Today the GW Center for Cyber and Homeland Security released a report entitled Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats.
The report was the work of a task force of experts from the technology, security, privacy, law and business communities (including Lawfare’s own Bobby Chesney and Stewart Baker). The Active Defense Task Force is co-chaired by former DNI Dennis Blair, former DHS Secretary Michael Chertoff, Center for Democracy and Technology (CDT) CEO Nuala O’Connor and Frank Cilluffo, the Director of GW’s Center for Cyber and Homeland Security.
Here’s one snippet from the report:
“America is at an inflection point in cyberspace. U.S. government agencies and private sector companies have developed and benefited from some of the most advanced capabilities in cyberspace. But these same entities are vulnerable to disruptive cyber incidents, and are under constant threat from a variety of actors. One key element of a broad effort to address this challenge is more clearly defining the private sector’s role in cybersecurity, not only with respect to information sharing and defensive activities, but more broadly with respect to “active defense,” a set of operational, technical, policy, and legal measures that are the subject of this report.”
A few highlights: The report is based, in significant part, on the premise that, while government has a role, the private sector carries the bulk of the responsibilities and resources to defend itself. It therefore aims to assist the private sector in this effort by providing a new framework for how to incorporate “active defense” into broader cybersecurity thinking, design and implementation. In doing so, the report makes a serious effort at moving the cybersecurity community beyond the so-called “hacking back” debate. The report makes a substantive contribution to the law, policy and business considerations in implementing a cybersecurity program, emphasizing the gap in guidance provided to the private sector on how to incorporate “active defense.” To that end, the report offers a new working definition of “active defense”:
“Active defense is a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the Internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors. The term active defense is not synonymous with “hacking back” and the two should not be used interchangeably.”
The task force places “active defense” in a large “gray zone” that lies between “passive defense” and the more controversial “offensive cyber” activities. It then makes substantial policy recommendations for steps that the Executive Branch and Congress need to take to make its new framework usable. Among other recommendations, the task force calls for much greater clarity and guidance from the federal government to the private sector about what is and what is not permissible under the law. Perhaps due in part to these existing ambiguities and concerns about pushing the boundaries of “active defense” too far, the report includes additional written views of one of its co-chairs, Nuala O’Connor.
In addition to the main text of the report, scholars, practitioners and students will find the legal outline and additional appendices of great use in understanding this issue more deeply. Overall, I expect that the Lawfare community will find that the GW report makes a meaningful contribution by placing “active defense” in the context of broader cybersecurity policies and initiatives, and it will likely encourage additional debate and proposals.