Implementation of Active Cyber Defense Measures by Private Entities: The Need for an International Body to Address Disputes

Ike Barnes

EXECUTIVE SUMMARY

News reports about cyber-attacks against corporations are commonplace. A search of Google News on July 31, 2017, for cyber-attacks yielded eight articles from the same day on the first page of the search return. To address this problem, organizations such as George Washington University’s Center for Cyber and Homeland Security and the Heritage Foundation have proposed the implementation of active cyber defense measures by the private sector to increase the collective cybersecurity posture of all entities.[1] (For clarity, both the Center for Cyber and Homeland Security and Professor Dorothy Denning from the Naval Postgraduate School have limited the definition of active cyber defense to measures that do not involve hacking a threat actor to recover material by the private sector.)[2] These proposals have brought forth differing opinions on the legality of active ; however, proponents and opponents of these measures all agree that cybersecurity is a national security issue for the nations of the world.

To address the legal objections, Representatives Tom Graves (R-GA) and Krysten Sinema (D-AZ) proposed the Active Cyber Defense Certainty (ACDC) Act on October 13, 2017, which creates an affirmative defense for private entities that use active measures external to their networks to determine the location of persistent attacks on their networks and to address the limitations of passive cyber defense measures.[3] This proposed legislation has reshaped the conversation to include the application of deterrence theory in cyberspace across the geopolitical boundaries between nation states, organizations, individuals, and cyber threat actors, yet it does not address the global nature of cyberspace and the ease in which entities can cross geopolitical borders.

Representative Edward Royce (R-CA) introduced the Cyber Diplomacy Act of 2017, a law that would create an office within the Department of State to negotiate cyber matters on behalf of the United States abroad and “to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against deception, fraud, and theft.”[4] The Cyber Diplomacy Act of 2017 creates a mechanism to address the concerns surrounding the use of active cyber defense measures by American companies in cyberspace. Combining these two pieces of legislation promotes U.S. interests in cyberspace globally while allowing private entities to engage in active cyber defense measures external to their networks with the goal of deterring cyber-attacks; however, it still leaves a gaping hole in U.S. cybersecurity. There is no single entity charged with creating a coherent cybersecurity policy. In fact, numerous executive branch agencies in the intelligence community (IC), law enforcement, the military, and the Department of Homeland Security are charged with various aspects of cybersecurity policy creation and implementation.

The U.S. government, due to the 9/11 Commission’s findings, created a director of national intelligence in 2005 to address IC shortfalls in the aggregation of intelligence to prevent terrorist attacks. Likewise, the threat to national security created by the number of diverse and disparate executive branch entities with roles in the creation and implementation of America’s cybersecurity policy necessitates the creation of a national director of cybersecurity. This director needs regulatory authority over private-sector critical infrastructure and key resources (CIKR) to ensure that best practices are followed and that the U.S. government issues a standard for the CIKR sectors to follow in cybersecurity matters. Furthermore, the national director of cybersecurity can serve as the coordination point for the private sector’s implementation of active cyber defense measures as required by the ACDC Act. Combining the ACDC Act and the Cyber Diplomacy Act of 2017, in conjunction with the creation of an empowered national director of cybersecurity, creates a holistic policy for the United States, but an international body is still needed to manage and mitigate the disputes that will inevitably arise between nations with the use of active cyber defense measures.

The Council of Europe and the United States recognized a need for an international accord to homogenize global laws on cyber matters in the late 1990s. The resultant 2001 treaty, the Budapest Convention on Cybercrime, states in summary that nations should homogenize their laws in cyberspace to increase cooperation in enforcement matters as criminals can conduct cyber-attacks globally.[5] The North Atlantic Treaty Organization (NATO) created the Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, in 2008 “to enhance the capability, cooperation and information sharing among NATO, NATO nations and partners in cyber defence by virtue of education, research and development, lessons learned and consultation.”[6] The CCDCOE played a key role in authoring the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, which outlines the myriad of international laws in cyberspace.[7] Given this expertise, the CCDCOE should use the Budapest Convention on Cybercrime as a framework for disputes arising from the implementation of the ACDC Act. The CCDCOE’s 29 centres provide the infrastructure necessary to mitigate disputes in a variety of locales.[8] The United States should petition NATO to change the charter of the CCDCOE, so it can be the international agency to mitigate cyber disputes between nations.

The legislative branch, the executive branch, NATO, and the private sector all have a role to play in the implementation of active cyber defense measures. As there is at least ambiguity surrounding the employment of active cyber defense measures, the U.S. Congress needs to make at least some facets of active cyber defense legal. The executive branch needs to develop a policy surrounding the legalization of active cyber defense. NATO should explore a role in the mitigation of disputes arising between nations from the employment of active cyber defense measures. The private sector needs to develop the implementation techniques.

Cybersecurity experts agree the current state of global cybersecurity needs improvement. Though there is significant disagreement about the employment of active cyber defense measures, this thesis concludes that to raise the collective cybersecurity of all, active cyber defense measures need to be legalized and employed. They will deter cyber threat actors and change their cost–benefit analysis for conducting illicit activities in cyberspace. Creating a national director of cybersecurity to unify and coordinate the cybersecurity policy of the United States will only strengthen the employment of active cyber defense. Likewise, empowering NATO’s CCDCOE to mitigate disputes between nations will facilitate information sharing between countries, making it harder for faceless enemies to remain anonymous.

Cybersecurity is a collective issue. It is not limited to the government, nor is it limited to the private sector. Only through the cooperation and mutual support outlined in this thesis can the United States raise the collective security of all. Active cyber defense is a facet of that collaboration. It is naïve for an entity to rely on passive cyber defense measures to protect its crown jewels.[9] The time for collective action is now. The bipartisan legislation legalizing active cyber defense in conjunction with the other measures presented in this thesis is the first step.

 

[1] Dennis C. Blair et al., eds., Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats (Washington, DC: George Washington University, Center for Cyber and Homeland Security, 2016); and Paul Rosenweig, Steven P. Bucci, and David Inserra, “Next Steps for US Cybersecurity in the Trump Administration: Active Cyber Defense,” Backgrounder, no. 3188 (May 5, 2017): 11.

[2] Blair et al., Into the Gray Zone, 9; and Dorothy E. Denning, “Framework and Principles for Active Cyber Defense” (Monterey, CA: Naval Postgraduate School, December 2013), 3.

[3] Active Cyber Defense Certainty Act, H.R. 4036, 115th Cong., 1st sess. (2017), https://www.congress.
gov/bill/115th-congress/house-bill/4036.

[4] Cyber Diplomacy Act of 2017, H.R. 3776, 115th Cong., 1st sess. (2017), https://www.congress.gov/
bill/115th-congress/house-bill/3776/text.

[5] Convention on Cybercrime, November 23, 2001, E.T.S. 185.

[6] “Home Page,” NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), accessed May 28, 2018, https://www.ccdcoe.org.

[7] Michael N. Schmitt, ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge: Cambridge University Press, 2017).

[8] CCDCOE, “Home Page.”

[9] Crown jewels are the key pieces of data and information a company has that make its business viable. The loss of this information generally means a company no longer exists. Among cybersecurity professionals, it is a common term and concept in describing what information a company must protect so that the proper tools can be put into place. Misidentification generally means the company is spending money to protect something that, if lost, is not critical to its business model. For an investment company, this would include both its client account information and trading strategy, which makes it different from other investment companies.

No Comments

Post a Comment