I 116TH CONGRESS 1ST SESSION H R 3270 To amend title 18 United States Code to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers and for other purposes IN THE HOUSE OF REPRESENTATIVES JUNE 13 2019 Mr GRAVES of Georgia for himself Mr GOTTHEIMER Mr AUSTIN SCOTT of Georgia Mr CUELLAR Mr CARTER of Georgia Mr FERGUSON Mr RIGGLEMAN Mr LOUDERMILK Mr STEWART Mr PALAZZO Mr HILL of Arkansas Mr BUDD Mr FORTENBERRY Mrs MURPHY Mr RESCHENTHALER and Miss RICE of New York introduced the following bill which was referred to the Committee on the Judiciary A BILL To amend title 18 United States Code to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers and for other purposes 1 Be it enacted by the Senate and House of Representa- 2 tives of the United States of America in Congress assembled kjohnson on DSK79L0C42 with BILLS 3 SECTION 1 SHORT TITLE 4 This Act may be cited as the ‘‘Active Cyber Defense 5 Certainty Act’’ VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 2 1 SEC 2 CONGRESSIONAL FINDINGS kjohnson on DSK79L0C42 with BILLS 2 Congress finds the following 3 1 Cyber fraud and related cyber-enabled 4 crimes pose a severe threat to the national security 5 and economic vitality of the United States 6 2 As a result of the unique nature of 7 cybercrime it is very difficult for law enforcement to 8 respond to and prosecute cybercrime in a timely 9 manner leading to the existing low level of deter- 10 rence and a rapidly growing threat In 2017 the De- 11 partment of Justice prosecuted only 165 cases of 12 computer fraud Congress determines that this sta- 13 tus quo is unacceptable and that if left unchecked 14 the trend in cybercrime will only continue to deterio- 15 rate 16 3 Cybercriminals have developed new tactics 17 for monetizing the proceeds of their criminal acts 18 making it likely that the criminal activity will be fur- 19 ther incentivized in the absence of reforms to cur- 20 rent law allowing for new cyber tools and deterrence 21 methods for defenders 22 4 When a citizen or United States business is 23 victimized as the result of such crime the first re- 24 course should be to report the crime to law enforce- 25 ment and seek to improve defensive measures •HR 3270 IH VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 kjohnson on DSK79L0C42 with BILLS 3 1 5 Congress also acknowledges that many 2 cyberattacks could be prevented through improved 3 cyber defensive practices including enhanced train- 4 ing strong passwords and routine updating and 5 patching to computer systems 6 6 Congress determines that the use of active 7 cyber defense techniques when properly applied can 8 also assist in improving defenses and deterring 9 cybercrimes 10 7 Congress also acknowledges that many pri- 11 vate entities are increasingly concerned with stem- 12 ming the growth of dark web based cyber-enabled 13 crimes The Department of Justice should attempt 14 to clarify the proper protocol for entities who are en- 15 gaged in active cyber defense in the dark web so 16 that these defenders can return private property 17 such as intellectual property and financial records 18 gathered inadvertently 19 8 Congress also recognizes that while Federal 20 agencies will need to prioritize cyber incidents of na- 21 tional significance there is the potential to assist the 22 private sector by being more responsive to reports of 23 crime through different reporting mechanisms Many 24 reported cybercrimes are not responded to in a time- •HR 3270 IH VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 4 1 ly manner creating significant uncertainty for many 2 businesses and individuals 3 9 Computer defenders should also exercise ex- 4 treme caution to avoid violating the law of any other 5 nation where an attacker’s computer may reside 6 10 Congress holds that active cyber defense 7 techniques should only be used by qualified defend- 8 ers with a high degree of confidence in attribution 9 and that extreme caution should be taken to avoid 10 impacting intermediary computers or resulting in an 11 escalatory cycle of cyber activity 12 11 It is the purpose of this Act to provide 13 legal certainty by clarifying the type of tools and 14 techniques that defenders can use that exceed the 15 boundaries of their own computer network 16 SEC 3 EXCEPTION FOR THE USE OF ATTRIBUTIONAL 17 18 TECHNOLOGY Section 1030 of title 18 United States Code is 19 amended by adding at the end the following 20 ‘‘ k EXCEPTION FOR THE USE OF ATTRIBUTIONAL kjohnson on DSK79L0C42 with BILLS 21 TECHNOLOGY — 22 ‘‘ 1 This section shall not apply with respect to 23 the use of attributional technology in regard to a de- 24 fender who uses a program code or command for 25 attributional purposes that beacons or returns loca- •HR 3270 IH VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 5 1 tional or attributional data in response to a cyber in- 2 trusion in order to identify the source of an intru- 3 sion if— 4 ‘‘ A the program code or command origi- 5 nated on the computer of the defender but is 6 copied or removed by an unauthorized user and 7 ‘‘ B the program code or command does 8 not result in the destruction of data or result 9 in an impairment of the essential operating 10 functionality of the attacker’s computer system 11 or intentionally create a backdoor enabling in- 12 trusive access into the attacker’s computer sys- 13 tem 14 ‘‘ 2 DEFINITION —The term ‘attributional 15 data’ means any digital information such as log files 16 text strings time stamps malware samples identi- 17 fiers such as user names and Internet Protocol ad- 18 dresses and metadata or other digital artifacts gath- 19 ered through forensic analysis ’’ 20 SEC 4 EXCLUSION FROM PROSECUTION FOR CERTAIN 21 COMPUTER CRIMES FOR THOSE TAKING AC- 22 TIVE CYBER DEFENSE MEASURES 23 Section 1030 of title 18 United States Code is kjohnson on DSK79L0C42 with BILLS 24 amended by adding at the end the following •HR 3270 IH VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 6 1 ‘‘ l ACTIVE CYBER DEFENSE MEASURES NOT A 2 VIOLATION — 3 ‘‘ 1 GENERALLY —It is a defense to a criminal 4 prosecution under this section that the conduct con- 5 stituting the offense was an active cyber defense 6 measure 7 ‘‘ 2 INAPPLICABILITY 8 defense against prosecution created by this section 9 does not prevent a United States person or entity 10 who is targeted by an active defense measure from 11 seeking a civil remedy including compensatory dam- 12 ages or injunctive relief pursuant to subsection g 13 ‘‘ 3 DEFINITIONS —In this subsection— 14 ‘‘ A the term ‘defender’ means a person 15 or an entity that is a victim of a persistent un- 16 authorized intrusion of the individual entity’s 17 computer 18 ‘‘ B the term ‘active cyber defense meas- 19 ure’— 20 ‘‘ i means any measure— 21 ‘‘ I undertaken by or at the di- 22 rection of a defender and 23 kjohnson on DSK79L0C42 with BILLS TO CIVIL ACTION —The ‘‘ II consisting of 24 without authorization the computer of 25 the attacker to the defender’s own •HR 3270 IH VerDate Sep 11 2014 accessing 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00006 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 7 1 network to gather information in 2 order to— 3 ‘‘ aa establish attribution of 4 criminal activity to share with 5 law 6 United States Government agen- 7 cies responsible for cybersecurity 8 ‘‘ bb disrupt continued un- 9 authorized activity against the 10 and 11 ‘‘ cc monitor the behavior 12 of an attacker to assist in devel- 13 oping future intrusion prevention 14 or cyber defense techniques but 15 ‘‘ ii does not include conduct that— 16 ‘‘ I intentionally destroys or ren- 17 ders inoperable information that does 18 not belong to the victim that is stored 19 on another person or entity’s com- 20 puter 21 ‘‘ II recklessly causes physical 22 injury or financial loss as described 23 under subsection c 4 ‘‘ III creates a threat to the 25 public health or safety •HR 3270 IH VerDate Sep 11 2014 other defender’s own network or 24 kjohnson on DSK79L0C42 with BILLS enforcement 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00007 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 kjohnson on DSK79L0C42 with BILLS 8 1 ‘‘ IV intentionally exceeds the 2 level of activity required to perform 3 reconnaissance on an intermediary 4 computer to allow for attribution of 5 the origin of the persistent cyber in- 6 trusion 7 ‘‘ V intentionally results in in- 8 trusive or remote access into an 9 intermediary’s computer 10 ‘‘ VI intentionally results in the 11 persistent disruption to a person or 12 entities internet connectivity resulting 13 in damages defined under subsection 14 c 4 or 15 ‘‘ VII impacts any computer de- 16 scribed under subsection a 1 re- 17 garding access to national security in- 18 formation subsection a 3 regarding 19 government computers or to sub- 20 section c 4 A i V regarding a 21 computer system used by or for a 22 Government entity for the furtherance 23 of the administration of justice na- 24 tional defense or national security •HR 3270 IH VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00008 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 9 1 ‘‘ C the term ‘attacker’ means a person or 2 an entity that is the source of the persistent un- 3 authorized intrusion into the victim’s computer 4 and 5 ‘‘ D the term ‘intermediary computer’ 6 means a person or entity’s computer that is not 7 under the ownership or primary control of the 8 attacker but has been used to launch or obscure 9 the origin of the persistent cyber-attack ’’ 10 SEC 5 NOTIFICATION REQUIREMENT FOR THE USE OF AC- 11 TIVE CYBER DEFENSE MEASURES 12 Section 1030 of title 18 United States Code is 13 amended by adding the following 14 kjohnson on DSK79L0C42 with BILLS 15 ‘‘ m NOTIFICATION REQUIREMENT OF FOR THE ACTIVE CYBER DEFENSE MEASURES — 16 ‘‘ 1 GENERALLY —A defender who uses an ac- 17 tive cyber defense measure under the preceding sec- 18 tion must notify the FBI National Cyber Investiga- 19 tive Joint Task Force and receive a response from 20 the FBI acknowledging receipt of the notification 21 prior to using the measure 22 ‘‘ 2 REQUIRED INFORMATION —Notification 23 must include the type of cyber breach that the per- 24 son or entity was a victim of the intended target of 25 the active cyber defense measure the steps the de- •HR 3270 IH VerDate Sep 11 2014 USE 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00009 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 10 1 fender plans to take to preserve evidence of the 2 attacker’s criminal cyber intrusion as well as the 3 steps they plan to prevent damage to intermediary 4 computers not under the ownership of the attacker 5 and other information requested by the FBI to as- 6 sist with oversight ’’ 7 SEC 6 VOLUNTARY PREEMPTIVE REVIEW OF ACTIVE 8 9 CYBER DEFENSE MEASURES a PILOT PROGRAM —The Federal Bureau of Inves- 10 tigation hereinafter in this section referred to as the 11 ‘‘FBI’’ in coordination with other Federal agencies shall 12 create a pilot program to last for 2 years after the date 13 of enactment of this Act to allow for a voluntary preemp14 tive review of active defense measures 15 b ADVANCE REVIEW —A defender who intends to 16 prepare an active defense measure under section 4 may 17 submit their notification to the FBI National Cyber Inves18 tigative Joint Task Force in advance of its use so that 19 the FBI and other agencies can review the notification and 20 provide its assessment on how the proposed active defense 21 measure may be amended to better conform to Federal 22 law the terms of section 4 and improve the technical op- kjohnson on DSK79L0C42 with BILLS 23 eration of the measure •HR 3270 IH VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00010 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 11 1 c PRIORITIZATION OF REQUESTS —The FBI may 2 decide how to prioritize the issuance of such guidance to 3 defenders based on the availability of resources 4 SEC 7 ANNUAL REPORT ON THE FEDERAL GOVERNMENT’S 5 PROGRESS IN DETERRING CYBER FRAUD 6 AND CYBER-ENABLED CRIMES 7 The Department of Justice after consultation with 8 the Department of Homeland Security and other relevant 9 Federal agencies shall deliver an annual report to Con10 gress not later than March 31 of each year detailing the 11 results of law enforcement activities pertaining to 12 cybercriminal deterrence for the previous calendar year kjohnson on DSK79L0C42 with BILLS 13 The report shall include— 14 1 the number of computer fraud cases re- 15 ported by United States citizens and United States 16 businesses to FBI Field Offices the Secret Service 17 Electronic Crimes Task Force the Internet Crimes 18 Complaint Center IC3 website and other Federal 19 law enforcement agencies 20 2 the number of investigations opened as a re- 21 sult of public reporting of computer fraud crimes 22 and the number of investigations open independently 23 of any specific crimes being reported 24 3 the number of cyber fraud cases prosecuted 25 under section 1030 of title 18 United States Code •HR 3270 IH VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00011 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 12 1 and other related statutes involving cybercrime in- 2 cluding the resolution of the cases 3 4 the number of computer fraud crimes deter- 4 mined to have originated from United States sus- 5 pects and the number determined to have originated 6 from foreign suspects and details of the country of 7 origin of the suspected foreign suspects 8 5 the number of dark web cybercriminal mar- 9 ketplaces and cybercriminal networks disabled by kjohnson on DSK79L0C42 with BILLS 10 law enforcement activities 11 6 an estimate of the total financial damages 12 suffered by United States citizens and businesses re- 13 sulting from ransomware and other fraudulent 14 cyberattacks 15 7 the number of law enforcement personnel 16 assigned to investigate and prosecute cybercrimes 17 and 18 8 the number of active cyber defense notifica- 19 tions filed as required by this Act and a comprehen- 20 sive evaluation of the notification process and vol- 21 untary preemptive review pilot program •HR 3270 IH VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00012 Fmt 6652 Sfmt 6201 E BILLS H3270 IH H3270 13 1 SEC 8 REQUIREMENT FOR THE DEPARTMENT OF JUSTICE 2 TO UPDATE THE MANUAL ON THE PROSECU- 3 TION OF CYBERCRIMES 4 a The Department of Justice shall update the 5 ‘‘Prosecuting Computer Crimes Manual’’ to reflect the 6 changes made by this legislation 7 b The Department of Justice is encouraged to seek 8 additional opportunities to clarify the manual and other 9 guidance to the public to reflect evolving defensive tech10 niques and cyber technology that can be used in manner 11 that does not violate section 1030 of title 18 United 12 States Code or other Federal law and international trea13 ties 14 SEC 9 SUNSET 15 The exclusion from prosecution created by this Act 16 shall expire 2 years after the date of enactment of this 17 Act kjohnson on DSK79L0C42 with BILLS Æ •HR 3270 IH VerDate Sep 11 2014 04 22 Jun 18 2019 Jkt 089200 PO 00000 Frm 00013 Fmt 6652 Sfmt 6301 E BILLS H3270 IH H3270