The Forty-Year Cyber Policy Failure Congress Refuses to Address

Late last month, the former deputy assistant director of the FBI's Cyber Division testified before the House Homeland Security Committee that the federal government should consider designating ransomware operators as terrorists and pursuing felony murder charges against attackers whose intrusions kill patients. The testimony was a serious response to a serious problem. It was also a measure of how far the cyber policy conversation has drifted from the question that would actually change the threat environment.

Terrorist designations are post-hoc. Homicide prosecutions are post-hoc. Sanctions are post-hoc. Indictments of foreign operators are post-hoc. The entire architecture of American cyber enforcement is built around consequences imposed after the harm has occurred — and for forty years, Congress has steadfastly refused to legislate the one consequence that would matter most to attackers and most to victims: the right to interrupt an attack while it is underway.


A homeowner in most American states may use deadly force to stop an intruder reaching for a television. A hospital CISO watching a confirmed exfiltration leave her network in real time may do exactly one thing: document the theft and call the FBI. If she does anything else — if she reaches one hop downstream to interrupt the transfer in progress — she has committed a federal crime under 18 U.S.C. § 1030.

This asymmetry is not the product of careful legislative deliberation. It is the product of forty years of legislative avoidance. And the avoidance, I will argue, is the most consequential cyber policy choice the United States has ever made.

A legislative record without a victim

Congress has not been idle on cyber. Since the mid-1980s, it has produced a continuous body of federal cyber legislation that is, by any reasonable measure, substantial.

The Computer Fraud and Abuse Act was enacted in 1986 and amended in 1994, 1996, 2001, and 2008. The Computer Security Act of 1987 (Public Law 100-235) established NIST's authority over federal civilian computer security and, in the process, drew the jurisdictional line between civilian and national-security systems that still governs federal cyber organization today. The Federal Information Security Management Act passed in 2002 and was modernized in 2014. The Cybersecurity Information Sharing Act was enacted in 2015. The Cybersecurity and Infrastructure Security Agency was stood up as an operational component of DHS in 2018. The Office of the National Cyber Director was established by statute in 2021.

This is a Congress that has been continuously engaged with cyber for four decades. It has legislated the boundaries of federal system security. It has criminalized unauthorized access in five separate statutory revisions. It has structured the federal-private information-sharing relationship. It has built and rebuilt the organizational architecture of national cyber defense.

In forty years, it has not once legislated whether the victim of an active exfiltration has the right to interrupt the transfer.

The Active Cyber Defense Certainty Act was introduced in 2017 by Representatives Tom Graves and Kyrsten Sinema. It was reintroduced in 2019. Neither version received a floor vote. The bill's existence proves Congress knows the question is on the table. The bill's fate proves Congress has decided to keep it there.

The shape of the asymmetry

The legal vacuum has produced an operational reality that, when stated plainly, is difficult to defend.

A ransomware operator working from a non-extradition jurisdiction faces, in practice, a probability of prosecution approaching zero. Successful prosecutions of foreign ransomware operators in 2025 numbered in the low double digits worldwide, against an industry whose estimated annual revenue exceeds one billion dollars. The victim — typically a hospital, a school district, a mid-market manufacturer, a municipal government — faces the full weight of regulatory liability, civil litigation, board accountability, and operational harm.

One side of this exchange bears nearly unlimited downside risk. The other side bears nearly none. This is not a threat environment. It is a market, and the market is functioning exactly as its incentive structure predicts.

The conventional response is to point to the things we have done. The Treasury Department has sanctioned mixers and exchanges. DOJ has clawed back ransom payments, most notably the partial Colonial Pipeline recovery. FBI and partners have disrupted Hive, LockBit (twice), and the ALPHV/BlackCat infrastructure. CISA has improved baseline guidance. None of this is nothing. All of it, taken together, is too small.

These are tactical wins inside a strategic loss. Sanctions disrupt laundering for measurable but brief windows before volume routes around them. Takedowns are followed by re-branding inside a quarter. Indictments of foreign operators function as press releases. The asymmetry between attacker risk and defender risk is not closing. It is widening.

What the "next hop" means, and what it doesn't

Let me be precise about the legal change I am arguing for, because precision is the only thing that protects this argument from being misread as a call for vigilantism.

I am not arguing for hack-back authorities. I am not arguing for retaliation. I am not arguing for the right to compromise an attacker's infrastructure as a punitive measure, to recover data through offensive operations, or to engage in any conduct whose purpose is to inflict harm on the attacker.

I am arguing for the legal recognition of a category that exists in every other domain of self-defense and exists nowhere in cyber: the right to interrupt a crime in progress.

When an exfiltration is underway, the defender can typically observe the immediate next hop — the command-and-control server, the staging system, the relay — through which the data is transiting. Current law permits the defender to log this traffic, to characterize it, to share indicators of compromise, and to report it. Current law forbids the defender from taking any action against that next-hop system to interrupt the transfer in progress, even when attribution to the attacker's infrastructure is unambiguous and even when the action contemplated is narrowly scoped to interrupting that specific transfer.

This is the gap. Not punishment. Not retaliation. Interruption.

The doctrinal analogue is the long-settled law of defense of property and defense of self. American common law has never required a victim to wait until a crime is completed before responding. The reasonableness standard — proportionality, immediacy, scope — is the mechanism by which we distinguish legitimate interruption from vigilantism. We apply this standard to homeowners, to merchants, to security guards, and to law enforcement. We have declined, uniquely, to apply it to cyber defenders.

The objections, and where they fail

The standard objections to active cyber defense are serious and I want to take them seriously.

Attribution is hard. Sometimes. It is also sometimes trivial. The exfiltration to a known command-and-control server with a known operator and a known wallet, observed in real time from the victim's own network, does not present the attribution problem that the objection imagines. The objection conflates the hardest cases with all cases. A reasonableness standard — the same standard we apply in every other domain of self-defense — would distinguish them.

Collateral damage is real. Yes. The attacker's infrastructure frequently transits compromised third-party systems — hospitals, universities, small businesses whose servers have been weaponized without their knowledge. An action against the next hop could disrupt the operations of an innocent party. This is a genuine concern. It is also a concern that applies, in different forms, to every domain of self-defense we currently permit. The legal response is not prohibition. The legal response is a proportionality requirement.

The CFAA was written for good reasons. It was. The CFAA in 1986 was a response to a specific set of harms — unauthorized access, fraud, malicious intrusion — that the existing criminal code did not adequately address. Its drafters were not contemplating the question of whether a victim observing real-time exfiltration has any right to interrupt the transfer. They could not have been. The threat environment that question arises in did not yet exist. A statute written for one purpose, applied four decades later to a question its drafters did not contemplate, is not legislative wisdom. It is legislative inertia.

Active defense will escalate. Possibly. The same argument was made against every expansion of self-defense doctrine in American legal history. The empirical question of whether a narrowly defined interruption right would produce more harm than it prevented is exactly the question Congress has declined to investigate, by declining to hold the hearings, declining to advance the bill, declining to commission the study.

What the silence costs

The forty-year silence on this question is not a neutral position. It is itself a policy choice, and the choice has a price.

The price is paid in the asymmetry. Every additional year the question goes unanswered, the gap between attacker risk and defender risk grows. The ransomware industry's revenue trajectory is not a mystery and it is not unpredictable. It is a rational market response to a legal environment in which the cost of attacking is approximately zero and the cost of defending is approximately unlimited.

The price is paid in moral coherence. A legal regime that permits deadly force in defense of a four-hundred-dollar television and forbids software-based interruption in defense of a hospital's entire patient record system is not internally consistent. The inconsistency does not become coherent because we have grown used to it.

The price is paid in deterrence. Deterrence requires consequence. There is no deterrence in cyber today, against any actor of any sophistication, because there is no consequence. The consequence that matters most — the one the attacker actually fears — is interruption of the operation in progress. Sanctions, indictments, and takedowns are post-hoc. They impose costs that the attacker can model and price in. Interruption is the consequence the attacker cannot model, because the attacker does not know when, by whom, or how it will arrive.

That is the consequence Congress has declined to authorize for forty years.

A modest proposal

I am not proposing that Congress pass the Active Cyber Defense Certainty Act as written. The 2017 and 2019 versions of that bill were imperfect, and reasonable people disagreed about specific provisions. I am proposing that Congress hold the hearing.

Forty years of avoidance is enough.

The question on the table is narrow, specific, and legally tractable. Does the victim of an active exfiltration, under a reasonableness standard, have the right to take action against the immediate next hop in the transfer chain to interrupt the transfer in progress? It is a yes-or-no question. Congress has answered every other cyber question it has been asked since 1986. It can answer this one.

I expect that when Congress finally holds that hearing, the answer will involve a tightly scoped right, a high reasonableness standard, a mandatory reporting requirement, and meaningful liability for abuse. That is what the legislative process is for. The current answer — that the question is too uncomfortable to ask — is not a legal position. It is an abdication.

The grandmother in Ohio has more enforceable rights tonight than the hospital CISO watching her patient records leave the building.

That is not a security policy. That is a forty-year-old silence.

It is time to break it.

The author is a former Commander of the U.S. Army Computer Emergency Response Team with 25 years of experience in information technology, cyber operations, cybersecurity and compliance. The views expressed are his own.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
