Gateway to Think Tanks
Source type | Book/Report
Normalized type | Report
Title | Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace?
Authors | Wyatt Hoffman; Ariel (Eli) Levite
Publication date | 2017-06-14
Publication year | 2017
Language | English
Overview | Faced with limited capacity and resources, governments need to develop a complementary, legitimate space for private sector active cyber defense.
Abstract |

The cyber revolution and ever-growing transfer of human activities into the virtual world are undermining the social contract between modern states and their citizens. Most governments are becoming unable and unwilling to protect citizens and private enterprises against numerous, sophisticated cyber predators seeking to disrupt, manipulate, or destroy their digital equities. Inevitably, states are focused on protecting governmental assets and national infrastructure, leaving themselves with modest residual capacity and resolve to underwrite other cybersecurity risks. Faced with this reality, private entities are reluctantly but increasingly complementing their passive cybersecurity practices with more assertive “active cyber defense” (ACD) measures. This approach carries substantial risks, but if guided by bounding principles and industry models, it also has the potential for long-term, cumulative benefits.

Regulating an Emerging International Market

The limitations of governance. States are struggling to find a viable formula to regulate emerging private sector cyber activity. The challenge is compounded by the global and rapidly evolving nature of the cyber domain. Consequently, in many countries, national laws governing this space are either absent, vague, or difficult to operationalize. International understanding and conventions to harmonize national responses are also largely absent, complicating efforts to manage cross-border incidents with political ramifications.

The benefit of experience. The shipping industry’s experience with resurging piracy offers valuable insights. After it became clear that governments’ military efforts were insufficient responses to the problem, the demand for private sector security services increased dramatically. While governments initially resisted their involvement, they begrudgingly accepted that the active defense measures deployed by shipowners, in consultation with insurance providers, were helping to deter attacks and that the tradeoffs in risk were unavoidable. The bottom line—the private sector filled a critical gap in protection.

Incentivizing Behavior for Minimum Risk, Maximum Benefit

A principles-based approach. To fill the vacuum in the cyber domain, companies are engaging attackers within and outside of the defender’s network to preempt, interfere with, or mitigate the consequences of cyberattacks. Rather than trying to enforce ineffectual laws and regulations, governments and stakeholders should seek to develop guiding principles for a spectrum of ACD, excluding “hacking back.” Such principles could be embedded in a range of mechanisms, for example a voluntary code of conduct for employing ACD.

An industry-driven model. International and domestic market mechanisms, including a corporate social responsibility initiative, could provide the incentives to ensure voluntary adherence to the principles and code and a degree of accountability. The insurance industry in particular could play a large role in minimizing risk and generating economic advantages for not just defenders but also those working with them or receiving their services.

Introduction

The cybersecurity domain has reached a critical juncture. Reliance on Information and Communications Technology (ICT) has become pervasive in both commercial and private life. This dependence keeps on growing by the day. But with it has come rapid growth in criminal, terrorist, ideological, and security-driven attacks on the ICT infrastructure and the functions it serves. At least for now, attackers seem to have the upper hand. And the prospects for the near term hardly look better. Cybersecurity threats are multiplying. Costs and liabilities associated with cyberattacks are escalating. And while some governments are proving successful in deterring attacks and protecting governmental assets and critical national infrastructure, almost all are proving unwilling and/or unable to extend cybersecurity to the private sector. Most governments eschew a formal commitment to defend the private sector against cyberattacks, manifesting serious shortcomings in pursuing cyber offenders while also exercising deliberate restraint in responding to external threats and attacks directed at private entities based on their soil. Further compounding the cyber threat challenge facing private sector entities is the serious difficulty of obtaining adequate insurance to cover substantial risks or potential losses (beyond physical damages) incurred. Evolving tactics by malicious actors to cripple the services of private entities (à la Dyn),1 steal their intellectual property (as was the case with the 2014 Sony hack), or hold their critical data hostage (such as the most recent widespread use of ransomware) only illustrate how severe the consequences of successful cyberattacks have become.

With the deteriorating state of law and order in cyberspace, domestically and internationally, it is little wonder that significant corporate entities are no longer content limiting themselves to passive cybersecurity and are increasingly resorting to more aggressive forms of self-defense. This is reminiscent of the dynamics in earlier times and places where governments have proven unable to fulfill the fundamental social contract between modern states and their citizens and other entities under their jurisdiction. Typical of these situations is considerable legal ambiguity and fluidity regarding measures private entities can legitimately undertake in self-defense. Naturally, this state of affairs is far more acute when such dynamics are occurring in an increasingly interdependent and globalized international system. The quasi-anarchic nature of cyberspace further impedes quick fixes and other possible remedies.

A gray market for relatively assertive, even aggressive, active cyber defense measures is burgeoning globally. Various private sector entities have been responding to this situation by developing, undertaking, or contracting out for a range of practices—some of them controversial—commonly referred to as active cyber defense (ACD).2 Furthermore, numerous entrepreneurs scattered around the world have apparently been entering this field, offering their ACD services to corporations seeking such support. Companies worldwide are contemplating and, in some cases, engaging in or contracting for practices of uncertain legality in the ACD domain.3 Many are taking advantage of the ambiguous legislation and regulations on cyber activities in the United States, and even more amorphous ones in many other countries, to offer or employ ACD services.4 Reluctance of governments to prosecute those involved in such activities even when they presumably violate current national laws only strengthens the incentive structure to contemplate such actions.

More assertive than passive defenses and other forms of cyber hygiene such as firewalls, ACD measures allow defenders to engage adversaries within and outside of the defender’s networks. They may do so in order to gather intelligence, disrupt planned or ongoing attacks, attempt to reverse the damage from successful attacks, or (in extreme cases) punish attackers. There are diverse assessments of the ad hoc and systemic utility inherent in these practices. Yet it is clear that with the rapidly mounting costs and risks exacted by offensive attacks, the appeal of private sector ACD to complement basic passive security measures is hard to dismiss. For some financial sector entities and others facing the most severe and persistent threats, such measures appear to be an especially attractive option. Yet this activity is occurring without much effective oversight and accountability, let alone international harmonization.

There are valid reasons to believe that ACD (excluding hacking back), if done professionally and responsibly, could prove a useful addition to the toolkit available to private sector entities to protect their key equities and minimize the damage from attacks. Private sector ACD could even potentially benefit law enforcement, intelligence, and other national security agencies. Yet some ACD measures also have serious potential to cause collateral damage, escalation, and other unintended consequences for the defender and third parties, as well as adverse effects on certain other intelligence and law enforcement efforts. Such practice could also potentially carry systemic risks, were private companies to engage in vigilantism across national boundaries or even target foreign state actors. Yet there are mounting pressures, most evident in the United States, to relax the restrictions that ban or limit some forms of ACD.5

The challenges in regulating private sector cyber activity reveal a fundamental friction between states’ desires to monopolize cyber measures and the imperatives of the private sector to defend itself in a space where it has the capabilities, opportunities, and strong incentives to do so. This friction is not unique to the cyber domain; it is evident in analogous historical experiences. One recent instructive case is the rise of the private maritime security industry in response to piracy in the Gulf of Aden in the late 2000s, and the subsequent dilemmas it posed for governments trying to regulate the practice. This experience demonstrates the importance of legal and ethical debates over the desirable nature and extent of private sector self-defense, yet it also cautions against letting the irresolution of such debates paralyze practical efforts to shape norms of behavior that will otherwise be driven purely by dynamics of supply and demand.

This report explores the right balance between private sector ACD and state(s’) ultimate responsibility to provide law and order, including in cyberspace. It discusses a limited spectrum of ACD practices that, if conducted within certain constraints and subject to some conditions, could prove a net positive, serving to minimize the risks and costs of cyber incidents facing companies without creating excessive harm. It examines ways to manage the potential consequences of private sector ACD, including revisiting domestic legal regimes governing ACD activity alongside mechanisms to harmonize these requirements internationally. Unilateral state solutions, even from powerful and influential states such as the United States, are simply untenable because of their inherent pitfalls. Creative mechanisms to regulate this activity globally will be crucial for the creation of legitimate space for private sector ACD. The report begins by examining the characteristics of ACD practices—especially those emerging from the private sector—and the benefits and dilemmas they engender for governments and corporations. It then proceeds to (1) identify a spectrum of ACD measures (short of extreme practices like hacking back) that could strike the right balance between private sector self-defense and state action in cyberspace; (2) propose generic principles to govern this activity; and (3) discuss an incentive structure and other mechanisms to promote adherence to and harmonization of these governing principles internationally. It is informed by an analysis of the challenges posed by private sector use of force in the maritime security industry and the mechanisms that evolved to mitigate risks and promote principled behavior among security providers.

The Spectrum of Active Cyber Defense

The very term “active defense” commonly elicits visions of launching counterhacks against adversaries and, in certain circles, fosters strong objection to ACD as a legitimate private sector activity. However, in practice, the phenomenon is more nuanced. ACD includes a diverse range of cyber measures and practices from the relatively innocuous—such as setting up decoy targets in a defender’s network—to more assertive measures that take place outside the defender’s network but are nonetheless designed to frustrate incoming cyberattacks or mitigate their consequences.6 The most extreme forms include highly offensive measures involving retaliatory, disruptive, or even destructive responses against the attacker. Moreover, ACD measures are not necessarily confined to the cyber domain and potentially involve other behaviors in the physical world designed to harass, disrupt, or punish cyberattackers. ACD may take different forms with varying consequences depending on whether conducted by governments or private companies. There is no consensus on a definition of ACD encompassing the range of measures examined here. It is important to draw out the nuances of the technical nature and scope of ACD. Robert Dewar’s definition provides several useful distinctions between ACD and other forms of passive cyber defenses:

“[A]n approach to achieving cyber security predicated upon the deployment of measures to detect, analyse, identify and mitigate threats to and from communications systems and networks in real-time, combined with the capability and resources to take proactive or offensive action against threats and threat entities including action in those entities’ home networks.”7

Various ACD measures may be employed preemptively, during an ongoing attack at various points along the “cyber kill-chain,”8 and/or in the aftermath of an attack to reverse or mitigate damage. They can affect both the defender’s networks and external networks and computers belonging to the attacker or an intermediary. Paul Rosenzweig offers a useful typology of ACD measures based on the types of effects they have on networks and computers—including observation, access, disruption, and destruction—and whether the actions are internal to the defender’s network or external.9 Rather than provide an exhaustive list of ACD measures, the following selection of less aggressive to more aggressive measures merely demonstrates the broad spectrum and characteristics of some of the best-known current techniques ascribed to ACD.

Less aggressive ACD measures that are typically taken within the defender’s network include intrusion-prevention systems that detect hostile traffic and revise firewalls to block it. Deception techniques (for example, planting false data to disguise targets or creating entire decoy networks) make it difficult for the attacker to access the desired information. “Honeypots” or “honeynets” lure the attacker into an isolated system through a deliberate vulnerability, preventing access to other areas. “Sandboxes” or “tarpits” provide barriers that slow or halt and examine incoming traffic that may be suspicious. And various means of intelligence gathering, including in the “dark net,” can collect information on cyber threats inside and outside one’s systems.10

More aggressive measures that typically access and alter third-party networks include “sinkholing,” which redirects malicious traffic to a system under control of the defender, and “patching” vulnerabilities in a third party’s hijacked computer. Measures analogous to LoJack recovery systems or “digital dye-packets” allow the defender to track data exfiltrated from its network. “Digital beacons” or watermarks similarly alert the defender when stolen data resurfaces elsewhere. Defenders can also temporarily disrupt the servers the attacker relies on or dismantle botnets, which use networks of infected machines to launch attacks.

Finally, the most aggressive actions include forward intelligence gathering (including in external networks and systems) to collect evidence or information about the attacker (for example, capturing their image through their webcam). “Hack backs” into the attacker’s networks can retrieve, alter, or erase stolen data. The attacker’s own systems can be disrupted temporarily to impede their ability to launch attacks or over an extended duration (for example, by locking down a computer). Most controversially, hack backs could even damage the attacker’s networks or computers to prevent further loss or punish the attacker.

The grouping of these measures is a necessary simplification—individual measures could be conducted in more or less aggressive ways or in combination with others. For instance, a honeypot could be used to launch measures with disruptive impacts on the attacker’s systems.11 The degree to which a particular ACD measure is considered aggressive depends on a number of dimensions. In addition to Rosenzweig’s typology of effects and the degree to which measures affect external networks, other factors include the profile of the targets (unwitting participants in an attack, innocent third parties, or adversary networks); the temporal nature of effects (temporary, extended, or permanent) and their scope (localized or broader); and the degree to which the ACD measures are automatic and autonomous. Naturally, these dimensions do not always correlate, but it is possible to place common measures on a spectrum according to how aggressive they are (see Figure 1 for a visual representation). The red dashed line in Figure 1 indicates approximately where measures begin to generate effects outside of the defender’s network. However, the distinction between internal and external is often blurred; some measures may be deployed and/or directed at the target in the defender’s network but still have the potential (and even intent) to affect external networks. Further, even the boundary between networks is disputable.12

Advantages and Risks of Active Cyber Defense

Active cyber defense serves as a potential complement, rather than alternative, to passive cyber defense. When responsibly undertaken, ACD can enhance cybersecurity by offering unique functions, or advantages, to the defender (as well as some strategic systemic benefits) that passive defenses do not. Some ACD measures, however, carry inherent risks that will vary depending on the capacity of the defender and the threat. The advantages and liabilities appear at both the tactical and broader strategic levels (see Table 1).

Active Cyber Defense as a Cybersecurity Strategy

Active cyber defense is not a purely technical phenomenon, and its merits and drawbacks must be weighed in the context within which ACD measures are or could be conducted. Given the lack of clarity around roles and responsibilities for private sector defense, it is pertinent to distinguish how and toward what ends governments and private actors could conduct ACD. The first distinction is the function that ACD measures are designed to serve:

Taken together, these functions represent a broad strategy toward cybersecurity predicated upon altering the calculus of malicious actors through reshaping the environment and corresponding incentive structure in which they operate. In this sense, the functions of government and private sector ACD are not mutually exclusive, but they can be distinguished in several ways. Active cyber defense, as a conceptual approach to cybersecurity, can be compared to a concept in criminology known as Situational Crime Prevention (SCP).13 SCP focuses on altering the settings that provide opportunities and incentives for crimes rather than focusing on the criminals per se. This is done through a wide range of actions to increase the effort required and risks associated with committing a crime, reduce rewards, and mitigate the situational factors that provoke criminals or provide excuses for crime. Critically, this includes not just efforts via the criminal justice system but also efforts via public and private organizations that manage and shape the environment in which criminals operate. Thus, SCP does not depend on eliminating criminal threats or changing the motives of criminals. Because this approach focuses on environmental and circumstantial factors, the benefits of such efforts often extend to both those targeted and those not targeted that also occupy that environment.14

As in the SCP case, government and private sector ACD offer distinct opportunities to combat malicious activity in cyberspace—each of which could potentially produce positive externalities. Governments may employ ACD for a wider set of functions, including defense of “friendly” systems and networks under their authority and in combination with other activities inside or outside of cyberspace. While governments may undertake activities that are punitive in nature (including law enforcement action), such activities reside outside any conceivable legitimate scope of permissible private sector ACD. However, major companies that shape the environment of cyberspace will inevitably play a more salient role in protecting it. This is in part because increasing reliance on cloud-based services and the interconnection of devices, among other trends, are raising the potential for a major cyberattack to cause cascading effects. As stated in a 2016 World Economic Forum white paper, “it is an understatement to say that the government and industry are struggling to understand and prepare for the magnitude of systemic cyber risk.”15

The functions or roles of government and the private sector also differ on a procedural level—in terms of the authority under which an activity is conducted and the degree of consent to potential actions affecting third parties. Governments undertake ACD under a broad mandate in the law enforcement, homeland security, intelligence, and military contexts. The authority of private sector ACD, insofar as it affects third parties, may be derived from a company’s end-user license agreement or digital rights management protocols or procedures. In other cases, private sector ACD may be conducted with cooperation and oversight by governments or under the authority of a court order. This authority directly pertains to the legitimacy of private sector ACD. Generally speaking, the legitimacy of private sector engagement in ACD becomes more contentious as it moves across the scale toward more aggressive acts, particularly when crossing from internal to external network actions. The debate over private sector ACD is not merely whether to allow companies to conduct a certain set of technical activities. At the broadest level, it is about the respective roles and contributions of the government and private sector in cybersecurity in managing systemic risk and how ACD could or should fit into these. Both the technical and contextual dimensions are relevant in considering the desirable scope, conditions, and procedures surrounding the conduct of ACD in the private sector. Selective private sector ACD could be harnessed in a situational approach to shaping this dynamic environment to decrease the opportunities and incentives for malicious activity. The benefits of doing so would extend beyond the immediate companies conducting ACD to the broader public reliant on their services and vulnerable to systemic risks.

The Case for Private Sector Active Cyber Defense

Globally, as well as domestically in the United States, the private sector is currently suffering from critical gaps in cybersecurity. At one level, there are “nuisance” cyberattacks that companies can mitigate through adequate cyber hygiene and passive defense, such as firewalls and routine scanning and monitoring. At a higher level are sophisticated, criminal and state-sponsored (and hybrid) cyberattacks on companies on the scale of national security threats, which governments are inclined to address through their own means (both cyber and noncyber). Between these levels are the increasingly sophisticated, targeted cyberattacks that governments cannot (or will not) take action to mitigate but that exceed the ability of passive defenses to prevent. The imperative of all forms of defense—passive and active, governmental and private—is especially acute as current commercial and technical trends concentrate ever larger amounts of critical assets in the cloud, away from their physical corporate spaces and owned and operated by a handful of cloud service providers.

Yet governments have limited resources and personnel to thoroughly protect against, investigate, and respond to cyberattacks. These resources are already strained by the primary responsibility of defending government systems and networks. In some cases, governments might not be able to match the private sector’s capacity to respond to attacks. Even if governments could muster the capacity to adequately defend the private sector, companies may not want government agencies to have the degree of access to and control over their networks and data needed to defend them. From a broader perspective, it may not be desirable to use public resources to protect private companies, particularly if it has the effect of driving down the incentive for companies to spend scarce resources to protect themselves (in other words, a moral hazard). The borderless nature of cyberspace raises further legal and ethical questions for governments. Should the state accept responsibility for defending networks and computers of its companies that lie outside of its territory? Should it defend those of foreign-owned companies or multinational corporations located within its territory? Should it extend its defense to cloud-based assets? States pursuing such strategies will inevitably face dilemmas regarding who and what to prioritize and how far to go in their defense.

Internationally, the role of governments in defending private entities varies greatly. Some states assume significant responsibility for cybersecurity of the private sector (including ACD), while others reserve the right to intervene only when absolutely necessary, such as in the defense of critical infrastructure. The leeway that states give to the private sector to engage in ACD similarly varies and is evolving. Yet considerable state responsibility for defense of the private sector may become untenable, even for countries where this is currently the norm. The expansion of companies’ vulnerabilities due to, among other factors, increasing standardization of products, the exponential growth of the Internet of Things,16 and tremendous reliance on cloud-based and remote access services will motivate businesses to fill gaps in the defensive coverage that governments provide. Furthermore, the onus of responding to cyberattacks is already emerging as a tall order for governments because of the difficult policy choices associated with any type of response or inaction against the perpetrators, even in situations where they can be confidently identified.

The unevenness of the international regulatory environment exacerbates the dilemma that many governments face. They can try to maintain a monopoly on legitimate engagement in ACD—despite their limited ability to deliver on it and to regulate a growing international market for ACD services—or they can step aside and allow companies to engage in activities with the substantial risks described above. Should governments try to restrict the space for private sector ACD without offering a credible alternative to protect the interests of corporations, they risk incentivizing corporations to relocate resources to environments more hospitable to freedom of action or to avail thems
Subjects | Americas ; United States ; Defense and Security ; Foreign Policy ; Cyberspace ; Technology
URL | https://carnegieendowment.org/2017/06/14/private-sector-cyber-defense-can-active-measures-help-stabilize-cyberspace-pub-71236
Source think tank | Carnegie Endowment for International Peace (United States)
Resource type | Think tank publication
Item identifier | http://119.78.100.153/handle/2XGU8XDN/416832
Recommended citation (GB/T 7714) | Wyatt Hoffman, Ariel (Eli) Levite. Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace? 2017.
Files in this item
File name/size | Resource type | Version type | Access type | License
Cyber-Defense_INT_fi (59KB) | Think tank publication | | Restricted access | CC BY-NC-SA
Cyber_Defense_INT_fi (20775KB) | Think tank publication | | Restricted access | CC BY-NC-SA