With the flurry of major cyberattacks and the ramping up of IoT, two new pieces of legislation have recently been introduced:
- The Active Cyber Defense Certainty Act (ACDC), which would make it legal for victims of hackers to hack back; and
- The Cyber Shield Act of 2017, which is designed to address consumer IoT devices.
ACDC, also known as a ‘hack back’ revenge law (and a hard-rock ’80s band), is actually an amendment to the 31-year-old Computer Fraud and Abuse Act (CFAA). If passed, CISO MAG says it will allow “hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy stolen data, and deploy a technology to trace the physical location of the perpetrator.”
But, as Joe Uchill clarifies in The Hill, that will be allowed “if the goal is to disrupt, monitor or attribute the attack, or destroy stolen files.” Accordingly, before actually taking any action, the hacked organization’s IT department would be required to notify the FBI National Cyber Investigative Joint Task Force.
The Cyber Shield Act of 2017 focuses specifically on consumer IoT devices, calling for more stringent standards and requiring more accountability. Given the IoT botnet storm now forming, and with the number of IoT devices expected to be in our pockets by 2020 possibly as high as 50 billion, the bill is trying to preempt what could be a dangerous landscape.
Explaining the scope of the Act in SlashGear, Chris Davies says, “Use of the standards would be voluntary, not mandatory, so it would be up to individual manufacturers to decide whether to participate in the scheme. According to the bill, there’s the potential for several ‘grades’ of compliance, which could mean different types of badge or label depending on how closely the product meets security benchmarks.”
For more about US cybersecurity regulations, see the American Bar Association’s Cybersecurity Resources site.