Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats

Center for Cyber & Homeland Security
October 31, 2016

Click here to read the full report.


A new report from the GW Center for Cyber and Homeland Security offers the most comprehensive assessment to date of the legal, policy and technological contexts that surround private sector cybersecurity and active defense measures to improve U.S. responses to evolving threats. The report provides a framework to develop active defense strategies and offers a set of policy recommendations to the public and private sectors to support implementation of more effective cybersecurity defenses.

The report draws on knowledge from a task force co-chaired by Sasakawa USA Chairman and CEO Adm. Dennis Blair, former Director of National Intelligence. The task force also includes experts in the public and private sectors who are thought leaders in technology, security, privacy, law and business. This report has brought these diverse – and sometimes conflicting – interests closer together and toward productive solutions to common challenges. The aim of the report is to help chart a constructive course forward through the complicated terrains of law, technology and policy as they relate to private sector active defense.

The other Active Defense Task Force co-chairs are Michael Chertoff, former secretary of Homeland Security and executive chairman and co-founder of The Chertoff Group; Nuala O’Connor, president and CEO of the Center for Democracy and Technology; and Frank Cilluffo, director of the GW Center for Cyber and Homeland Security. Within the center, the task force is co-directed by Mr. Cilluffo and Christian Beckner, deputy director of the GW Center for Cyber and Homeland Security.

A key difference between cybersecurity threats and other security threats is the mismatch between public and private capabilities and levels of authority in responding to these threats. The report states that while the U.S. government will always play an important role in cybersecurity, it lacks the resources to fully defend the private sector in the digital realm. This places businesses on the front lines of the cyber conflict. Three areas most vulnerable to cyberattacks are national security, economic vitality and privacy, according to the report.

The task force examined current cybersecurity practices commonly found in the private sector and provided case studies that lay out the strengths and weaknesses of such practices in addition to less common, active defense measures. The report dissects the complex web of the legal gray areas of cyber defense that make it difficult for the private sector and policymakers to work together.

In addition, the report provides a new definition of “active defense” that reflects the evolution of cybersecurity capabilities, including operations that allow defenders to gather intelligence and policy tools aimed at deterring hacks. With proper balance, the private sector can be a vital player in ensuring the nation’s economic and national security, the report finds. The study differentiates between active defense and “hacking back,” which refers to offensive cyber measures that are beyond the scope of what is defined as permissible activity in this report. It also balances the need to enable private sector active defense measures with other important considerations such as the protection of individual liberties, privacy and risks of collateral damage when implementing active defense.

The authors develop a framework for active defense against cyber threats that seeks to maximize the effectiveness of the private sector’s ability to defend its most valuable data and assets through technical and non-technical tools. This framework is risk-driven in that it seeks to inform decision-makers about the relative legal, reputational and collateral risks associated with specific active defense measures.

The report’s recommendations are broken down by actions for the executive branch, Congress and the private sector. Recommendations include:

• Developing procedures for public-private coordination on active defense measures through existing industry-led cooperation mechanisms.
• Amending the Computer Fraud and Abuse Act and the Cybersecurity Act of 2015 to affirmatively allow low- and medium-impact active defense measures.
• Developing C-suite level operational templates based on risk assessment, industry standards and best practices to integrate into broader cyber strategy and incident response protocols.

The report calls for increased collaboration between the public and private sectors to use available tools more effectively to disrupt and deter cyber threats, noting that the collaboration between the private sector and policymakers is long overdue.

The report cites sources including a blog post by Sasakawa USA’s William “Bud” Roth, who wrote on the possibility of deputizing licensed private sector cybersecurity firms to engage in limited intelligence gathering techniques on external networks “in situations where government is incapable” of keeping pace with cyberattacks.

Another primary source is “The IP Commission Report: The Report of the Commission on the Theft of American Intellectual Property,” a report by Adm. Dennis Blair and Jon M. Huntsman Jr. published by The National Bureau of Asian Research in 2013.

The project is supported by the William and Flora Hewlett Foundation and the Smith Richardson Foundation.

