Thinking Through Active Defense in Cyberspace
Proceedings of the Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options, pp. 327-342, National Research Council, Washington, DC: National Academies Press, 2010
18 Pages. Posted: 14 Oct 2010. Last revised: 18 Jan 2016
Date Written: October 12, 2010
In this article, we take a forward-looking approach to the issue of active defense in cyberspace. Active defense typically occurs in the following way: the victim of a cyber attack detects an intrusion, identifies the source of the attack, and sends the data back at the attacker with the goal of interrupting the attack, thereby mitigating the harm to the victim’s system. Building on our earlier work arguing that active defense is socially optimal when accurate technology exists and civil litigation, criminal prosecution, and purely defensive strategies would be ineffective or impractical, we now discuss the domestic and international law implications of permitting active defense and offer recommendations for who should be responsible for active defense and under what circumstances. We recommend further improvement of the current technology available for active defense in order to ensure that any cyber counterstrikes have a strong chance of hitting the attacker. We stress the importance of any active defense regime being compatible with notions of self-defense under international humanitarian law and domestic law, though we reject the common conclusion that the Computer Fraud and Abuse Act could be read broadly to prohibit any sort of activity on the Internet that might cause harm to another computer owned and operated by a private citizen. We also discuss the implications of permitting active defense by private firms and conclude that there may be too many potential harms to permit private firms to engage in active defense in the absence of controlling government oversight. However, the need for a more centralized response to cyber attacks raises the question of whether a government entity should be responsible for conducting cyber counterstrikes, and if so, what legal considerations would arise in the event of government-controlled active defense.
Additionally, we examine the sort of controls that might be put in place to ensure the protection of oblivious third parties whose compromised computers might be inadvertently harmed by a cyberattack victim’s choice to employ active defense.
Keywords: cyberattacks, cyberdeterrence, active defense, hackback