With the ceaseless headlines about cyber-attacks against both private industry and governments, and the especially wide-reaching data breach of Equifax as well as the hacking of the American election in 2016, there is a growing discussion regarding what to do about the cybersecurity problem in America. Members of Congress are now actively debating ‘hack back’ authority. A bill in Congress, known as the Active Cyber Defense Certainty Act (ACDC) (H.R. 4036), would, in essence, allow private entities to go into networks outside of their own to gather intelligence and do research on unauthorized intruders to determine who is responsible for a cyber-penetration and how it occurred. While it is understandable that legislators and the public are debating the feasibility of this type of tactic, the real question is what price the U.S. would pay in exchange for deploying this capability.
This paper discusses the problems associated with ‘hacking back’ and with the current legislative proposal in particular. It begins with a conceptual discussion about active cyber defense, and provides a legal background explaining various theories for why certain active cyber defense tactics may or may not be lawful. The paper then analyzes ACDC specifically, and emphasizes the definitional ambiguity in the bill, its problems with oversight mechanisms, its failure to address other laws prohibiting hack back, and also the policy and strategic peril the bill introduces, particularly as it relates to international norms.
Given these concerns, the paper asks whether there are other legislative and policy options Congress should be considering with regard to cybersecurity. The paper argues that the recently enacted CLOUD Act, which deals with cross-border data access and mutual legal assistance reform, is underappreciated as a piece of cybersecurity legislation. It argues that successfully addressing data access between allies more broadly can help facilitate more efficient international cyber investigations where electronic data is involved.
The paper outlines how the previous legal construct, prior to the CLOUD Act’s enactment, was outdated, and it discusses why cross-border data access reform was necessary given the previous inefficiencies. The paper explains why the final version of the CLOUD Act successfully addressed the most strident privacy and civil liberties concerns, and argues that successful implementation of the CLOUD Act (which should be the focus going forward) may prove to be a less problematic way of attacking the attribution problem than ACDC, will help set the international norm we seek to establish in cyberspace, and could, if executed properly along with other cybersecurity advancements, be a more helpful strategic deterrence mechanism over the long term.