American businesses are under siege from cyber criminals and state-sponsored cyber spies. Despite the billions of dollars spent by companies on cyber defenses, the problem is getting worse.
There are many reasons for this, including the inherent advantage of offense over defense in the cyber game, the poor implementation of basic security practices in enterprises and the growing sophistication and professionalization of cyber crime.
{mosads}Even those businesses that implement “best practices” are being breached by persistent and sophisticated cyber intruders. However, one factor that is often overlooked is the inability of the U.S. government to respond to the overwhelming scale of cyber attacks against U.S. entities.
It is simply not possible for the FBI, the Department of Homeland Security (DHS) and state and local police forces to hire and train enough people to protect our nation against the magnitude of the threat we are facing today. The net result of these factors is that businesses are increasingly under siege.
One option that may be able to help companies better protect themselves from cyber attacks falls under the umbrella term “active cyber defense.” This term is often associated with the idea of hacking back against those who attack you — an action that is illegal under the Computer Fraud and Abuse Act.
However, the concept can be broadly defined to include a rich set of options that do not violate U.S. law. A recent study of this issue defined active defense as “a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defenses and offense.” These measures can include everything from honeynets and beacons to botnet takedowns and sanctions.
I believe that these and other proactive actions have the potential to improve cyber defenses and that we need to move beyond the false dichotomy of inaction vs. hacking back and develop appropriate risk-driven policies for active defense.
While active defenses are promising, they also raise a range of issues that need to be addressed by policymakers. Two possible risks include collateral damage to third parties and inadvertent escalation of tension with other countries.
To avoid such risks and realize the benefits of active defenses, Congress and the executive branch must begin providing guidance to companies that can both provide and consume active defense services.
Here is a list of a few key questions that need to be addressed:
- Who should be able to use active defense techniques?
- Can any person or organization use them or should there be a certification process to ensure that only “qualified” players can enter this space?
- What actions are allowable?
- Are there temporal limits on guidelines that bound when such actions can take place?
- Who is responsible if there is damage to a neutral third party?
- How does active defense activity fit within the broader set of global norms being pursued by the U.S. and other like-minded nations?
The good news is that both Congress and DHS have taken steps to begin exploring these issues. The former via the introduction of the Active Cyber Defense Certainty Act and the latter via Secretary Nielsen’s testimony to the Senate Judiciary Committee that “active defense” is part of DHS’ engagement with the private sector.
It may also be instructive for U.S. government officials to take a close look at what the British are doing on this topic. The U.K. government has been working closely with industry to implement an active cyber defense program via their National Cyber Security Center.
In February, the NCSC released a report detailing the progress they have made under the first year of the program. The results are impressive, and while the British approach is different in kind and scope than the industry-led active defense model being considered in the U.S., it may nevertheless provide useful insights that can influence our thinking on this issue.
Industry’s ability to take sophisticated actions in cyberspace is growing every day. Operations that were once thought to be beyond the reach of private firms are now commonplace in the global arena.
At the same time, companies are facing an onslaught of criminal and nation-state activity that is beyond the ability of government of deter or prevent. It is incumbent upon policymakers to determine what steps private actors can take to defend themselves using the full set of capabilities at their disposal.
Doing so will improve the nation’s cyber posture while decreasing the risks of undesirable actions. This is an outcome both government and industry can support.
Irving Lachow, Ph.D., is deputy director of cyber strategy and execution at The MITRE Corporation, which manages federally funded research and development centers supporting several U.S. government agencies. He’s a visiting fellow at The Hoover Institution at Stanford University. The author’s opinions are his own and not those of MITRE Corporation.