Ariel E. Levite is a nonresident senior fellow with the Nuclear Policy Program and the Cyber Policy Initiative at the Carnegie Endowment for International Peace.
Subscribe to this Lawfare contributor via RSS.
Recent years have seen sustained calls to “unleash” the private sector to more assertively combat cyber threats. The argument has gained some sympathy in Congress, where Rep. Tom Graves (R-Ga.) recently reintroduced the Active Cyber Defense Certainty Act (ACDCA).
Markets have been slow to adjust to the multidimensional perils of cyber risk.
For many businesses, cyber risk was once either an amorphous threat or an occasional nuisance. But with reliance on all things digital skyrocketing, cyber threats now pose grave, even existential, dangers to corporations as well as the entire digital economy. In response, companies have begun to develop a cyber insurance market, offering corporations a mechanism to manage their exposure to these risks. Yet the prospects for this market now seem uncertain in light of a major court battle.
The recent WannaCry and NotPetya global cyber incidents have fueled the debate already raging over the role of and limits on corporate self-defense in cyberspace. The emerging international practice of “active cyber defense” (ACD) moves this debate beyond the merely theoretical realm. Private sector active defense potentially shifts the balance in favor of defenders and would improve companies’ ability to complicate and disrupt attacks and mitigate damages.
On March 18, 2017, the G20 finance ministers and central bank governors issued a communiqué highlighting that: