Protecting the Private Sector from Cyberattacks

An ever-increasing number of cyberattacks has prompted a national debate and ongoing dialogue about how to effectively protect sensitive data. Coverage of the 2016 election and the focus on Hillary Clinton’s emails sparked examination of how the government can and should protect our networks. But what can private sector companies do to mitigate risk and ensure they are well equipped to handle cyberattacks? And what should the government do to support these measures?

In a recent report, “Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats,” George Washington University’s Center for Cyber & Homeland Security (CCHS) examines capabilities that can help address the gap between the private sector’s increased shift to an information technology environment and the resources needed to protect its information. The Active Defense Task Force, whose co-chairs include Center for Cyber and Homeland Security Director Frank Cilluffo, former Homeland Security Secretary Michael Chertoff, former Director of National Intelligence Admiral Dennis Blair, and President and CEO of the Center for Democracy & Technology Nuala O’Connor, argued that the Justice Department should issue guidance about what kinds of “active defense” measures are allowed by current laws and that the Homeland Security Department should develop a framework for working with private sector companies that want to implement defense strategies. The goal is to provide companies with more opportunities to aggressively defend themselves without fearing prosecution.

“Active defense,” as defined by CCHS, “is a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the Internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors.” The task force was clear that the term “active defense” should not be confused with “hacking back” and that the two should not be used interchangeably.

Task Force co-chair Dennis Blair added that the “active defense” approach could be described as “unleashing ingenuity on the cyber defense side to match the unleashed ingenuity on the attack side.” The report adds that strategies such as “Rescue missions” and “white hat ransomware” fall short of “hacking back” and should be considered.

To use more aggressive tactics to offset cyberattacks, we need government cooperation. The underlying issue is that some “active defense” activities may violate laws like the Computer Fraud and Abuse Act, which some industry experts see as outdated. As highlighted in the report, “Under U.S. law, there is no explicit right to self-defense by private companies against cyber threat actors.”

What might be most interesting is the dynamic nature of cyber threats versus the static nature of Congress, as identified by Chertoff in a panel discussion following the release of the report. While cyber threats are constantly evolving, the U.S. Government has been slow to deal with these issues, and even more sluggish at implementing policies that would allow organizations to take a more aggressive approach in their defense tactics.

Protecting public and private interests should be front and center in the national discussion on cybersecurity, and we must be well equipped to respond to these threats and attacks. Private sector organizations will be stronger at protecting themselves once the government can identify the most appropriate policies and frameworks for developing comprehensive defense strategies.