from prosecution created by this Act 16 shall expire 2 years after the date of enactment of this 17 Act. g:\VHLC\061119\061119.425.xml June 11, 2019 (3:34 p.m.) VerDate 0ct 09 2002 15:34 Jun 11, 2019 Jkt 000000 (719331 2) PO 00000 Frm 00013 Fmt 6652 Sfmt 6201 C:\USERS\HRBRAZ~1\APPDATA\ROAMING\SOFTQUAD\XMETAL\7.0\GEN\C\GRAVGA~1.X