Herb Lin of the National Research Council has just published an informative, brief article entitled "Defining Self-Defense for the Private Sector in Cyberspace." It's a good primer on active cyberdefense. It opens:
It is the United States’ stated policy to employ an “active cyberdefense” capability to defend U.S. military networks and systems and to conduct “full-spectrum military cyberspace operations” when directed to assist in that defense. Active cyberdefense is a term of art widely understood to include offensive actions in cyberspace taken with defensive purposes in mind. Such actions are tactical operations with the limited goal of mitigating an immediate hostile act.
In addition, U.S. Cyber Command, the U.S. military’s combatant command tasked with cyberoperations, is reportedly planning to create “national mission forces” that would protect the computer systems undergirding “electrical grids, power plants and other infrastructure deemed critical to national and economic security.” It is not clear whether the conduct of offensive operations for “protective purposes” would be considered, but the Washington Post report clearly underscores the importance that Cyber Command ascribes to protecting critical infrastructure.
This all raises an obvious question: If offensive cyber operations are thought to be helpful in mitigating the cyberthreat to Defense Department assets, how and to what extent would such operations be useful in mitigating the cyberthreat to assets in the private sector?
Lin's answer? It's less clear whether offensive operations would be helpful than it is clear that they would raise a bunch of thorny problems.