Active defence — a term that captures a spectrum of proactive cybersecurity measures falling between traditional passive defence and offence (also sometimes colloquially known as hack back). Active defence can fall under two general categories: first, technical interactions between a defender and an attacker; and second, operations that enable defenders to collect intelligence on threat actors and indicators on the internet, as well as other non-cyber policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behaviour of malicious actors.46
While some commentators have analytically differentiated hack back from active defence by the intention of the attacked organization (e.g. active defence refers to attempts to retrieve information whereas hack back refers to reciprocally inflicting damage on an alleged adversary), this report uses these terms interchangeably.47
An increasingly important question for lawmakers is: what limits should apply to active defence measures by a private organization? How should the government clearly circumscribe the technical measures a private-sector organization is empowered to use to respond to attacks? Such measures have created heated debate on both the technical and ethical fronts.
Active defence is a topic of controversy for practitioners, as certain common practices used to investigate and respond to potential intrusions are theoretically in contravention of existing broad legal guidance on permissible network defence.48
A government’s position on the permissibility of hack back should be a function of two factors: the active defence techniques that are permissible, and the alleged identity of the adversary against whom those techniques are being mobilized. Additionally, it is helpful to describe the permissibility of hack back in three broad categories: approved, permissible and forbidden:
- Active defence techniques span a gamut whose wide differentiation creates opportunity for policy consensus, from generally accepted techniques (like research on the tools and techniques of network intruders) to more invasive techniques where an organization is acting beyond the borders of its own networks. The use of extra-network techniques would normally be relatively infrequent vis-à-vis the measures an organization is empowered to implement within its own network. Furthermore, the prudent deployment of these techniques will typically require the active engagement of the highest levels of an organization’s security, risk and legal leadership.
- It is helpful for policy-makers to establish clear guidance on the adversaries that attacked organizations are permitted to pursue. To underscore the point: hack back policy that does not require organizations to provide robust evidence to reliably establish the identity of the adversary they intend to pursue is inadvisable. It is important to recall that attributing an attack is difficult. But the inability to target a response, particularly if it acts beyond the borders of a network, risks creating enormous collateral damage. A perceived network intrusion could set off a cascade of reciprocal hack backs that may be destabilizing if the identity of the intruder is not well established.
- The alleged identity of the adversary should also affect the permissibility of active defence. Responding to a nation-state adversary may trigger significant collateral obligations for a host state of would-be active defenders. As such, policy-makers may consider curtailing attempts to attack nation-states. Policy-makers might also consider curtailing the use of active defence techniques against more sophisticated non-state adversaries, as those adversaries may have a greater ability to obfuscate their identity and dangerously escalate a conflict.
Policy model: Active defence
Key value trade-offs created by active defence policy choices
Connecting policy to values
The value trade-offs created by active defence policy are shrouded in more ambiguity than other topics in cybersecurity. Little empirical evidence exists regarding the impact of active defence because it is not measured in most jurisdictions (owing to its questionable legal status).
- The starkest example illustrating the difficulty of understanding the trade-offs associated with active defence is its impact on security. In theory, the permissibility of more invasive active defence techniques should concern and deter adversaries as those adversaries will believe that the costs of criminal activity are higher. However, active defence might also reduce security for innocent bystanders, who may be the recipient of an incorrectly targeted hack back or, perhaps worse, experience collateral damage from an escalation of cyberattacks. In short, the use of more invasive active defence techniques has an ambiguous impact on security.
- The use of hack back techniques also has an ambiguous economic value in the long run. Even in the short term, the proliferation of such techniques will be costly, as effective active defence is an expensive capability for an organization to field. In addition to this first-order cost, active defence risks collateral damage, liability or an escalation of attacks in cyberspace.
- Enabling the private sector to act with a greater degree of freedom in cyberspace (embodied by a more permissive view of the active measures organizations may take to defend themselves) will increase the private sector’s accountability to ensure security. With greater tools, private-sector organizations can rightly be expected to take a greater role in their own security. As active defence creates more private-sector accountability, it also creates substantial concerns for public-sector accountability. If an organization wrongfully responds to a nation-state, it is not clear what obligations the host state of the active defender has. In the case of a multinational, it might not even be understood which public sector is on the proverbial “hook”. Is it the country of residence for the corporate headquarters or the country from where the attack was launched? Or is it both?
- Even to the extent that more organizations are empowered, active defence techniques are likely to be the province of very few organizations with significant capabilities (somewhat like attribution). Consequently, more permissive active defence policies are likely to decrease fairness.