Information Security News mailing list archives

Self-Help in Cyberspace: A Path Forward
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 18 Sep 2019 08:42:11 +0000 (UTC)

https://www.lawfareblog.com/self-help-cyberspace-path-forward

By Wyatt Hoffman, Ariel E. Levite
Lawfare.com
September 16, 2019

Recent years have seen sustained calls to “unleash” the private sector to more assertively combat cyber threats. The argument has gained some sympathy in Congress, where Rep. Tom Graves (R-Ga.) recently reintroduced the Active Cyber Defense Certainty Act (ACDCA). As Bobby Chesney summarizes, the act, if passed, would amend the Computer Fraud and Abuse Act (CFAA) to allow private entities, under certain conditions, to engage in defensive measures that intrude into attackers’ networks for purposes of attributing, disrupting or monitoring malicious activity.

Motivating this renewed push for active defense is a growing recognition of the magnitude of the peril that cyberattacks present to the private sector, along with limits on the government’s ability to arrest its growth and bring the perpetrators to justice. As former director of the National Security Agency Gen. Michael Hayden put it, “[T]he cyber cavalry ain’t coming.” However, notwithstanding the benefits of harnessing private-sector expertise to improve cyber defense, the ACDCA is premature and of uncertain efficacy, and is potentially even risky from both domestic and international perspectives. A dual-track approach is therefore essential: The United States should prudently explore acceptable domestic parameters for the practice of private-sector “self-help” in cyberspace and engage other nations to harmonize these standards internationally. The Justice Department can lead such an approach and—by exercising prosecutorial discretion within the limits of existing law—begin to define the scope and parameters for responsible private-sector conduct in this domain.

The reintroduction of the ACDCA has predictably elicited two familiar sets of objections. One is that any effort to create space for more assertive defenses is dangerous; the other is that such efforts are unnecessary or even irrelevant. The former objection resurfaces the opposition to private-sector engagement in “hacking back,” citing risks of collateral damage from misattribution, escalation, abuse by corporations for competitive advantage, getting in the way of governmental operating space, and the potential for triggering an international incident when defensive measures cross national boundaries. The other source of opposition stems from the belief that such a move would have dubious utility, as it would hardly change the calculus for most corporations considering engaging in active cyber defense. In this view, what holds corporations back from practicing more assertive cyber defense at present is not only legal constraints (which companies can bypass if they wish by using proxies and foreign operating bases) but also concerns over uncertain efficacy, liability and reputational damages. Moreover, the ACDCA addresses only criminal liability under the CFAA, giving corporations little clarity regarding other state laws and a number of statutes relating to electronic surveillance potentially in play.

These are all certainly valid considerations. Yet they do not necessarily weigh equally with all forms of active cyber defense—which is often conflated with the most extreme “hack backs.” Moreover, opponents and proponents of active cyber defense alike should recognize that the current ambiguous legal boundaries neither enable effective private-sector defense nor prevent more risk-acceptant actors from engaging in reckless conduct. This is especially true given the trajectory of the cybersecurity landscape.

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_