Concerned about the ability of rogue actors and malignant nation-states to take down the power grid and disrupt the critical financial, transportation, and telecommunications infrastructure of the nation, top U.S. defense strategists are now proposing a strategy of “active cyber defense” that would employ, among other things, a network of bounty hunters and private sector hackers. What’s needed, they say, is an alternative to the traditional options of “inaction” and “hacking back. According to a new Atlantic Council report by two former Department of Defense officials, active cyber defense would represent a welcome compromise between doing nothing and going on the offensive.
The need for active cyber defense
The Atlantic Council report, authored by Frank Kramer, Assistant Secretary for International Security Affairs for the Clinton administration, and Bob Butler, Deputy Assistant Secretary for Space and Cyber in the Obama administration, makes a convincing case that the current model of cyber security is outdated. There is simply not enough capacity in the government to handle all of the threats facing the nation’s critical infrastructure. At the same time, adversaries are becoming much more sophisticated about all of the ways that they can use cyber attacks as a real threat to the national security of much stronger rivals. For example, Iran or North Korea might be no match for the U.S. militarily, but in the realm of cyber space, it’s no longer out of the question that Iranian hackers might find a way to bring down the national energy grid.
In response to the onslaught of new threats and new attack vectors, one option might be the creation of a new type of coordinating authority that could fuse together all of the various governmental organizations and agencies – such as the Department of Defense, Department of Homeland Security, U.S. Treasury, FBI, and State Department – into one giant cyber defense monolith. Such efforts, according to the Atlantic Council report, could be coordinated by a new entity like the National Cybersecurity Fusion Center.
But even this step would not be enough, say the authors. Thus, they propose what some skeptics and critics might see as a radical move: they propose deputizing everyday hackers as “certified active defenders” who would then be able to help the government create an active cyber defense strategy. Essentially, the U.S. government would be reaching out to “white hat” hackers in the private sector, giving them certain powers and authority to implement active cyber defense initiatives, while coordinating all of their activities via an entity like the National Cybersecurity Fusion Center.
This obviously raises a lot of questions. For example, how will these hackers be certified or “deputized”? And, perhaps more importantly, how can the U.S. government ensure that these bounty hunters won’t act too aggressively when it comes to adversaries? Critics compare these modern day bounty hunters to the 18th century’s privateers, who were granted extraordinary power by the U.S. government to carry out maritime attacks in the name of national security.
So is active cyber defense legal?
While the notion of active cyber defense certainly makes sense, legal scholars say that it is resting on shaky legal ground. They point to the Computer Fraud and Abuse Act (CFAA), which specifically declares that active hacking measures are illegal. Even if an entity or organization in the private sector has been hacked by an outside entity, there is no legal basis for “hacking back.”
Active cyber defense (ACD), in order to be legal, would need to operate within the legal confines of the CFAA. It’s perfectly OK to carry out defensive measures – such as “hardening” the computer defenses of soft targets – but it’s not OK to carry out operations that require unauthorized access on computer systems that are outside the legitimate span of control of the hacked entity.
Of course, there are various forms of active cyber defense, and it’s quite likely that one or more of these defensive measures would be legal under the CFAA. Take, for example, the classic “honeypot” defense, in which attackers think they are infiltrating a real computer system, but have actually fallen into a trap (i.e. the honeypot). The packets of information the attackers are sending back to their own computers are corrupted or inaccurate, and it’s quite possible that the defenders could flip the tables and actually use the attacker’s own cyber activity in order to gain access to the attacker’s computer systems. Without actually carrying out an actual offensive attack, the defender could simply use this access to study the opponent and figure out how the attacks are happening.
The big question, of course, is whether active cyber defense is really any different from defenses in the real world. For example, if a property owner puts up a sign like “Enter at your own risk” or “Beware of dog,” this is fair warning to any intruder that any attack will be met with a show of force. So, proponents of active cyber defense say that all they are doing is putting up a similar type of “Enter at your own risk” sign on the nation’s computers. Instead of a guard dog ready to pounce on an intruder, there are honeynets, beacons, botnet takedowns and sanctions.
Moving toward a more offensive cyber strategy
And, just in case these arguments fail to win over critics, proponents of a more vigorous defense operation that involves direct engagement with the enemy are starting to lay the legal groundwork for a change in U.S. defense posture. For example, the 2017 Active Cyber Defense Certainty Act was one such attempt to make active cyber defense legal. And the Department of Defense released a new Cyber Strategy in 2018 that clearly made the case that there would be some cases in which offensive cyber attacks would be the preferred mode of operation.
The problem with offensive cyber threats, of course, is that matters can quickly escalate – and that’s especially the case if you are relying on bounty hunters and mercenary white hat hackers. In the cyber world, it’s notoriously difficult to trace back the original source of an attack, and it’s also very difficult to develop a proportional response. If rogue hackers from Nation A bring down the power grid in Nation B, can Nation B retaliate by bringing down the power grid of Nation A?
Clearly, there is a lot of “gray area” here. Operations that involve actively searching out and taking down a nation’s computer systems might be still outside the bounds of what is considered the norm today. However, active cyber defense is increasingly part of a broader cyber strategy that includes concepts like “defend forward,” in which it is theoretically justifiable to hack your way into an adversary’s computers, as long as you don’t “break” anything. But, in the final analysis, isn’t this exactly the sort of behavior that the U.S. has accused Russia and China of in the past? That’s exactly why active cyber defense remains so controversial today.