OK, USians, possibly time to talk to your Congresscritters.
"Congress determines that the use of active cyber defense techniques, when properly applied, can also assist in improving defenses and deterring cybercrimes."
The rest of the rationale seems to be that attackers are dangerous and fast, and waiting around for law enforcement to help you is just going to give the bad guys time to destroy your systems and get away.
OK, I don't understand all of the wording in this bill. (I rather suspect that the author isn't entirely certain of it, either.) But the overall upshot seems to be that, yes, you can attack anyone who is attacking you (or who you think is attacking you) if you tell the FBI you are going to do it.
Come to think of it, good luck with finding, before the bad guys destroy your systems and get away, someone in the FBI who understands the situation and will give you official permission to mount an active defence attack.
(10) Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.
No chance of them being explicit with who they feel are qualified then? And attribution is always easy, isn't it?!
It's been a much discussed issue here too (UK) in terms of "Attacking the Attackers". While it seems to be a great idea at first, there are so many inherent issues to consider that it becomes problematic to even consider.
While the merits and pitfalls of such activities could be argued for years to come, there will inevitably be more and more reasons to sanction such activities. However, careful consideration would be needed in terms of lines of remit, boundaries of responsibility and where the law sits in regard to it all.
Reporting into someone prior to taking action is likely the best course of action, if it was at all feasible... but as you rightly point out, there is no guarantee that the person you report into would have any idea what you were about to do anyway, let alone have the power to critique or monitor it...
As you rightly point out, at this moment, it is unlikely that any such legislation will come to pass... but maybe one day...
Imagine the future history book describing the early beginnings of World War III being started by a well-meaning intern attacking and hacking back an unknown adversary. Setting off a continuing chain of events that quickly escalates to the government level with all parties reacting accordingly. Hack, counter-hack and attack. Rinse and repeat.
All we need is an electronic version of Gavrilo Princip to assassinate the next Franz Ferdinand. This bill needs to die quietly and never see the light of day or committee - whichever comes first.
It's the modern version of a shoot out in front of the saloon - whoever has the quicker draw (compute power), better aim (strategy), and ability to dodge the bullet (think Neo in Matrix), would win the battle.
Beyond a few nation states, and some large corporations, namely Apple, IBM, Dell, HP, etc. that do have the compute power to execute a counter attack, the little guy has no chance.
I agree with @Beads that this is silly at best and demonstrates a complete lack of understanding of the dark web. This bill is a waste of time.
A friend (who is just finishing up his PhD on the topic) and I are working on a presentation on "Ethics of Active Defence," and looking for conferences to present it at.
Let us know where you do get to present.
Thanks, I'll try to remember to stick it in here. (I've spent most of the morning reading my co-presenter's draft dissertation on "ACD" [during a boring vendor seminar] [for which I'll have to remember to submit CPEs] and making notes for him to address issues there.)
It would be of high interest to many I'm sure! If I see any call for such things I will pass details on to you.
Thanks much. I've done a number of presentations on ethics over the years, and this makes a really interesting case study. I also think it is an area that a lot more people should be thinking about, with implications for a wide range, such as artificial intelligence, network design, forensics, etc.
(The vendor this morning works in the network security space. We had a VP giving us top secret information about future product lines. I asked a question about active defence, and expected he wouldn't answer because it might be too political/controversial even for a closed group like this one. I didn't get an answer--because he didn't understand the question ...)
Hey, admins and ISC2 HQ type people: you guys interested in a Webinar on the Ethics of Active Defence?
Let us know where you do get to present.
(We still haven't tested the connection to the conference venue ...)