Representatives Tom Graves (R-GA) and Kyrsten Sinema (D-AZ) have introduced a bill to amend the Computer Fraud and Abuse Act. The bill, titled the “Active Cyber Defense Certainty Act,” would allow the defensive use of “beaconing” technology (see H.R. 4036). A “beacon” is a program that causes traffic to leave a network at regular intervals. Beacons are frequently employed by malware to signal to the malware’s proprietor that a network has been compromised so that it can be accessed or connected to a botnet. H.R. 4036 would allow the defensive use of malware to beacon information that could identify an attacker. It would immunize this activity from criminal CFAA culpability, but not from civil liability. It would require notification to the FBI National Cyber Investigative Joint Task Force before using a defensive beacon and would establish a voluntary pilot program through which the FBI would approve specific tools prior to notification.
There is some good reason for relaxing the CFAA in defensive contexts, but the requirement of prior FBI authorization seems highly problematic to me. Essentially, this amounts to the cyber-deputization of private entities, which raises privacy and oversight concerns.