Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats
A new report from the GW Center for Cyber and Homeland Security offers the most comprehensive assessment to date of the legal, policy and technological contexts that surround private sector cybersecurity and active defense measures to improve U.S. responses to evolving threats. The report provides a framework to develop active defense strategies and offers a set of policy recommendations to the public and private sectors to support implementation of more effective cybersecurity defenses.
A key difference between cybersecurity threats and other security threats is the mismatch between public and private capabilities and levels of authority in responding to these threats. The report states that while the U.S. government will always play an important role in cybersecurity, it lacks the resources to fully defend the private sector in the digital realm. This places businesses on the front lines of the cyber conflict. Three areas most vulnerable to cyber attacks are national security, economic vitality and privacy, according to the report.
“Given the scale and scope of the cyber threat, the digital equivalent of building higher walls and deeper moats alone is a reactive strategy doomed for failure,” said Frank Cilluffo, director of the Center for Cyber and Homeland Security. “Businesses cannot simply firewall their way out of this problem and must instead have greater leeway to more proactively respond to cyber threats. Active defense – done right – offers a viable path forward.”
The report draws on knowledge from a task force including experts in the public and private sectors who are thought leaders in technology, security, privacy, law and business. This report has brought these diverse – and sometimes conflicting – interests closer together and toward productive solutions to common challenges. The aim of the report is to help chart a constructive course forward through the complicated terrains of law, technology and policy as they relate to private sector active defense.
The task force examined current cybersecurity practices commonly found in the private sector and provided case studies that lay out the strengths and weaknesses of such practices in addition to less common, active defense measures. The report dissects the complex web of the legal gray areas of cyber defense that make it difficult for the private sector and policymakers to work together.
In addition, the report provides a new definition of “active defense” that reflects the evolution of cybersecurity capabilities, including operations that allow defenders to gather intelligence and policy tools aimed at deterring hacks. With proper balance, the private sector can be a vital player in ensuring the nation’s economic and national security, the report finds. The study differentiates between active defense and “hacking back”, which refers to offensive cyber measures that are beyond the scope of what is defined as permissible activity in this report. It also balances the need to enable private sector active defense measures with other important considerations such as the protection of individual liberties, privacy and risks of collateral damage when implementing active defense.
The authors develop a framework for active defense against cyber threats that seeks to maximize the effectiveness of the private sector’s ability to defend its most valuable data and assets through technical and non-technical tools. This framework is risk-driven in that it seeks to inform decision-makers about the relative legal, reputational and collateral risks associated with specific active defense measures. The report’s recommendations are broken down by actions for the executive branch, Congress and the private sector. Recommendations include:
· Developing procedures for public-private coordination on active defense measures through existing industry-led cooperation mechanisms.
· Amending the Computer Fraud and Abuse Act and the Cybersecurity Act of 2015 to affirmatively allow low- and medium-impact active defense measures.
· Developing C-suite level operational templates based on risk assessment, industry standards and best practices to integrate into broader cyber strategy and incident response protocols.
“The framework that we provide in this report offers a sustainable path forward for responsible private sector active defense,” said Mr. Beckner. “An informed and equipped private sector, supported by this framework, is necessary to improving America’s cybersecurity posture moving forward.”
The report calls for increased collaboration between the public and private sectors to use available tools more effectively to disrupt and deter cyber threats, noting that the collaboration between the private sector and policymakers is long overdue.