Latest in Active Cyber Defense
With little fanfare and less public notice, Congress and the executive branch have cooperated effectively over the past decade to build a legal architecture for military cyber operations.
In 2016, Germany created its military cyber command. But legal restrictions could ultimately decrease its flexibility and operational effectiveness.
In May 2008, the U.S. Department of Defense and the German Ministry of Defence signed a memorandum of understanding concerning “Cooperation on Information Assurance and Computer Network Defense.” Computer network defense (CND) refers to actions taken on computer networks to monitor and protect those networks. It is not the only memorandum the U.S. Department of Defense has signed with allies on cyber defense.
The “hackback” debate has been with us for many years.
In February 2018, the German government’s network was attacked. Germany did not specify what kind of information was accessed by the foreign hackers, but it is publicly known that the hackers successfully attacked the IT system of the Ministry of Foreign Affairs.
In November 2016, the U.K. government launched its Active Cyber Defence (ACD) program with the intention of tackling “in a relatively automated [and transparent] way, a significant proportion of the cyber attacks that hit the U.K.” True to their word, a little over a year on, last week the U.K.’s National Cyber Security Centre (NCSC) published a full and frank account (over 60 pages long) of their progress to date.
The recent WannaCry and NotPetya global cyber incidents have fueled the debate already raging over the role of and limits on corporate self-defense in cyberspace. The emerging international practice of “active cyber defense” (ACD) moves this debate beyond the merely theoretical realm. Private sector active defense potentially shifts the balance in favor of defenders and would improve companies’ ability to complicate and disrupt attacks and mitigate damages.
Bobby Chesney raised a number of issues regarding the Active Defense Certainty Act, and I’m just getting into it now. I think Bobby’s comments are spot on, but I want to amplify some of his concerns.
Meaning of persistent intrusion
We are happy to report that Episode 7 of the National Security Law Podcast ("The Less Prep the Better") has just gone live. In about 42 minutes, we discuss:
- the Trump allegation about being wiretapped
- the Trump allegation about GTMO recidivism (and the Spicer follow-up about just when judges got involved in ordering GTMO releases)
- the Vault7/Wikileaks mess
Representative Tom Graves (R-GA) recently released a discussion draft of a bill that would create a defense to liability under the Computer Fraud and Abuse Act (CFAA) (18 USC 1030) f