Cyber Resilience: Active defence
    Active defence

    Definition

    Active defence — a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defence and offence (also sometimes colloquially known as hack back); active defence can fall under two general categories: first, technical interactions between a defender and an attacker, and second, operations that enable defenders to collect intelligence on threat actors and indicators on the internet, as well as other non-cyber policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behaviour of malicious actors.[46]

    While some commentators have analytically differentiated hack back from active defence by the intention of the attacked organization (e.g. active defence refers to attempts to retrieve information whereas hack back refers to reciprocally inflicting damage on an alleged adversary), this report uses these terms interchangeably.[47]

    Policy model

    An increasingly important question for lawmakers is: what limits should apply to active defence measures by a private organization? How should the government clearly circumscribe the technical measures a private-sector organization is empowered to use to respond to attacks? Such measures have created heated debate on both the technical and ethical fronts.

    Active defence is a topic of controversy for practitioners, as certain common practices used to investigate and respond to potential intrusions are theoretically in contravention of existing broad legal guidance on permissible network defence.[48]

    A government’s position on the permissibility of hack back should be a function of two factors: the active defence techniques that are permitted, and the alleged identity of the adversary against whom those techniques are mobilized. Additionally, it is helpful to describe the permissibility of hack back in three broad categories: approved, permissible and forbidden:

    • Active defence techniques span a gamut whose wide differentiation creates opportunity for policy consensus, from generally accepted techniques (like research on the tools and techniques of network intruders) to more invasive techniques where an organization is acting beyond the borders of its own networks. The use of extra-network techniques would normally be relatively infrequent vis-à-vis the measures an organization is empowered to implement within its own network. Furthermore, the prudent deployment of these techniques will typically require the active engagement of the highest levels of an organization’s security, risk and legal leadership.
    • It is helpful for policy-makers to establish clear guidance on the adversaries that attacked organizations are permitted to pursue. To underscore the point: hack back policy that does not require organizations to provide robust evidence to reliably establish the identity of the adversary they intend to pursue is inadvisable. It is important to recall that attributing an attack is difficult. But the inability to target a response, particularly if it acts beyond the borders of a network, risks creating enormous collateral damage. A perceived network intrusion could set off a cascade of reciprocal hack backs that may be destabilizing if the identity of the intruder is not well established.
    • The alleged identity of the adversary should also affect the permissibility of active defence. Responding to a nation-state adversary may trigger significant collateral obligations for a host state of would-be active defenders. As such, policy-makers may consider curtailing attempts to attack nation-states. Policy-makers might also consider curtailing the use of active defence techniques against more sophisticated non-state adversaries, as those adversaries may have a greater ability to obfuscate their identity and dangerously escalate a conflict.

    Figure: Policy model: Active defence

    Figure: Key values trade-offs created by active defence policy choices

    Connecting policy to values

    The value trade-offs created by active defence policy are shrouded in more ambiguity than other topics in cybersecurity. Little empirical evidence exists regarding the impact of active defence because it is not measured in most jurisdictions (owing to its questionable legal status).

    • The starkest example illustrating the difficulty of understanding the trade-offs associated with active defence is its impact on security. In theory, the permissibility of more invasive active defence techniques should concern and deter adversaries as those adversaries will believe that the costs of criminal activity are higher. However, active defence might also reduce security for innocent bystanders, who may be the recipient of an incorrectly targeted hack back or, perhaps worse, experience collateral damage from an escalation of cyberattacks. In short, the use of more invasive active defence techniques has an ambiguous impact on security.
    • The use of hack back techniques also has an ambiguous economic value in the long run. Even in the short term, the proliferation of such techniques will be costly, as effective active defence is an expensive capability for an organization to field. In addition to this first-order cost, active defence risks collateral damage, liability or an escalation of attacks in cyberspace.
    • Enabling the private sector to act with a greater degree of freedom in cyberspace (embodied by a more permissive view of the active measures organizations may take to defend themselves) will increase the private sector’s accountability to ensure security. With greater tools, they can rightly be expected to take a greater role in their own security. As active defence creates more private-sector accountability, it also creates substantial concerns for public-sector accountability. If an organization wrongfully responds to a nation-state, it is not clear what obligations the host state of the active defender has. In the case of a multinational, it might not even be understood which public sector is on the proverbial “hook”. Is it the country of residence for the corporate headquarters or the country from where the attack was launched? Or is it both?
    • Even where policy empowers more organizations, active defence techniques are likely to remain the province of the very few organizations with significant capabilities (somewhat like attribution). Consequently, more permissive active defence policies are likely to decrease fairness.
    Notes

    46. Center for Cyber & Homeland Security, The George Washington University. (October 2016). Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats, p. 10. Retrieved 21 December 2017 from https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf
    47. World Economic Forum confidential interviews, June-November 2017.
    48. Hoffman, W. and Levite, A. (2017, 14 June). Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace? Carnegie Endowment for International Peace. Retrieved 21 December 2017 from http://carnegieendowment.org/2017/06/14/private-sector-cyber-defense-can-active-measures-help-stabilize-cyberspace-pub-71236
    © 2022 World Economic Forum