
Rep. Tom Graves, House Appropriations Committee, "[Discussion Draft] Active Cyber Defense Certainty Act - 2.0," May 25, 2017. Unclassified.


National Security Archive

May 23, 2026

A May 2017 House discussion draft sought to legalize limited “hack‑back” activity by adding a defense to CFAA prosecution for victims who access an attacker’s computer for attribution, disruption, or monitoring, subject to prior FBI notification and a two‑year sunset.

Source: Rep. Tom Graves, House Appropriations Committee, "[Discussion Draft] Active Cyber Defense Certainty Act - 2.0," May 25, 2017. Unclassified. Date: May 25, 2017. Archive: TomGraves.house.gov.


Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

A Legislative Response to the ‘Hack‑Back’ Debate

In May 2017 Representative Tom Graves of Georgia, a member of the House Appropriations Committee, circulated a revised (“2.0”) discussion draft of the “Active Cyber Defense Certainty Act” (ACDCA); the draft leaves the committee of referral blank. The bill sought to carve out a narrow criminal‑law defense for private entities that, after suffering a persistent intrusion, would “access without authorization” the attacker’s computer to gather attribution data, disrupt the ongoing intrusion, or observe the adversary’s tactics. The timing matters: the draft appeared roughly six months after the 2016 U.S. presidential election, with investigations into Russian‑linked interference still unfolding and cyber‑offense policy in the national spotlight. Law‑makers, confronting a perception that existing statutes—chiefly 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (CFAA)—were stifling defensive innovation, drafted a legislative fix that would give victims a limited shield from prosecution.

The Broader Cyber‑Security Context

The ACDCA sits at the intersection of two longer‑running policy currents. First, the “hack‑back” conversation, which dates back to the early 2000s, has oscillated between calls for private retaliation and warnings about escalation, collateral damage, and jurisdictional chaos. Second, a run of high‑profile incidents, including the Sony Pictures breach (2014), the Office of Personnel Management breach (2015), and the WannaCry ransomware outbreak of 12 May 2017, less than two weeks before this draft, fueled demand for more proactive defensive tools. By 2017 the NIST Cybersecurity Framework (first published in 2014) had become a de‑facto industry standard, yet it offered no authority for offensive countermeasures. Graves’s draft therefore attempted to formalize a legal safe harbor, explicitly excluding conduct that destroys others’ data, causes physical or financial injury, or threatens public health or safety, and capping what may be done to an intermediary computer at the reconnaissance needed to attribute the intrusion.

What the Text Reveals About Congressional Intent

The bill’s language is careful, reflecting an awareness of the CFAA’s broad reach. Section 2 creates an “exception for the use of attributional technology”: the CFAA would not apply to a defender whose beacon‑type program, originating on the defender’s own computer, is removed by the intruder (typically carried off with exfiltrated files) and then reports back locational or attributional data, provided the code does not destroy data, impair the attacker’s system, or create a backdoor enabling intrusive access. Section 3 makes an “active cyber defense measure” a defense to prosecution and enumerates the permissible goals: attribution, disruption of continued unauthorized activity against the victim’s own network, and monitoring to improve future defenses. It excludes conduct that destroys information on another’s computer that does not belong to the victim, causes physical or financial injury, threatens public health or safety, or goes beyond the reconnaissance needed to attribute the intrusion on an intermediary computer, underscoring a legislative desire to avoid the collateral damage that critics fear from hack‑back operations. Two practical limits deserve note. The Section 3 shield is a defense to prosecution, not a bar to being charged, and it does not reach the CFAA’s civil cause of action in § 1030(g), state computer‑crime statutes, or foreign law, so a victim whose “attacker” turns out to be a compromised third party abroad would still face exposure. And the intermediary‑computer limit presupposes that the defender can already tell an attacker‑owned host from an intermediary, which is precisely what the attribution the measure is meant to establish.

Section 4 requires a victim to notify the FBI‑led National Cyber Investigative Joint Task Force before using an active cyber defense measure. It signals that lawmakers did not envision a free‑wheeling frontier of private cyber‑offense but rather a monitored channel in which law enforcement is informed in advance. By demanding a description of the breach, the intended target, evidence‑preservation steps, and safeguards for intermediary computers, the draft attempts to balance victim autonomy with government oversight. The mechanism is notice, though, not authorization: nothing in the text requires the FBI to respond, lets it veto the measure, or conditions the defense on its approval.

Limited Lifespan and Political Calculus

The sunset provision, two years from enactment, reveals the bill’s experimental character. Rather than enshrining a permanent right, Graves framed the defense as a trial period, likely to gauge effectiveness and unintended consequences. This mirrors an earlier time‑bound cyber‑policy measure, the Cybersecurity Information Sharing Act of 2015, whose authorities were given a ten‑year sunset.

Legacy and Ongoing Relevance

Although this discussion draft never reached the floor, Graves formally introduced the Active Cyber Defense Certainty Act as H.R. 4036 in October 2017 and reintroduced it as H.R. 3270 in June 2019; neither bill advanced out of committee, and the CFAA remains unamended on this point. The draft’s structure, a narrow enumerated set of permitted purposes, explicit carve‑outs for destructive conduct and for intermediary systems, mandatory prior notice to the FBI, and a sunset, has remained the reference point in subsequent hack‑back debates.

In the present moment, where ransomware groups routinely exfiltrate data and demand payment and where state actors continue to route attacks through compromised intermediaries to mask their origin, the policy question of whether victims should be allowed to “hack back” remains unsettled, while the legal answer under the CFAA as written is that accessing an attacker’s computer without authorization is a violation like any other. Graves’s 2017 draft provides a concrete legislative template that balances the desire for proactive defense with safeguards against escalation. As policymakers revisit the hack‑back debate, the ACDCA’s blend of narrow defenses, mandatory FBI notification, and a built‑in sunset offers a pragmatic, if imperfect, roadmap for integrating private cyber‑defense into the broader U.S. security architecture.


Page 1


[DISCUSSION DRAFT] ACTIVE CYBER DEFENSE CERTAINTY ACT – 2.0

To amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

Mr. GRAVES of Georgia introduced the following bill; which was referred to the Committee on _______.

A BILL

To amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Active Cyber Defense Certainty Act”.

SEC. 2. EXCEPTION FOR THE USE OF ATTRIBUTIONAL TECHNOLOGY

Section 1030 of title 18, United States Code, is amended by adding at the end the following: “(k) EXCEPTION FOR THE USE OF ATTRIBUTIONAL TECHNOLOGY. ---

“(1) The provisions of this section shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of an intrusion; if

“(A) the program, code, or command originated on the computer of the defender but is removed by an unauthorized user; and

Page 2


“(B) the program, code or command does not result in the destruction of data or result in an impairment of the functionality of the attacker’s computer system, or create a backdoor enabling intrusive access into the attacker’s computer system.”

SEC. 3. EXCLUSION FROM PROSECUTION FOR CERTAIN COMPUTER CRIMES FOR THOSE TAKING ACTIVE CYBER DEFENSE MEASURES.

Section 1030 of title 18, United States Code, is amended by adding at the end the following: “(l) ACTIVE CYBER DEFENSE MEASURES NOT A VIOLATION.—

“(1) GENERALLY.—It is a defense to a prosecution under this section that the conduct constituting the offense was an active cyber defense measure.

“(2) DEFINITIONS.—In this subsection—

“(A) the term ‘victim’ means an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer;

“(B) the term ‘active cyber defense measure’—

“(i) means any measure—

“(I) undertaken by, or at the direction of, a victim; and

“(II) consisting of accessing without authorization the computer of the attacker to the victim’s own network to gather information in order to:

  1. establish attribution of criminal activity to share with law enforcement and other United States Government agencies responsible for cybersecurity;

  2. disrupt continued unauthorized activity against the victim’s own network; or

  3. monitor the behavior of an attacker to assist in developing future intrusion prevention or cyber defense techniques, but;

Page 3


“(ii) does not include conduct that—

“(I) destroys or renders inoperable information that does not belong to the victim that is stored on a computer of another;

“(II) causes physical or financial injury to another person;

“(III) creates a threat to the public health or safety; or

“(IV) exceeds the level of activity required to perform reconnaissance on an intermediary computer to allow for attribution of the origin of the persistent cyber intrusion;

“(C) the term ‘attacker’ means a person or an entity that is the source of the persistent unauthorized intrusion into the victim’s computer; and

“(D) the term ‘intermediary computer’ means a person or entity’s computer that is not under the ownership or control of the attacker but has been used to launch or obscure the origin of the persistent cyber-attack.”.

SEC. 4. NOTIFICATION REQUIREMENT FOR THE USE OF ACTIVE CYBER DEFENSE MEASURES

Section 1030 of title 18, United States Code, is amended by adding the following: “(m) NOTIFICATION REQUIREMENT FOR THE USE OF ACTIVE CYBER DEFENSE MEASURES -

“(1) GENERALLY. - A victim who uses an active cyber defense measure under this section must notify the FBI National Cyber Investigative Joint Task Force prior to using the measure.

“(2) REQUIRED INFORMATION. - Notification must include the type of cyber breach that the person or entity was a victim of, the intended target of the active cyber defense measure, the steps taken to preserve evidence of the attacker’s criminal cyber intrusion, as well as steps taken to prevent damage to intermediary computers not under the ownership of the attacker.”

SEC. 5. SUNSET.

The exclusion from prosecution created by this Act shall expire 2 years after the date of enactment of this Act.

Page 4

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu
