A Q&A with Wyatt Hoffman of Carnegie Endowment for International Peace
As cyber-attacks continue to mount, private organizations are ramping up their security activities, and many wonder whether “active cyber defense” is the answer. Of course, what constitutes “active cyber defense” is an emerging debate for international lawmakers and policy makers, says Carnegie Endowment for International Peace senior research analyst Wyatt Hoffman. I asked him about this concept and the related issues at hand.
The term “active defense” originated in the US military to describe generally a proactive defensive posture, interfering with and in some cases preempting an adversary’s attack.
What is “active cyber defense”? Is it the same thing as “hacking back”?
There’s a lot of confusion around this contentious term. People in the information security community will think of active defense as leaving traps inside your network to confuse or deceive adversaries, to make it harder for them to steal data or accomplish their objective in your network. For others, it’s a euphemism for “hacking back.” E.g., if a corporation is hacked they then retaliate by hacking the attacker’s own system to cause damage or disrupt the attack.
The term “active defense” originated in the US military to describe generally a proactive defensive posture, interfering with and in some cases preempting an adversary’s attack. The application of this term to cybersecurity creates confusion, and the first thing to point out is that there is a spectrum of activity that could be considered active cyber defense. You have on one end purely passive and usually static tactics such as firewalls and encryption. On the other is hacking back, cutting off the hacker’s access to their server or causing retaliatory damage, activities that cross a line into offensive. There’s a wide range of technical measures and practices in between. For instance, there are tactics such as beaconing in which you attach mapping technology to data so that when the data gets exfiltrated the beacon can tell you where it is and attribute the attack. Or there is more aggressive “white hat” ransomware that automatically encrypts stolen data on an attacker’s computer.
I use the term active defense to describe this whole spectrum, not because I’m wedded to a particular technical definition but because I’m interested in fostering a debate about what’s on and off the table for the private sector, so we have to talk about norms of behavior across this space.
Why is this issue so contentious? What’s driving the debates in technical and policy circles?
Indicators suggest that active cyber defense is becoming more mainstream and a new piece of legislation called the Active Cyber Defense Certainty Act would legalize some of these measures if passed. There are growing calls, on one hand, by some who think we should let the private sector be more aggressive because of the insufficiency of government response to growing threats. The other camp is saying this is vigilantism and it will unleash a wild west situation if we allow corporations to go outside their networks and create all kinds of risks for escalation and collateral damage.
For instance, if you use a measure to attack a hacker on a third-party network it could cause disruption or damage to innocent third party network users. At the same time, certain measures in the middle of the spectrum, if conducted responsibly, could dramatically improve defense against cyberattacks and potentially even shift the calculus for malicious actors in the long-run. One of the fundamental points we try to make is that we need to avoid false dichotomies. The debate fixates on whether to allow hacking back but we need to move beyond that and have more nuanced discussion about the whole set of capabilities from the relatively innocuous but legally ambiguous to those that should unequivocally be off the table.
The reality is that a lot goes on underneath the surface—there have been a number of interesting reports, including a recent piece in The New Yorker, about this debate. We know that a significant number of cyber security professionals, at least a third, claim to have already engaged in retaliatory hacking (according to a survey taken at Black Hat). Just today, a CEO of a power company talked about retaliating if anyone attacked the electric grid. There have been many rumors and anecdotes of banks hiring hackers abroad to disrupt or retaliate against attackers. A Dutch scholar recently spoke about the growing practice in the Dutch financial industry of hiring foreign firms for server takedown services. These trends are going to be driven by the sectors that are the biggest targets. We know there’s a growing transnational market for these services and companies that operate in more permissive legal environments are driving it. So, it becomes an issue of global governance rather than solely a question of national policy.
What are some of the dilemmas surrounding the private sector’s engagement in these activities?
I like to set aside for a moment the question of what’s legal under the Computer Fraud and Abuse Act. As far as we’re concerned, the dilemma is what do we want the international domain of cyber security activity to look like—not just what do we do with legislation domestically but what rules and guidelines can be put into place, how to shape an incentive structure for the responsible conduct of defensive activities, how to set standards and norms in this global domain. What we do with CFAA should flow from that broader, normative assessment and should account for the realistic limitations on national regulation.
There are inevitable risk tradeoffs with these activities, generally speaking. Theoretically, the more aggressive the defense is it, the more it will reduce costs and damage from attempted or successful attacks, either direct and indirect. However, aggressively retaliating against attacks will increase the risks of collateral damage from misattribution, cause inadvertent escalation or even an international incident. In doing so, it would increase the defender’s cumulative risk exposure. How do we weigh these countervailing risks against each other? Do we do too little or engage in defensive activity that causes more harm than good? One of the ways to begin to resolve this issue is to narrow the scope of activities by taking the riskiest ones off the table and leaving the no-brainers like internal honey pots that are relatively low risk.
Another dilemma is who should engage in this defense? Private actors differ significantly in their capacity to undertake this role. I might not want just any company to engage in white hat ransomware but a major company that has a central role in cyber security could raise the bar and ease concerns of misattribution and collateral damage. There should be those sorts of formal and informal barriers to entry through a shared sense of corporate social responsibility.
One of the key conflicts when you think about creating a space for a legitimate act of defense is how would you do this in legislation? It’s very circumstantial and difficult to define when defense like this should be safe and legal.
What relevance does active defense have for cyber insurance? What role can insurance play in governing this space?
In a report we released last year, we made an analogy to maritime security. Escalating Somali piracy in the late 2000s became an existential threat for the maritime shipping industry in the Gulf of Aden. Initially, it was considered a military problem but naval forces were unable to deal with the scope of the problem. Private companies then started to hire armed guards with little accountability or regulation in many countries, and it was difficult to enforce anything that was happening on the high seas. What helped develop international standards was the insurance industry. The big insurers in London saw the benefit of having armed guards but they helped foster clear rules of engagement to limit their capabilities and the potential for escalation—for instance, allowing only small arms and not military grade weapons. The insurance industry both defined the standard of responsible conduct and leveraged its influence over shipping companies through the cost of premiums to motivate security providers to abide by it.
We’re at a similar inflection point in cybersecurity. The government is struggling to manage escalating cyber risk and the private sector has the means, motive, and opportunity to more aggressively undertake “self-help”—and there are signs it is beginning to do so whether we like it or not. Yet we need mechanisms to ensure that any defense with risks to third parties could be undertaken responsibly.
We could use this model and apply it to cyber defense. Insurance can leverage financial stakes and act as proxy regulator to create solutions for governing this space. Insurance companies could come in and say, “some activities are off the table; if you’re going to conduct the activities on the table they should be a last resort, only after you’ve taken all measures short to ensure security. When you do conduct these activities, you should be doing so under certain conditions and with precautions and safeguards to ensure responsible conduct.”
If we focus solely on what is currently legal, we’re ignoring the more important question about what norms of behavior we should be promoting given the realistic limits on the government’s authority over this space. We may risk a situation in which hacking back becomes absolutely de facto behavior and then norms will emerge internationally that we can’t control. Underlying this is creating incentives for the private sector to uphold these standards and leverage corporate social responsibility.
The cyber insurance industry is not mature enough to take on this responsibility at the moment. There are significant barriers to unlocking its full potential to manage even more basic cybersecurity challenges. But we’ve partnered with Axio on a forthcoming paper on the role of insurance in managing corporate cyber risk more broadly. We looking at how we can operationalize this approach in the long term.
I want to thank Mr. Hoffman for thoughtful discussion on an emerging topic that I had the good fortune to learn about at our recent NetDiligence Cyber Risk Summit conference.
Cyber risk insurance carriers, along with their insured business clients who are actively combating cyber risk and data breach threats every day, should certainly be paying attention to this debate. Mr. Hoffman raises a number of interesting points, such as the potential for collateral damage and resulting implications. That could, for example, theoretically expose the “active defending” organization to additional liability, such as class-action lawsuits, due to downstream damages suffered by innocent third parties caught up in a hack-back operation.
The idea that some cyber risk insurers could ultimately play an important role and help create some standards of care governing the active defense practice is another fascinating concept. We plan to continue this dialogue with Wyatt and the Carnegie organization.