Co-Author: Christopher Ballister, Security & Privacy, IBM
It provides a practical framework to develop active defense strategies and offers a set of 15 policy recommendations to the public and private sectors to support implementation of more effective cybersecurity defenses that will enhance the private sector’s ability to defend its most valuable data and assets in the context of modern cybersecurity imperatives. Too often, policy is made in reaction to an incident. That is why this report is so important: it provides the context for developing policy, based on the risks and benefits of taking measured actions, at the appropriate time.
To produce this report, the Center brought together a diverse group of expert stakeholders, convening a Task Force whose members have backgrounds in the private and public sectors and are thought leaders in the areas of technology, security, privacy, law, and business. The report was developed and written by the Center’s Active Defense Task Force, led by the four Task Force co-chairs: Adm. Dennis C. Blair, former Director of National Intelligence & Chairman and CEO, Sasakawa Peace Foundation; The Honorable Michael Chertoff, former Secretary of the Department of Homeland Security & Co-Founder and Executive Director, the Chertoff Group; Nuala O’Connor, President and CEO, Center for Democracy and Technology; and Frank Cilluffo, GWU Associate Vice President & Director, Center for Cyber and Homeland Security (CCHS). The project is supported by the William and Flora Hewlett Foundation and the Smith Richardson Foundation. Chris Ballister is a Member of the Active Defense Task Force & a Senior Fellow of the CCHS, and John Lainhart and Daniel Chenok serve on the Board of Directors of the CCHS.
The report defines Active Defense as follows:
“Active defense is a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the Internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors. The term active defense is not synonymous with “hacking back” and the two should not be used interchangeably.”
Today’s cyber threat protection efforts include the expanded use of capabilities such as security intelligence, which provide organizations with both the information and means to protect themselves well beyond their own enterprise environment, to include intrusive actions into an aggressor’s network environment. By clarifying the gray area between defensive and offensive cybersecurity activity, the report emphasizes the need to carefully navigate the gray zone in a manner that keeps organizations and individuals from violating statutory law or foreign government rules for privacy or computer crimes. The report further prompts the need for development of policies and guidance to assist organizations with successful navigation of the gray zone.
The initial section of the report provides background and context to this discussion. The next section provides a historical perspective on the evolution of the term “active defense.” This section also discusses the upper and lower boundaries of active defense and examines the spectrum of activities that fall within it, including honeypots, beacons, and sinkholing malicious traffic. It makes clear that certain types of high-risk activities should not be performed by the private sector due to risks of collateral damage and privacy-related concerns, but pushes for greater clarity on whether and how the private sector can utilize lower-risk active defense measures. Next, the report provides additional policy context to the issue of active defense, examining the impact of current U.S. laws (e.g., the Computer Fraud and Abuse Act), assessing the impact of emerging technologies such as cloud computing and the Internet of Things, and outlining the evolving international framework for active defense.
The final sections of the report provide the proposed framework for the private sector to use in addressing cyber threats. “The core of this framework is the spectrum of active defense measures defined earlier in the report, embedded within a broader set of policy, legal, technical, and governance-related considerations, which provide the basis for risk-driven deliberation and decision-making both within companies and between the government and the private sector on active defense.” It also attempts to balance the need to enable private sector active defense measures with other important considerations such as the protection of individual civil liberties, privacy, and the risks of collateral damage. A key aspect of this framework is a risk-driven methodology that can be used to weigh the risks and benefits of action vs. inaction, and help organizations choose appropriate tools when deemed appropriate.
This overview of the framework is followed by a detailed discussion of what is needed to operationalize it. After this section, the report puts forward a set of near-term policy recommendations for the U.S. executive branch, Congress, and the private sector that are intended to facilitate the implementation and adoption of this framework. These policy recommendations are included in their entirety below.
Actions for the Executive Branch
Actions for the U.S. Congress
Actions for the Private Sector
The report concludes with a call to action - a brief examination of future trends that may impact the evolution and development of active defense policy and procedures.
In addition, there are several appendices that support the report’s core analysis, including additional views of Nuala O’Connor, a Legal Analysis courtesy of Covington & Burling, LLP, a global perspective on active defense (in the United Kingdom, France, Estonia and Israel), and a glossary of terms.
At the report’s briefing conference, Frank Cilluffo emphasized that “Businesses cannot simply firewall their way out of this problem and must instead have greater leeway to more proactively respond to cyber threats. Active defense – done right – offers a viable path forward.” Christian Beckner, CCHS Deputy Director, concluded that “The framework that we provide in this report offers a sustainable path forward for responsible private sector active defense. An informed and equipped private sector, supported by this framework, is necessary to improving America’s cybersecurity posture moving forward.”
The full report can be downloaded at: https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf