Almost everyone is familiar with the adage that “the best defense is a good offense.” But what happens when your good offense might also be illegal?
That’s more than an academic question for organizations seeking to counter the deluge of cyber attacks plaguing our highly connected, digitally dependent world. In the face of these assaults, companies are showing increased interest in so-called “active cyber defense (ACD).” ACD measures aim to proactively combat attackers rather than simply build static perimeter defenses.
The problem: some ACD activities can cross the line between legal defensive measures and prohibited offense techniques. This uneasy balance is reflected in the fact that people often associate ACD with the notion of “hacking back” against attackers.
This ambiguity is evident in how the Defense Advanced Research Projects Agency (DARPA) summarizes its own ACD program. DARPA says ACD gives defenders “the ability to perform defensive operations that involve direct engagement with sophisticated adversaries in DOD-controlled cyberspace.” At the same time, DARPA cautions, “These capabilities would be solely defensive in nature…”
In practice, the concept of ACD encompasses a range of activities from those that are fairly common and benign to those that are more aggressive and currently illegal. Dr. Irving Lachow, a visiting fellow at Stanford University’s Hoover Institution recently gave a presentation to U.S. congressional staffers in which he laid out a spectrum of ACD activities. Lachow is also deputy director of cyber strategy and execution at The MITRE Corp.
On the safe side of the ACD spectrum, Lachow said, are activities such as installing software patches that address security vulnerabilities, or subscribing to threat intelligence services and modifying cyber defenses in response to newly identified threats.
At the aggressive end of the spectrum are hack-back attempts to recover stolen digital assets, the temporary or extended disruption of an adversary’s networks, and efforts to damage an adversary’s assets. These and other activities are prohibited by various U.S. laws, including the Computer Fraud and Abuse Act.
There are various efforts underway to lessen the legal limbo that organizations will find themselves in if they undertake certain ACD activities. Most notably, Representative Tom Graves has introduced a bill called the Active Cyber Defense Certainty Act (ACDCA) for consideration by the U.S. House of Representatives Judiciary Committee. The bill aims “to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers…”
The ACDCA would establish a two-year pilot program managed by the FBI in coordination with other federal agencies. During this program companies that voluntarily engage in ACD actions authorized by the bill would be immune from criminal – though not civil – prosecution. Among the permitted activities, defenders could access without authorization an attacker’s computer:
- To gather information to establish attribution of criminal activity
- To disrupt the continued unauthorized activity by the attacker
- To monitor the behavior of an attacker
At the same time, the bill would prohibit a number of actions (all of which are already illegal). Some, but not all, of the prohibitions include:
- Intentionally destroying information that does not belong to the victim and is stored on another entity’s computer
- Recklessly causing physical injury or financial loss
- Creating a threat to public safety or health
- Intentionally accessing or intruding into an intermediary’s computer
In part, to avoid an “escalatory cycle of cyber activity,” the ACDCA sets forth a requirement that defenders notify the FBI’s National Cyber Investigative Joint Task Force about their plans to initiate an ACD action, and receive an acknowledgement from the task force before they initiate any action. As part of this notification, the would-be defender must describe the nature of the cyber breach they’ve experienced, the intended target of their ACD action, their plans to preserve evidence of the intrusion, and the steps they will take to prevent damage to intermediary computers.
As should be evident, even as it attempts to deliver the legal “certainty” its name promises, the ACDCA implicitly makes clear that many legally gray areas are likely to remain even should it ultimately become law.
For example, the act charges the Department of Justice with determining what protocols ACD defenders should follow for returning intellectual property, financial records, and other private property “gathered inadvertently. It also cautions that ACD techniques should only be used by “qualified defenders” – without establishing any certification program – and warns defenders to avoid violating the laws of any other nation “where an attacker’s computer may reside.”
Perhaps inadvertently, the ACDCA does as much to illuminate the complexity and risks associated with ACD actions as it does to carve out a safe space within the ACD realm. As noted, however, the proposed bill is just one of several efforts to better define acceptable ACD actions and to give organizations the means to better protect their cyber assets. For example, the secretary of the U.S. Department of Homeland Security recently told a Senate panel that DHS is providing undefined ACD “tools and resources” to private companies so that they can more proactively defend themselves.
Organizations seeking to navigate within the ever-shifting ACD landscape can safely do so by employing those ACD measures that proactively bolster their internal defenses when existing vulnerabilities and emerging threats are identified. Before embarking on efforts that, per DARPA, directly engage with sophisticated adversaries, however, it would still be wise to err on the side of caution rather than aggression.