Because government lacks the resources to fully defend the private sector, businesses will remain on the front lines of the cyber conflict.
That was one of the results of a report assessing the legal, policy and technological contexts that surround private sector cybersecurity and active defense measures to improve U.S. responses to evolving threats.
Three areas most vulnerable to cyberattacks are national security, economic vitality and privacy, according to the report from the GW Center for Cyber and Homeland Security at George Washington University.
“Given the scale and scope of the cyber threat, the digital equivalent of building higher walls and deeper moats alone is a reactive strategy doomed for failure,” said Frank Cilluffo, director of the Center for Cyber and Homeland Security. “Businesses cannot simply firewall their way out of this problem and must instead have greater leeway to more proactively respond to cyber threats. Active defense – done right – offers a viable path forward.”
A task force consisting of experts in the public and private sectors who are thought leaders in technology, security, privacy, law and business were behind the report. The aim of the report is to help chart a constructive course forward through the law, technology and policy as they relate to private sector active defense.
The task force examined current cybersecurity practices found in the private sector and provided case studies that lay out the strengths and weaknesses of such practices in addition to less common, active defense measures.
The report views the complex web of the legal gray areas of cyber defense that make it difficult for the private sector and policymakers to work together.
The Active Defense Task Force is co-chaired by Adm. Dennis Blair, former director of National Intelligence and chairman and chief executive of Sasakawa Peace Foundation USA; Michael Chertoff, former secretary of Homeland Security and executive chairman and co-founder of The Chertoff Group; Nuala O’Connor, president and chief executive of the Center for Democracy and Technology; and Cilluffo, director of the GW Center for Cyber and Homeland Security. Within the center, the task force is co-directed by Cilluffo and Christian Beckner, deputy director of the GW Center for Cyber and Homeland Security.
The report also provided a new definition of “active defense” that reflects the evolution of cybersecurity capabilities, including operations that allow defenders to gather intelligence and policy tools aimed at deterring hacks. With proper balance, the private sector can be a vital player in ensuring the nation’s economic and national security, the report said. The study differentiates between active defense and “hacking back,” which refers to offensive cyber measures beyond the scope of what is defined as permissible activity. It also balances the need to enable private sector active defense measures with other important considerations such as the protection of individual liberties, privacy and risks of collateral damage when implementing active defense.
The authors of the report developed a framework for active defense against cyber threats that seeks to maximize the effectiveness of the private sector’s ability to defend its most valuable data and assets through technical and non-technical tools.
This framework is risk-driven because it seeks to inform decision-makers about the relative legal, reputational and collateral risks associated with specific active defense measures. The report’s recommendations are broken down by actions for the executive branch, Congress and the private sector.
• Developing procedures for public-private coordination on active defense measures through existing industry-led cooperation mechanisms
• Amending the Computer Fraud and Abuse Act and the Cybersecurity Act of 2015 to affirmatively allow low- and medium-impact active defense measures
• Developing C-suite level operational templates based on risk assessment, industry standards and best practices to integrate into broader cyber strategy and incident response protocols
“The framework that we provide in this report offers a sustainable path forward for responsible private sector active defense,” Beckner said. “An informed and equipped private sector, supported by this framework, is necessary to improving America’s cybersecurity posture moving forward.”