A Heritage Foundation report released last Friday supports allowing private U.S. actors to take more aggressive active cyber defensive actions.
The report, “Next Steps for U.S. Cybersecurity in the Trump Administration: Active Cyber Defense,” by Paul Rosenzweig, Steven Bucci, and David Inserra said the U.S. government’s failure to provide adequate cyber protection and deterrence for private sector organizations is pushing them to consider taking more active defensive measures.
“The private sector may wish to take actions that go beyond protective software, firewalls, and other passive screening methods—and instead actively deceive, identify, or retaliate against hackers to raise their costs for conducting cyberattacks,” the report said. The authors named several examples of government cyber deterrence failures including the Office of Personnel Management (OPM), Democratic National Committee (DNC), Target [TGT], Sony [SNE], and 140 U.S. companies that experienced intrusions by Chinese hackers affiliated with the Chinese People’s Liberation Army (PLA).
Although the report did not endorse letting private sector actors being so aggressive that they can “hack back” once attacked, it examined a range of potential active cyber defense actions and the legal issues involved.
“If the government is unable or unwilling to take or threaten credible offensive actions to deter cyberattacks or to punish those who engage in them, it may be incumbent upon private-sector actors to take up an active defense,” the Heritage Foundation said.
The authors said “the U.S. should expressly allow active defenses that annoy adversaries while allowing only certified actors to engage in attribution-level active defenses” More aggressive actions that might be construed as a counterattack should only be taken by law enforcement or in collaboration with them, the authors said.
The report looked at several models for what active cyber defense could look like, settling on a limited security guard model that forbids hacking back but allows limited use of certain actions. Those more aggressive actions include white-hat ransomware as a trap activated when data is stolen and permitting botnet takedowns coordinated with law enforcement authorities.
“It seems that the best way forward is to authorize private security protection inside a limited framework,” the authors said.
The report specified that under a new legal regime, private cyber guards should have no authority to “return fire” but only use tools that act more as a defensive annoyance or an attribution technique. Such a regime would require Congress to amend the Computer Fraud and Abuse Act of 1986 and the Wiretap Act to let a certified cyber private responder be given legal protections from techniques like beaconing, which is like a tracking device.
The report highlighted current cyber security companies like CrowdStrike, FireEye [FEYE], Cylance, and others could be the new private cyber security guards.
“In the absence of an effective system of cybersecurity provided by the government, it is in some sense immoral to prohibit private-sector actors from protecting themselves,” the report claimed.
However, the authors advised caution and said that “while the U.S. government should establish a program for active cyber defense, it also needs to begin building an international consensus regarding private-sector active cyber defense.”