Active Cyber Defense Certainty Act of the United States

Posted by fierce at 2020-03-01

On December 18, 2017, the United States released the first National Security Strategy of the United States of America under President Trump. The strategy strengthens the priorities of the United States, holds that transnational threats "actively" harm U.S. interests, and lists the active identification of threats and the sharing of threat information among the priority actions for improving U.S. capabilities. The strategy is a direct response to the way the National Defense Authorization Act for Fiscal Year 2018 (H.R. 2810) set out U.S. national policy on cyberspace, cybersecurity and cyber warfare (sec. 1633).

The administrative and legal disputes over active defense have gone on for many years; in particular, the unpredictable domestic and international consequences once such measures are launched have long held back "active" discussion of the topic in legislation. The Cybersecurity Law Research Center of the Third Research Institute of the Ministry of Public Security has translated the Active Cyber Defense Certainty Act, which entered the U.S. legislative process in October 2017. The act has not yet been formally passed, but it helps to explore the various scenarios in which the concept of active defense appears at the legislative level in the United States, and to understand how the United States is attempting to apply the concept at the law enforcement level.

Full text of the bill

Article 1 Short title

This Act may be cited as the Active Cyber Defense Certainty Act.

Article 2 Findings of Congress

Congress finds the following:

(1) Cyber fraud and related cyber crimes pose a serious threat to the national security and economic vitality of the United States.

(2) Because of the nature of cyber crime, it is very difficult for law enforcement agencies to respond to and prosecute it in a timely manner, which weakens the deterrent effect of current law and allows the threat of cyber crime to grow rapidly. In 2015, the Department of Justice prosecuted only 153 computer fraud cases. Congress believes this situation is unacceptable and that, if left unchecked, the trend in cybercrime will only continue to worsen.

(3) Cyber criminals have developed new ways to monetize their criminal gains. Unless current law is reformed to provide defenders with new cyber tools and means of deterrence, criminal activity will be further encouraged.

(4) When American citizens or businesses become victims of such crimes, they should first report the crime to law enforcement agencies and seek to improve their own defensive measures.

(5) Congress also believes that many cyber attacks can be prevented through improved cyber defense measures, including better training, strong passwords, and regular updating and patching of computer systems.

(6) Congress believes that the appropriate use of active cyber defense techniques will also help improve defensive capabilities and curb cybercrime.

(7) Congress also believes that many private entities are increasingly concerned with curbing the growth of cybercrime driven by the development of the dark web. The Department of Justice should seek to define reasonable rules of conduct for entities implementing active defense measures on the dark web, so that defenders can recover private property that was wrongfully obtained, such as intellectual property and financial records.

(8) Congress also believes that the lack of timely responses to many cybercrime reports has created serious uncertainty about what measures businesses and individuals may take in response to such crimes. While federal agencies need to prioritize cyber incidents of national importance, assisting the private sector by responding more actively to crimes reported through the various reporting mechanisms is also a promising direction.

(9) Computer defenders should also take extra care to avoid violating the laws of the country in which the attacker's computer is located.

(10) Congress believes that active cyber defense techniques should only be used by qualified defenders, who should have a high degree of confidence in attribution, and who should take great care to avoid affecting intermediary computers or escalating cyber activity.

(11) The purpose of this Act is to provide legal certainty by clarifying the types of tools and techniques that defenders may use beyond the boundaries of their own computer networks.

Article 3 Exemption for the use of attribution technology

18 U.S.C. § 1030 is amended by adding the following:

"(k) Exemption for the use of attribution techniques.

(1) This section does not apply to a defender's use of attribution technology, that is, a program, code or command that returns a signal, location or other specific data in response to a cyber intrusion in order to identify the source of the intrusion, if:

(A) the program, code or command originates on the defender's computer but is copied or removed by an unauthorized user; and

(B) the program, code or command does not damage data on the attacker's computer system, does not impair the basic operational functions of that system, and does not deliberately create a backdoor into that system.

(2) Definition. "Attributional data" means any kind of digital information, such as log files, text strings, timestamps, malware samples, identifiers (including usernames and IP addresses), metadata and other digital artifacts collected through forensic analysis techniques.

Article 4 Exemption from prosecution for specific computer crimes where active cyber defense measures were taken

18 U.S.C. § 1030 is amended by adding the following:

"(l) Active cyber defense measures not a violation.

(1) General provisions. Conduct that qualifies as an active cyber defense measure under this subsection may constitute a defense to criminal prosecution.

(2) No effect on civil actions. The defense to prosecution under this subsection does not preclude a United States person or entity against which the active defense measure is directed from seeking civil relief, including compensatory or injunctive relief under subsection (g).

(3) Definitions. In this subsection:

(A) "Defender" means a person or entity that is the victim of a persistent, unauthorized computer intrusion;

(B) "Active cyber defense measure"

(i) means any measure that:

(1) is undertaken by, or at the direction of, the defender; and

(2) consists of accessing the attacker's computer without authorization to gather information in order to:

(AA) establish the nature of the criminal activity for sharing with law enforcement agencies responsible for cybersecurity and with other U.S. government agencies;

(BB) disrupt continued, unauthorized access to the defender's network; or

(CC) monitor the behavior of the attacker to assist in developing future intrusion prevention or cyber defense techniques;

(ii) but does not include any measure that:

(1) intentionally destroys, or renders inaccessible, information that does not belong to the victim and is stored on another person's or entity's computer;

(2) recklessly causes physical injury or financial loss as described in subsection (c)(4);

(3) creates a threat to public health or safety;

(4) intentionally exceeds the level of activity needed to perform reconnaissance on an intermediary computer in order to trace a persistent intrusion into the network;

(5) intentionally intrudes into, or remotely accesses, an intermediary computer;

(6) intentionally and persistently disrupts a person's or entity's network connectivity, resulting in damage as defined in subsection (c)(4); or

(7) affects a computer described in subsection (a)(1), (a)(3), or (c)(4)(A)(i)(V), or a computer that is used by or for a government entity for the administration of justice, national defense, or national security.

(C) "Attacker" means a person or entity that persistently intrudes into the victim's computer without authorization;

(D) "Intermediary computer" means a computer that does not belong to the attacker and is not under the attacker's primary control, but is used to launch or obscure the origin of a persistent cyber attack.

Article 5 Notification requirements for the implementation of cyber defense measures

18 U.S.C. § 1030 is amended by adding the following:

"(m) Notification requirements for the implementation of cyber defense measures:

(1) General provisions. A defender who implements active cyber defense measures under Article 4 must notify the FBI National Cyber Investigative Joint Task Force in advance and receive a reply from the FBI acknowledging receipt of the notice.

(2) Required information. The notice must include: the type of cyber violation that made the individual or entity a victim; the intended target of the active cyber defense measures; the steps the defender plans to take to preserve evidence of the attacker's criminal cyber intrusion; the steps planned to prevent damage to intermediary computers not owned by the attacker; and any other information the FBI requires to assist with oversight of the defender's actions.

Article 6 Voluntary prior review of active defense measures

(a) Pilot program. The FBI, in coordination with other federal agencies, shall develop a pilot program, running for two years after this Act takes effect, to allow voluntary prior review of active defense measures.

(b) Prior review. A defender who plans to implement active defense measures under Article 4 may notify the FBI National Cyber Investigative Joint Task Force in advance, so that the FBI and other agencies can review the notice and assess how the proposed active defense measures could be modified to better comply with federal law and Article 4, as well as the technical operation of the revised measures.

(c) Prioritization of requests. Depending on the availability of resources, the FBI may decide how to prioritize the issuance of such guidance to defenders.

Article 7 Annual report on the federal government's progress in curbing cyber fraud and cyber crime

The Department of Justice, in consultation with the Department of Homeland Security and other relevant federal agencies, shall submit an annual report to Congress by March 31 of each year. The report shall detail the results of law enforcement actions taken in the previous year to curb cybercrime.

The report shall include:

(1) the number of computer fraud cases reported by U.S. citizens and businesses to FBI field offices, Secret Service Electronic Crimes Task Forces, the Internet Crime Complaint Center (IC3) website, and other federal law enforcement agencies;

(2) the number of investigations of computer fraud offences opened in response to such reports, and the number of investigations of any such offence opened independently of a report;

(3) the number of cyber fraud cases prosecuted under 18 U.S.C. § 1030 and other relevant laws and regulations concerning cybercrime, including the outcomes of those cases;

(4) the number of computer fraud offences committed by U.S. suspects, the number committed by foreign suspects, and the nationalities of the foreign suspects;

(5) the number of dark web criminal marketplaces and criminal networks disrupted by law enforcement action;

(6) an assessment of the overall financial losses suffered by U.S. citizens and businesses as a result of ransomware and other fraudulent cyber attacks;

(7) the number of law enforcement officers assigned to investigate and prosecute cybercrime; and

(8) the number of active cyber defense notices submitted under this Act, together with a comprehensive assessment of the notification procedure and the voluntary prior review pilot program.

Article 8 Department of Justice to update the guidelines for prosecuting cybercrime

(a) The Department of Justice shall update its manual on prosecuting computer crimes in accordance with the amendments made by this Act.

(b) The Department of Justice is encouraged to seek further opportunities to clarify the manual and other public guidance to reflect evolving defensive and cyber technologies whose use does not violate 18 U.S.C. § 1030, other federal laws, or international treaties.

Article 9 Period of validity

The exemption from prosecution provided for in this Act expires two years after the effective date of this Act.

This article is reprinted from the Cybersecurity Law Research Center of the Third Research Institute of the Ministry of Public Security.
