Author: Chris Cook

Contents

Introduction
I. Active Cyber Defense: Conceptual Framework
II. The Legal Background
    A. U.S. Law
    B. International Law
    C. The Laws of Other Countries
III. The Active Cyber Defense Certainty Act - ACDC (H.R. 4036)
    A. Definitional and other Language Ambiguity
    B. Insufficient Liability Protection
    C. Uncertainty under International Law, Potential Unwanted Escalation and the Breakdown of International Norms
IV. Cross-Border Data Access Reform: A Potential Legislative Alternative
    A. The Stored Communications Act and the Problem of Cross-Border Access to Data
    B. The Microsoft-Ireland Case
    C. What Was at Stake and Why There Was a Need for Legal Reform
V. The Clarifying Lawful Overseas Use of Data (CLOUD) Act
    A. Important Protections Included in the New Legislation
VI. Why Cross-Border Data Access Reform is a Better Legislative Option to Address Cyber Threats than ACDC
Conclusion

INTRODUCTION

The cyber threat against the United States is real and growing. In the last few years alone, Sony, Google, JP Morgan, Target, Yahoo, and countless others have suffered serious hacks. (1) This past summer, the ransomware known as WannaCry showed how computer code can shut down industries and cripple their ability to provide basic services. (2) The breach of Equifax, a credit reporting agency that holds the social security numbers and other personal information of more than 140 million Americans, has fueled a conversation about how to respond. (3) Increasingly, private entities are asking for the authority to defend themselves, the public is calling for action, and members of Congress have begun debating the issue of active cyber defense and "hacking back" on networks where hostile cyber activity originates. On October 13th, 2017, Representatives Tom Graves (R-GA) and Kyrsten Sinema (D-AZ) introduced a bill that would allow private entities to defend themselves by breaching the computer networks of their attackers. (4) The proposal is known as the Active Cyber Defense Certainty Act, or ACDC (H.R. 4036). While few doubt the severity of the threat, there must also be serious discussion about the implications of this proposal if enacted.

The law currently bans "hacking back." Should the United States change the law to enable the private sector to defend itself in this way? If so, how? If not, what can we expect going forward, and are there things Congress can do, short of enabling "hack back," that would bolster the defense of America's private sector against hostile cyber actors?

Active cyber defense, and ACDC more specifically, involves a spectrum of capabilities that seeks to help American companies identify their hackers. The proposal would allow private companies (and individuals) to go into foreign networks to gather intelligence and do research on unauthorized intruders and determine who is responsible and how the penetration occurred. A key question is whether this legislation would incentivize entities from other countries to do the same thing against our own networks, potentially making an already serious problem worse. Additionally, there are key questions about whether this proposal would be consistent with the rules and norms we seek to establish on the cyber battlefield. If strengthening attribution capabilities, enhancing cyber investigations, and gaining access to data from systems primarily based overseas is at the core of ACDC, there are other policy options besides "hacking back" that may help with this problem.

Another piece of legislation, enacted into law in early 2018, addresses these issues. The legislation is known as the Clarifying Lawful Overseas Use of Data (CLOUD) Act, (5) which codifies the main framework of a similar earlier proposal by the U.S. Department of Justice to address what is known as the cross-border data access problem. (6) The legislation paves the way for bilateral agreements between countries that would allow law enforcement to access computer data (in furtherance of cyber as well as other investigations) that is stored on foreign soil, so long as certain criteria are met and agreed upon by allied nations. Though the exact limits of such agreements are still being developed and debated, there is broad consensus that cross-border investigations involving data stored abroad, and the process by which those investigations are facilitated, need reform. (7) The CLOUD Act sets the framework by which these executive agreements will be structured and, in sum, substantially improves the situation with respect to cross-border data access.

This paper will discuss these two pieces of legislation, both of which sit at a fascinating intersection of criminal law, cybersecurity, data privacy, the Fourth Amendment, international law, private industry, foreign relations and national security. It will begin by discussing "hacking back" and active cyber defense as a concept, and illustrate how active cyber defense involves a spectrum of cyber defense capabilities. It will then discuss the legal background surrounding "hack back" authority, and show how the law, as currently written, prohibits most of the active cyber defense measures and "hack back" tactics being discussed today. The paper will then show how the current legislative proposal, ACDC, fails to adequately address the law prohibiting "hacking back." It will also show how, from a policy perspective, enabling such activity is rife with hazards, in particular as it relates to the American interest in establishing international norms that discourage private entities and individuals from unlawfully accessing computer networks overseas.

The paper will then turn to the CLOUD Act, which can also help with cyber attribution when such crimes involve digital evidence held abroad. It will illustrate how the legal landscape prior to the enactment of the CLOUD Act was a problem for American law enforcement seeking access to computer data held across international borders, and why foreign governments were similarly frustrated with pre-existing law. It will outline how successful implementation of the CLOUD Act can facilitate access to data across borders and can help solve some of the most significant crimes of our age, such as hacking. It will argue that, unlike ACDC, the CLOUD Act strengthens international norms and agreements with regard to cyber-crime. Along the same lines, it will argue that the benefits of "hacking back" are far less certain than the myriad of complex legal, policy and strategic problems it introduces, particularly if the United States continues to advocate for a rules-based international order. The paper will show how the CLOUD Act is underappreciated as a cybersecurity measure, and how its basic framework for revising cross-border data access is a less problematic way of attacking the attribution problem, will help set the international norm we seek to establish in cyberspace, and could, if implemented properly along with other cybersecurity advancements, be a more helpful strategic deterrence mechanism over the long term.

I. ACTIVE CYBER DEFENSE: CONCEPTUAL FRAMEWORK

The term "hack back" can be misleading. Active cyber defense can entail a spectrum of capabilities that organizations can use to defend themselves against hostile cyber activity, any number of which could fall short of "hacking back." In October of 2016, George Washington University's Center for Cyber and Homeland Security assembled a task force on the issue and published a report on its conclusions. (8) The participants on the task force included a wide range of experts from government, academia, and the private sector. Task force co-chairs included retired Admiral Dennis C. Blair, the former Director of National Intelligence, and Secretary Michael Chertoff, the former Secretary of Homeland Security. The detailed study offered the following definition of active defense:

    Active defense is a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors. The term active defense is not synonymous with "hacking back" and the two should not be used interchangeably. (9)

The Center arrived at this definition after looking at activities that fall across the range of actions that cyber defenders can take on their own networks and on the networks of the attacker. On one end of the spectrum are activities that produce effects solely within an actor's own networks. These low-risk options include defensive measures such as information sharing and the use of honeypots or tarpits (a honeypot is a decoy system that lets the defender observe an attacker's techniques to inform defenses; a tarpit deliberately slows an attacker's connections to waste their time and resources). These activities are characterized as potentially insufficient by themselves to defend against the most advanced cyber aggressors. (10) On the other end of the spectrum are activities that occur outside the actor's own network and are aimed at coercing the aggressor, imposing costs, degrading capabilities, or accessing protected information without authorization. The report characterizes these activities as "offensive." (11) Examples of this type of offensive activity include "hacking back" to retrieve stolen data, retaliating with malware to damage an intruding system, or even stealing intellectual property. The report states that private sector actors should not be authorized to use these tactics except in very limited circumstances, in cooperation with or under the delegated authority of a national government. (12) The report goes on to argue, however, that...
