Legalising Forms of Active Cyber Defense (ACD)
The Theory and Practice of Private Cybersecurity Provisioning
DOI:
https://doi.org/10.12797/Politeja.21.2024.93.06Keywords:
cybersecurity, active cyber defence, ACD, hack-backAbstract
The article analyzes the legality and implications of active cyber defense (ACD), including the controversial practice of retaliatory hacking (hack-back), by private entities. The author presents the current legal restrictions in the United States, where companies are essentially barred from taking aggressive defense measures beyond their own networks, despite growing cyber threats. The paper discusses the arguments for and against legalizing ACD, including issues of attack attribution, company readiness, the risk of escalating international conflicts, and potential legal consequences. The article focuses on legislative proposals, such as the Active Cyber Defense Certainty Act, aimed at mitigating these restrictions, while pointing out the associated challenges and dangers.
Downloads
References
“9-48.000 – Computer Fraud and Abuse Act,” U.S. Department of Justice, at https://www.justice.gov/jm/jm-9-48000-computer-fraud.
“Active Defense Strategy for Cyber,” MITRE, 1 July 2012, at https://www.mitre.org/newsinsights/publication/active-defense-strategy-cyber.
Alperovitch D., “The Case for Cyber-Realism: Geopolitical Problems Don’t Have Technical Solutions,” Foreign Affairs, 14 December 2021, at https://www.foreignaffairs.com/articles/united-states/2021-12-14/case-cyber-realism.
Berengaut A., Austin T., “Litigation Options for Post-Cyberattack ‘Active Defense,’” LAW360, 29 October 2018, at https://www.cov.com/-/media/files/corporate/publications/2018/10/litigation_options_for_postcyberattack-_active_defense.pdf.
Baker S., “The Case for Limited Hackback Rights,” The Washington Post, 22 July 2016, at https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/22/the-casefor-limited-hackback-rights/.
Baker S., “RATs and Poison II – The Legal Case for Counterhacking,” The Volokh Conspiracy, 14 October 2012, at https://volokh.com/2012/10/14/rats-and-poison-ii-the-legalcase-for-counterhacking/.
Berinato S., “Active Defense and ‘Hacking Back’: A Primer,” Harvard Business Review, 21 May 2018, at https://hbr.org/2018/05/active-defense-and-hacking-back-a-primer#:~:text=%E2%80%9CThis%20is%20a%20moment%20when.
Berris P.G., “Cybercrime and the Law: Primer on the Computer Fraud and Abuse Act and Related Statutes,” Congressional Research Service, 16 May 2023, at https://crsreports.congress.gov/product/pdf/R/R47557.
Boateng B.A., “Hack Back,” Medium, 3 July 2023, at https://medium.com/@benjaminaffengboateng/hack-back-5bada6357d5.
Broeders D., “Private Active Cyber Defense and (International) Cyber Security—Pushing the Line?,” Journal of Cybersecurity, vol. 7, no. 1 (2021), https://doi.org/10.1093/cybsec/tyab010. DOI: https://doi.org/10.1093/cybsec/tyab010
Christen M., Gordjin B., Loi M., The Ethics of Cybersecurity, Cham 2020, https://doi.org/10.1007/978-3-030-29053-5. DOI: https://doi.org/10.1007/978-3-030-29053-5
Cook Ch., “Cross-Border Data Access and Active Cyber Defense: Assessing Legislative Options for a New International Cybersecurity Rulebook,” Stanford Law & Policy Review, vol. 29, no. 2 (2018), pp. 205-236.
Daines S., “S.2292 – Study on Cyber-Attack Response Options Act,” Congress, 24 June 2021, at https://www.congress.gov/bill/117th-congress/senate-bill/2292/text?s=1&r=14.
Dewar R.S., CSS Cyber Defence Trend Analysis 1: Active Cyber Defense, Zürich 2017, at https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2017-03.pdf.
Dewar R.S., “The ‘Triptych of Cyber Security’: A Classification of Active Cyber Defence,” in 2014 6th International Conference on Cyber Conflict (ICCC), Tallinn 2014, pp. 7-21, https://doi.org/10.1109/CYCON.2014.6916392. DOI: https://doi.org/10.1109/CYCON.2014.6916392
Duffy R., “Private Sector Warms to U.S. Cyber Command Carrying out ‘Hack Backs,’” Cyber-Scoop, 19 June 2018, at https://cyberscoop.com/cyber-command-hack-back/.
Dziwisz D., USA and the International Cybersecurity, Cracow 2010.
Emilio I., “Private Sector Hack-Backs Are a Recipe for Disaster,” Strike Source, 24 November 2023, at https://strikesource.com/2023/11/24/private-sector-hack-backs-are-a-recipe-fordisaster/.
Fischerkeller M.P., Goldman E.O., Harknett R.J., Cyber Persistence Theory: Redefining National Security in Cyberspace, Oxford 2022, https://doi.org/10.1093/oso/9780197638255.001.0001. DOI: https://doi.org/10.1093/oso/9780197638255.001.0001
Fisher M., “Should the U.S. Allow Companies to ‘Hack Back’ against Foreign Cyber Spies?,” The Washington Post, 23 May 2013, at https://www.washingtonpost.com/news/worldviews/wp/2013/05/23/should-the-u-s-allow-companies-to-hack-back-against-foreigncyber-spies/.
Gerke K., “Canadian Hack-Back?: A Consideration of the Canadian Legal Framework for Private‑Sector
Active Cyber Defence,” Alberta Law Review, vol. 59, no. 1 (2021), pp. 171-200, https://doi.org/10.29173/alr2668. DOI: https://doi.org/10.29173/alr2668
Giles M., “Five Reasons ‘Hacking Back’ Is a Recipe for Cybersecurity Chaos,” MIT Technology Review, 21 June 2019, at https://www.technologyreview.com/2019/06/21/134840/cybersecurity-hackers-hacking-back-us-congress/.
Gordon S., Rosenbach E., “America’s Cyber-Reckoning: How to Fix a Failing Strategy,” Foreign Affairs, vol. 101, no. 1 (2022), pp. 10-21.
Graves T., “H.R.3270 – Active Cyber Defense Certainty Act,” Congress, 13 June 2019, at https://www.congress.gov/bill/116th-congress/house-bill/3270/actions.
Graves T., “Let’s Make Hackers Think Twice,” The Hill, 25 October 2017, at https://thehill.com/opinion/cybersecurity/357004-lets-make-hackers-think-twice/.
Healey J., A Nonstate Strategy for Saving Cyberspace, Washington, D.C. 2017, at https://www.atlanticcouncil.org/wp-content/uploads/2015/08/AC_StrategyPapers_No8_Saving_Cyberspace_WEB.pdf.
Healey J., Shaping American Cyber Security Policy, interview by D. Dziwisz, November 2013.
Hoffman W., Levite A.E., Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace?, Washington, D.C. 2017, at https://carnegieendowment.org/files/Cyber_Defense_INT_final_full.pdf.
Ikeda S., “CISA Expands Public-Private Partnerships for Cyber Defense, Calls on Silicon Valley to Bolster Cloud Security & Fight Ransomware Attacks,” CPO Magazine, 11 August 2021, at https://www.cpomagazine.com/cyber-security/cisa-expands-public-private-partnerships-for-cyber-defense-calls-on-silicon-valley-to-bolster-cloud-security-fight-ransomware-attacks/.
“Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats,” Center for Cyber and Homeland Security, October 2016, at https://perma.cc/SAX8-4LW3.
Kello L., “Private-Sector Cyberweapons: Strategic and Other Consequences,” SSRN Electronic Journal, 2016, pp. 1-24, https://doi.org/10.2139/ssrn.2836196. DOI: https://doi.org/10.2139/ssrn.2836196
Kello L., The Virtual Weapon and International Order, New Haven 2017, https://doi.org/10.2307/j.ctt1trkjd1. DOI: https://doi.org/10.2307/j.ctt1trkjd1
Lachow I., “Active Cyber Defense: A Framework for Policymakers,” Center for a New American Security, 22 February 2013, at https://www.cnas.org/publications/reports/active-cyber-defense-a-framework-for-policymakers.
Lee R.M., The Sliding Scale of Cyber Security: A SANS Analyst Whitepaper, August 2015, at https://perma.cc/TU3K-XEFU.
Lemos R., “Why the Hack-Back Is Still the Worst Idea in Cybersecurity,” TechBeacon, at https://techbeacon.com/security/why-hack-back-still-worst-idea-cybersecurity.
Lin P., “Ethics of Hacking Back: Six Arguments from Armed Conflict to Zombies,” A Policy Paper on Cybersecurity, 26 September 2016, pp. 1-34, http://dx.doi.org/10.2139/ssrn.4682398. DOI: https://doi.org/10.2139/ssrn.4682398
Lynn III W.J. “Remarks on Cyber at the RSA Conference,” U.S. Department of Defence, 15 February 2011, at http://www.defense.gov/speeches/speech.aspx?speechid=1535.
McGee S., Sabett R.V., Shah A., “Adequate Attribution: A Framework for Developing a National Policy for Private Sector Use of Active Defense,” Journal of Business & Technology Law, vol. 8, no. 1 (2013), pp.1-47, at https://digitalcommons.law.umaryland.edu/jbtl/vol8/iss1/3/.
Miller J.N., Butler R.J., National Cyber Defense Center: A Key Next Step toward a Whole-of-Nation Approach to Cybersecurity, Baltimore 2021, at https://www.jhuapl.edu/sites/default/files/2022-12/NationalCyberDefenseCenter.pdf.
Mueller III R.S. “Combating Threats in the Cyber World,” Federal Bureau of Investigation, 1 March 2012, at https://archives.fbi.gov/archives/news/speeches/combating-threats-inthe-cyber-world-outsmarting-terrorists-hackers-and-spies.
The National Bureau of Asian Research, The IP Commission Report: The Report of the Commission on the Theft of American Intellectual Property, May 2013, at https://www.nbr.org/wpcontent/uploads/pdfs/publications/IP_Commission_Report.pdf.
“National Cybersecurity Strategy,” White House, March 2023, at https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
“NSA Director on Cybersecurity Threats,” C-SPAN, 2 April 2015, at https://www.c-span.org/video/?325152-1/nsa-director-cybersecurity-threats.
Nusca A., “Hayden: ‘Digital Blackwater’ May Be Necessary for Private Sector to Fight Cyber Threats,” ZDNET, 31 July 2011, at https://www.zdnet.com/article/hayden-digitalblackwater-may-be-necessary-for-private-sector-to-fight-cyber-threats/.
Office of Legal Education Executive Office for United States Attorneys, Prosecuting Computer Crimes, Washington, D.C. 2010, at https://www.justice.gov/d9/criminal-ccips/legacy/2015/01/14/ccmanual_0.pdf.
Pattison J., “From Defence to Offence: The Ethics of Private Cybersecurity,” European Journal of International Security, vol. 5, no. 2 (2020), pp. 233-254, https://doi.org/10.1017/eis.2020.6. DOI: https://doi.org/10.1017/eis.2020.6
“Press Briefing on the Attribution of the WannaCry Malware Attack to North,” White House, 19 December 2017, at https://trumpwhitehouse.archives.gov/briefings-statements/pressbriefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/.
Rosenzweig P., “International Law and Private Actor Active Cyber Defensive Measures,” Stanford Journal of International Law, vol. 47, no. 2 (2013), pp. 1-13, https://doi.org/10.2139/ssrn.2270673. DOI: https://doi.org/10.2139/ssrn.2270673
Rudden J., “Business Risks Globally 2020,” Statista, 22 August 2023, at https://www.statista.com/statistics/422171/leading-business-risks-globally/.
Santistevan G., “The Case against Hacking Back,” Georgetown Security Studies Review, 11 December 2017, at https://georgetownsecuritystudiesreview.org/2017/12/11/the-case-againsthacking-back/.
Shackelford S., Charoen D., Waite T., Zhang N., “Rethinking Active Defense: A Comparative Analysis of Proactive Cybersecurity Policymaking,” University of Pennsylvania Journal of International Law, vol. 41, no. 2 (2018), pp. 377-427, https://doi.org/10.2139/ssrn.3303407. DOI: https://doi.org/10.2139/ssrn.3303407
United States Department of Defense, Department of Defense Dictionary of Military and Associated Terms: Joint Publication 1-02, November 2010, at https://irp.fas.org/doddir/dod/jp1_02.pdf.
United States Department of Defense, Department of Defense Strategy for Operating in Cyberspace, July 2011, at https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf. DOI: https://doi.org/10.21236/ADA545385
United States Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents, Washington, D.C. 2018, at https://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents2.pdf.
Van Dine A., “When Is Cyber Defense a Crime? Evaluating Active Cyber Defense Measures Under the Budapest Convention,” Chicago Journal of International Law, vol. 20, no. 2 (2020), pp. 530-564, at https://chicagounbound.uchicago.edu/cgi/viewcontent.cgi?article=1777&context=cjil.
Winstead N., “Hack-Back: Toward a Legal Framework for Cyber Self-Defense,” American University, 26 June 2020, at https://www.american.edu/sis/centers/security-technology/hackback-toward-a-legal-framework-for-cyber-self-defense.cfm.
Wolff J., “Attack of the Hack Back: The Worst Idea in Cybersecurity Is Back Again,” Slate, 17 October 2017, at https://slate.com/technology/2017/10/hacking-back-the-worst-ideain-cybersecurity-rises-again.html.
Downloads
Published
Issue
Section
License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
