
The Proposed Computer Intrusion and Abuse Act (CIAA)
1030(a)(1)
Criminal Computer Intrusion
Whoever, without the express or implied consent from the owner or operator of the protected computer, accesses a protected computer and
(A) knowingly degrades the confidentiality, integrity, or availability of the protected computer or information contained in the protected computer; or
(B) intentionally degrades the confidentiality, integrity, or availability of the protected computer or information contained in the protected computer.
shall be punished as provided in . . .
Security Research Affirmative Defense
(C) An affirmative defense to knowingly degrading the confidentiality, integrity, or availability of a protected computer or information contained in a protected computer, without the express or implied consent of the owner or operator of the protected computer, shall be established if a defendant proves that:
(i) the actions taken by the defendant constituted good-faith testing, investigation and/or correction of a security flaw or vulnerability;
(ii) such activity is carried out in a controlled environment[1] designed to avoid any harm to individuals or the public; and
(iii) the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines.
1030(a)(2)
Criminal Impersonation with a Credential
Whoever—
(A) knowingly uses a credential without the express or implied consent of the owner of the credential to access a protected computer and views or uses information that is not intended for viewing or use without the credential shall be punished as provided in…; or
(B) knowingly and with intent to defraud traffics (as defined in section 1029) in any credential or similar information through which a computer may be accessed without the express or implied consent of the rightful owner of the credential, if—
(i) such trafficking affects interstate or foreign commerce; or
(ii) such credential is used by or for the Government of the United States;
shall be punished as provided in . . .
1030(a)(3)
Abuse of Government Position of Trust
Whoever, having signed a duty of confidentiality as a requirement for government employment, or for authorization to access a government computer, or information contained in government computers or systems not otherwise available to the public and—
(A) accesses a government computer for a non-government purpose that would violate the proscribed duty of confidentiality; or
(B) obtains, transmits, or uses information contained in a government computer not otherwise available to the public for a non-government purpose that would violate the proscribed duty of confidentiality;
shall be punished as provided in . . .
(C) Rule of Construction--Nothing in this provision may be construed as limiting whistleblower protections provided by state or federal laws.
1030(a)(4)
Epidemic Malware
Procedure for the takedown of epidemic malware by a private entity in partnership with the Government
(1) A private entity that is experiencing a degradation caused by epidemic malware or whose customers are experiencing or are likely to experience a degradation caused by epidemic malware may, in consultation with the Government, make an application to for an order authorizing the takedown of the epidemic malware. Each application shall include the following information—
(a) An epidemic malware designation: a certification by (**What level of official at DHS? Any delegation authority necessary?) that the malware identified by the private party is epidemic malware;
(i) When making an epidemic malware designation, the certifying official shall consider but not be limited to the following factors:
(A) a recent increase in amount or virulence of the malware;
(B) the recent introduction of the malware into a setting where it has not been before;
(C) an enhanced mode of transmission so that more susceptible machines and systems are exposed;
(D) a change in the susceptibility of the targeted systems, and/or factors that increase target exposure or involve introduction through new methods of transmission.
(b) An explanation of how the epidemic malware is affecting the products, services or systems of the private entity or its customers;
(c) A certification of agreement signed by the Attorney General, the Deputy Attorney General, the Assistant Attorney General for the Criminal Division, or the National Security Advisor that, in weighing the relevant information security, cyber security, national security or law enforcement interests and equities at stake, the proposed takedown or disruption is the most reasonable course of action to prevent further or future harm;
(i) The certification of agreement should represent the combined agreement of the DOJ, the DHS and the FTC. When any of these agencies disagrees with the judgment of the others, the Government’s certification authority is automatically elevated to the National Security Advisor, who may delegate the authority to the Cybersecurity Coordinator of the National Security Council.
(d) A joint certification by the private entity seeking the order signed by the private entity and the Attorney General, the Deputy Attorney General, the Assistant Attorney General for the Criminal Division, or the National Security Advisor that all less invasive means have been exhausted;
(i) The Government’s part of the certification should represent the combined agreement of the DOJ, the DHS and the FTC. When any of these agencies disagrees with the judgment of the others, the Government’s certification authority is automatically elevated to the National Security Advisor, who may delegate the authority to the Cybersecurity Coordinator of the National Security Council.
(e) A plan of dissolution and notice, approved by a technical advisor from a court-appointed list, that contains—
(i) an assessment of the harm or potential harms to the private entity, its customers, other members of the public, or other networks or systems if the epidemic malware at issue is not taken down;
(ii) an assessment of the harm or potential harm to members of the public or other networks or systems if the epidemic malware takedown is allowed;
(iii) a description of how the private party plans to execute the takedown of the epidemic malware, to include any cooperation or assistance to be provided by the Government or other third parties;
(iv) a description of how the private entity making the application and any government agencies or third parties assisting in the takedown effort will protect personally identifiable information of affected members of the public;
(v) a description of steps or processes that will be taken to minimize foreseeable harms identified in (ii), along with remediation and escalation processes that will be put in place to remediate any unintended impact on a private entity’s customers, other members of the public, or other networks or systems; and
(vi) a description of how notice will be provided to all reasonably foreseeable impacted parties, to include any cooperation or assistance to be provided by the Government or other third parties.
(2) Upon such application, either the private entity making the application or the Government may make a motion to seal the application, which the court shall grant if the court determines that disclosure of the application could result in the following—
(A) endangering the life or physical safety of an individual;
(B) flight from prosecution;
(C) destruction of or tampering with evidence;
(D) thwarting or disrupting the takedown plan proposed in the application; or
(E) otherwise seriously jeopardizing an investigation.
(3) Upon such application, the judge may issue an order granting the application for takedown of epidemic malware or may schedule an ex parte hearing to obtain additional testimony or other evidence from the private entity making the application, the Government or the technical advisor. If a hearing is scheduled, the private party making the application or the Government may make a motion to seal the courtroom, which the court shall grant if it finds that a public hearing could result in any of the factors described in paragraph (2).
(4) Technical Advisor—the position of technical advisor referenced in paragraph (1)(e) is a neutral party with the appropriate technical expertise to review and approve plans for dissolution and notice, and to advise the court on technical matters arising in the course of assessing and granting a private entity’s application to take down epidemic malware. The DHS shall assist the Administrative Office of the Courts in recruiting a group of non-government individuals who can serve as technical advisors for courts around the country. The Administrative Office of the Courts shall publish, and keep up to date, a list of approved technical advisors on its website. Private entities that are preparing applications to take down epidemic malware should contact the Administrative Office of the Courts about making arrangements for a technical advisor to become engaged in the pre-application preparation process with the private entity and the Government. At the end of the engagement of the technical advisor, the private entity making the application, or that utilized the services of a technical advisor for the purpose of making an application, shall reimburse the Administrative Office of the Courts for the services performed by the technical advisor. The DHS shall complete an annual review of the technical advisor list to ensure that an appropriate number of technical advisors with the appropriate skill level are available.
(5) Guidance—the Secretary of Homeland Security, in consultation with the Attorney General and the Federal Trade Commission, shall create and publish on the DHS website guidance and rules for the epidemic malware designation process and best practices and procedures for notice to parties that may be impacted by takedown efforts.
(6) Annual report—beginning one year after the enactment of the epidemic malware provision, the DHS, in conjunction with the Administrative Office of the Courts, shall publish an annual report containing the following information—
(a) How many applications for takedown of epidemic malware were filed and how many were granted;
(b) How long each individual takedown effort took with respect to each application;
(c) For each individual takedown effort:
(i) how many individual third party or consumer computers, devices or systems were defended;
(ii) how many individual consumer or third party computers, devices, systems, or networks experienced confidentiality, integrity, or availability harms in the course of the takedown effort that were anticipated and discussed by the plan of dissolution approved by the technical advisor;
(iii) how many individual consumer or third party computers, devices, systems, or networks experienced confidentiality, integrity or availability harms in the course of the takedown effort that were not anticipated and discussed by the plan of dissolution approved by the technical advisor;
(d) Any other information, which can be presented in the form of a summary if appropriate, that will educate Congress and the public on the benefits, risks and lessons learned from the year’s takedown efforts. DHS should consult with the technical advisors involved in the year’s takedown efforts and with relevant government agencies, to include the DOJ and the FTC. DHS may also consult with any other experts, affected third parties or foreign partners that assisted with or were impacted by the takedown efforts.
(e) Both DHS and the Administrative Office of the Courts shall assist with the collection of information necessary for DHS to complete the analysis in (a)-(d) above. Private entities that receive court authorization to take down epidemic malware shall provide DHS or the Administrative Office of the Courts with the information necessary for DHS to complete the analysis in (a)-(d) above.
(7) Definitions
As used in this chapter—
(a) Epidemic malware means malicious software whose primary function is to (1) cause a change in the confidentiality, integrity or availability of multiple computers, devices, systems, or networks; and (2) take partial control over their operation without the consent of the owner for purposes of using the computers, devices, systems or networks in coordinated criminal activity;
(b) Personally identifiable information, as defined in OMB Memorandum M-07-16, refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for a private entity or government agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.[2]
[1] We would recommend that Congress add a sunset provision for the purpose “forcing” a congressional-level evaluation of how the statute actually worked in practice and the consideration of any needed reforms for re-authorization.
[2] https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act