INTO THE GRAY ZONE: The Private Sector and Active Defense Against Cyber Threats

Co-Author:  Christopher Ballister, Security & Privacy, IBM

It provides a practical framework to develop active defense strategies and offers a set of 15 policy recommendations to the public and private sectors to support implementation of more effective cybersecurity defenses that will enhance the private sector’s ability to defend its most valuable data and assets in the context of modern cybersecurity imperatives.  Too often, policy is being made in reaction to an incident, that’s why this report is so important – it provides the context for developing policy, based on the risks and benefits of taking measured actions, at the appropriate time.

To produce this report, the Center brought together a diverse group of expert stakeholders, convening a Task Force whose members have backgrounds in the private and public sectors, and are thought leaders in the areas of technology, security, privacy, law, and business. The report was developed and written by the Center’s Active Defense Task Force led by the four Task Force co-chairs: Adm. Dennis C. Blair, former Director of National Intelligence & Chairman and CEO Sasakawa Peace Foundation; The Honorable Michael Chertoff, former Secretary of the Department of Homeland Security & Co-Founder and Executive Director, the Chertoff Group; Nuala O’Connor, President and CEO Center for Democracy and Technology; and Frank Cilluffo, GWU Associate Vice President & Director, Center for Cyber and Homeland Security (CCHS).  The project is supported by the William and Flora Hewlett Foundation and the Smith Richardson Foundation.  Chris Ballister is a Member of the Active Defense Task Force & a Senior Fellow of the CCHS and John Lainhart and Daniel Chenok serve on the Board of Directors of the CCHS.

The report defines Active Defense as follows:

“Active defense is a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the Internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors. The term active defense is not synonymous with “hacking back” and the two should not be used interchangeably.” 

Today’s cyber threat protection efforts includes the expanded use of capabilities such as security intelligence, which provide organizations with both the information and means to protect themselves well beyond their own enterprise environment to include intrusive actions into an aggressors network environment.  By clarifying the gray area between defensive and offensive cybersecurity activity, the report emphasizes the need to carefully navigate the gray zone in a manner that keeps organizations and individuals from violating statutory law or violating foreign government rules for privacy or computer crimes.  The report further prompts the need for development of policies and guidance to assist organizations with successful navigation of the gray zone.

The initial section of the report provides background and context to this discussion. The next section provides a historical perspective on the evolution of the term “active defense.” This section also discusses the upper and lower boundaries of active defense and examines the spectrum of activities that fall within it, including honeypots, beacons, and sinkholing malicious traffic. It makes clear that certain types of high-risk activities by the private sector should be not be performed due to risks of collateral damage and privacy-related concerns, but pushes for greater clarity on whether and how the private sector can utilize lower-risk active defense measures. Next, the report provides additional policy context to the issue of active defense, examining the impact of current U.S. laws (e.g., the Computer Fraud and Abuse Act), assessing the impact of emerging technologies such as cloud computing and the Internet of Things, and outlining the evolving international framework for active defense.

The final sections of the report provide the proposed framework for the private sector to use in addressing cyber threats. “The core of this framework is the spectrum of active defense measures defined earlier in the report, embedded within a broader set of policy, legal, technical, and governance-related considerations, which provide the basis for risk-driven deliberation and decision-making both within companies and between the government and the private sector on active defense.” It also attempts to balance the need to enable private sector active defense measures with other important considerations such as the protection of individual civil liberties, privacy, and the risks of collateral damage. A key aspect of this framework is a risk-driven methodology that can be used to weigh the risks and benefits of action vs. inaction, and help organizations choose appropriate tools when deemed appropriate.

This overview of the framework is followed by a detailed discussion of what is needed to operationalize it. After this section, the report puts forward a set of near-term policy recommendations for the U.S. executive branch, Congress, and the private sector that are intended to facilitate the implementation and adoption of this framework. These policy recommendations are included in their entirety below.

Actions for the Executive Branch

1. The Department of Justice (DOJ) should issue public guidance to the private sector with respect to active defense measures that it interprets to be allowable under current law, indicating that DOJ would not pursue criminal or civil action for such measures assuming that they are related to the security of a company’s own information and systems. This guidance should be updated on a regular basis consistent with ongoing technology developments.
2. DOJ and the Federal Trade Commission should update their “Antitrust Policy Statement on Cybersecurity Information Sharing” (2014) to state clearly that antitrust laws should not pose a barrier to intra-industry coordination on active defense against cyber threats. 
3. The Department of Homeland Security should coordinate the development of operational procedures for public-private sector coordination on active defense measures, utilizing existing mechanisms for cooperation such as the industry-led Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), and the National Cybersecurity and Communications Integration Center (NCCIC) at DHS.
4. The National Institute for Standards and Technology (NIST) should develop guidelines, best practices, and core capabilities for private sector activity with respect to assessing the risk of and carrying out active defense measures, with 3-5 different levels of technical maturity linked to certification to carry out certain types of measures, or in the case of third-party vendors, to protect other companies. Such guidelines may be distinct for different industry sectors, and this effort at NIST shall be consistent with the work done in 2013-2014 to develop the Cybersecurity Framework.
5. Federal agencies that fund cybersecurity-related research and development, including the Departments of Defense, Homeland Security, the Intelligence Community, and the National Science Foundation, should prioritize R&D on the development of new active defense measures (including capabilities that may improve attribution) and assess efficacy of current active defense measures.
6. The Department of State should engage with foreign partners in developing common standards and procedures for active defense measures. This is particularly relevant given the fact that many of the large companies who are affected by cyber threats operate globally, and thus need to protect information on systems in dozens of countries.
7. The Privacy and Civil Liberties Oversight Board (PCLOB) should carry out a review of current and proposed federal government activities related to active defense activities by the private sector, and release a public report on the results of this review.
8. The White House should develop a policy that provides guidance to federal agencies on when and how they should provide support to the private sector with respect to active defense activities, addressing such factors such as the maturity of private sector entities, the nature of the threat actors (if known), and the economic and security- related importance of the infrastructure or information targeted. This latter factor could perhaps be linked to the list of “critical infrastructure at greatest risk” as identified by DHS pursuant to Section 9 of Executive Order 13636.128 Types of support that are envisioned include information sharing, coordinated planning, intelligence support, and training.
9. The President should issue a directive that codifies the requirements in items 1-6 above and sets clear deadlines for the adoption of them.

Actions for the U.S. Congress

1. Congress should pass legislation to oversee the implementation of the activities in action items 1-7 above, and reinforce the deadlines in statute. Congress should also mandate that the Government Accountability Office review the implementation of this legislation.
2. Congress should reassess language in the CFAA and the Cybersecurity Act of 2015 that constrains private sector activity on active defense, to ensure that low and medium-risk active defense measures are not directly prohibited in statute.
3. Congress should examine whether and how other tools established in law (e.g. indictments, sanctions, trade remedies) can be utilized in support of protecting the private sector against malicious cyber actors. Executive Order 13694 (“Sanctions Related to Significant Malicious Cyber-Enabled Activities”) from 2015 is a good example of this principle in practice, but there are other tools that can be utilized in support of cyber deterrence and active defense.

Actions for the Private Sector

1. Private sector companies should work together and take the lead in developing industry standards and best practices with respect to active defense measures within their sectors and industries. Such efforts should be undertaken on an international basis, involving a broad set of major companies from all regions of the world.
2. Companies should develop policies at the C-Suite level for whether they want to engage in certain types of active defense measures in response to hypothetical future attacks, instead of simply reacting after they have suffered a data breach or other form of cyber attack. Companies should develop an operational template, based upon a thorough risk assessment and analysis of industry standards and best practices, that can be integrated into a broader cyber strategy and incident response protocols. These policies must be incorporated within the companies’ broader commitment to and investment in their own traditional cyber defense programs.
3. Industry groups should examine best practices for coordination between Internet service providers, web hosting services, and cloud service providers and their clients on active defense, leveraging the fact that these service providers often have contractual, pre-authorized access to their clients’ networks for routine business purposes. Such service providers may be well positioned to carry out active defense measures against cyber threats to their clients.

The report concludes with a call to action - a brief examination of future trends that may impact the evolution and development of active defense policy and procedures. 

In addition, there are several appendices that support the report’s core analysis, including additional views of Nuala O’Connor, a Legal Analysis courtesy of Covington & Burling, LLP, a global perspective on active defense (in the United Kingdom, France, Estonia and Israel), and a glossary of terms.

At the report’s briefing conference, Frank Cilluffo emphasized that “Businesses cannot simply firewall their way out of this problem and must instead have greater leeway to more proactively respond to cyber threats.  Active defense – done right – offers a viable path forward.”  Christian Beckner, CCHS Deputy Director, concluded that “The framework that we provide in this report offers a sustainable path forward for responsible private sector active defense.  An informed and equipped private sector, supported by this framework, is necessary to improving America’s cybersecurity posture moving forward.”

The full report can be downloaded at: https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf