Mounting an Active Defense Against Cyber Threats

A man studies a display of activities of a cybercrime "botnet." Frankfurt, Germany, July 31, 2015. (Boris Roessler/AFP/Getty Images)

Last week, the British government revealed a new five-year National Cyber Security Strategy that includes a £1.9 billion ($2.3 billion) commitment to defending and deterring attacks against the private sector, which are a leading threat to economic stability globally. Much of the strategy is familiar: reinforcing cybersecurity through “basic hygiene” and the adoption of best practices, defending critical infrastructure, investing in new technologies, and building international partnerships. Where it broke fresh ground, however, is in its call for an Active Cyber Defence Program to “strike back” at attackers and to even “go looking for badness and take it down.”

The strategy comes at a critical time. Forecasts have losses from data breaches reaching $2.1 trillion globally by 2019. Governments have been struggling so far to help private companies defend against unprecedented targeting of their most valuable assets and data. An Israeli audit released last week reported that the government is “largely unprepared” to protect “civilian cyberspace.” The more circumscribed the role of the state in the economy, the greater the challenge—though even countries with substantial state involvement in the market (such as Russia) are not immune.

Meanwhile, the cyber threat continues to expand and evolve. Last month, source code for Mirai, the malware behind the largest distributed denial of service attacks recorded to date, was posted publicly online. Mirai builds its botnets by scanning for internet-connected devices that still use factory-default passwords, so the release hands any cybercriminal a ready-made tool for generating attack traffic on a scale previously associated only with well-resourced actors. The global economy, networked and increasingly intertwined with the so-called internet of things, is ever more at risk of this type of disruption, or potentially worse.

Individual companies and industry sectors have begun grappling, both separately and in coalition, with how best to meet this challenge. In certain circumstances, the companies under attack may themselves be best placed to take defensive measures. A report released last month by the George Washington University Center for Cyber and Homeland Security (which we helped draft) proposes a risk-based framework, with both operational and conceptual dimensions, that seeks to help redress the mismatch between attackers’ relative freedom of action and the target’s capacity to responsibly defend its most valuable assets, either on its own or in partnership with law enforcement and other officials.

While the lack of a level playing field is problematic, rebalancing is a delicate exercise that requires, among other things, safeguards against disproportionate escalation and harm to innocent third parties. From a legal standpoint, international law primarily regulates the behavior of nation states and there is no treaty or rule of customary international law that explicitly prohibits or allows the use of active defense techniques (which, it should be noted, go beyond “traditional” information sharing) by the private sector.

Perhaps the most relevant agreement, the Council of Europe Convention on Cybercrime (commonly known as the Budapest Convention), is silent on the use of active defense, although the instrument may contemplate some exceptions to its prohibition on illegal access (“to the whole or any part of a computer system without right”) in cases of self-defense or defense of property. Any measure of clarity that the convention may provide is tempered, however, by the limited number of major signatories outside of the United States and Europe. Against this background, companies face a patchwork of domestic laws in different countries around the world, which may even conflict at times. The upshot is a difficult, if not untenable, position for companies operating worldwide on networks that transcend national borders.

As governments begin to think more carefully about companies’ use of measures to actively defend themselves, officials and decision-makers would do well to ground their deliberations in a broader transnational context. How governments (and businesses) choose to respond will establish, incrementally and collectively, a foundation for emerging parameters of acceptable behavior. Working to develop an informal international understanding of core principles governing active defense—with officials, executives, and technologists all accorded a seat at the table—would serve both public and private interests.

Consensus is already emerging that active defense techniques fall along a spectrum of impact and risk that can be used to separate acceptable techniques from unacceptable ones. Reaching agreement on those techniques that should clearly be excluded would be a constructive first step in the right direction.

Concerted and continued efforts directed at elaborating and implementing models of effective public-private partnerships would be another. International law enforcement cooperation with the private sector has already proven that multilateral partnerships drawing on diverse parties with a range of authorities and expertise can disrupt cybercrime and penalize criminals. In 2013, for instance, law enforcement teams from the United States, United Kingdom, Germany, and Europol leveraged the expertise of private technology firms around the world to dismantle the command and control infrastructure of the Citadel “botnet,” which was responsible for bank account thefts worth more than $500 million.

Until significant consequences are visited upon the perpetrators of these threats, there will be little incentive for them to change their ways. On the other hand, vigilantism, with its potential for expansive collateral damage, is not the answer. Carefully calibrated options are the better course: developed and thought through ahead of time (rather than in the heat of the moment) and tailored to the different phases at which a hostile intrusion can be thwarted, for example before an attacker ever obtains a foothold in the target’s networks, or after that occurs but before the attacker moves stolen data out beyond the target’s perimeter.

Done right, the exercise could change the adversary’s calculus, replacing a mindset of impunity with pause for thought. The challenge is substantial, but so too are the stakes—and the status quo favors no one more than the attacker.

Sharon L. Cardash is Associate Director of the George Washington University Center for Cyber and Homeland Security (CCHS). Taylor P. Brooks is an attorney who served as Policy Analyst for the CCHS project report Into the Gray Zone: the Private Sector and Active Defense against Cyber Threats.