Active cyber defense has become an increasingly contentious subject of policy and operational discussions alike, due (in part) to media exposure, a frustration with the ability for companies to protect themselves with a purely defensive posture, and attention from Congress. With the never-ending parade of cyberattacks and compromises, it is difficult to deny that a dialog about offensive cyber operations would help avoid problems from a lack of national policy. The logic behind active cyber defense seems valid — the right of self-defense has existed for hundreds of years in the physical realm; it should have a corresponding construct in the cyber world. Unfortunately, a lack of clarity in current law and policy has not allowed that to happen.
Several reports and commentators have referred to the use of “all the tools of U.S. power” or confronting cyberattacks “with all available means” in discussing the general aspects of the government’s approach to cybersecurity. Further confusing the issue are discussions that conflate cyber espionage and cyberattacks. For the commercial and private sectors, regardless of the terms used, an attack on their networks is just that, an attack that must be dealt with in some manner.
Those in favor of employing active cyber defense generally agree that it has inherent dangers. For example, on the fundamental issue of identifying the attacker, some commentators point out that absolute technical attribution can never be achieved. The question becomes, then, what level of attribution would be appropriate from a policy perspective in order to justify the use of active defense. At one extreme would be absolute knowledge of the identity of the attacker, which, as already noted, many agree that significant difficulty exists in attaining this. At the other extreme would be a policy where little, if any, diligence would be required prior to hacking back.
In an attempt to establish a policy position on this issue, the House recently made amendments to H.R. 624, the Cyber Intelligence Sharing and Protection Act (“CISPA”), which provides what many are calling broad “immunity” from active cyber defense activities. Specifically, in Section 3 appears a section entitled “Exemption from Liability.” It states that “[n]o civil or criminal cause of action shall lie or be maintained in Federal or State court against [any entity protected under the Act], acting in good faith–(i) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or (ii) for decisions made for cybersecurity purposes and based on cyber threat information identified, obtained, or shared under this section.”
The passage of CISPA in the House on April 18 by a vote of 288 to 127 further ratcheted up the activity related to active cyber defense. The authors designed CISPA to provide some additional latitude for companies to utilize counter measures as part of their information security programs. The perceived vagueness and overbreadth of the language has unsettled many. As a result, groups have been working to find meaningful ways to distinguish between acceptable countermeasures and illegal activity.
ZwillGen attorneys have been at the forefront of the analysis of this issue, including co-authoring Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (Marc J. Zwillinger) and Adequate Attribution: A Framework for Developing a National Policy for Private Sector Use of Active Defense (Randy V. Sabett). We would happy to help our clients navigate these tricky issues, as well as engage in policy discussions in Washington (e.g., at CDT) to make sure their interests are being represented.
 The Commission on Cybersecurity for the 44th Presidency recommended the use of “all the tools of U.S. power— international engagement and diplomacy, military planning and doctrine, economic policy tools, and the work of the intelligence and law enforcement communities.” (emphasis added), available at http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf.
Specifically, Senator Joseph Lieberman said that “Google’s experience should be a lesson to us all to confront this ever growing problem aggressively and with all available means.” Paul Eckert, U.S., Google and China Square Off Over Internet, Reuters, Jan. 13, 2010, available at http://www.reuters.com/article/idUSTRE60C1TR20100113 (emphasis added).