https://www.lawfareblog.com/self-help-cyberspace-path-forward
By Wyatt Hoffman, Ariel E. Levite
Lawfare.com
September 16, 2019
Recent years have seen sustained calls to “unleash” the private sector to more
assertively combat cyber threats. The argument has gained some sympathy in
Congress, where Rep. Tom Graves (R-Ga.) recently reintroduced the Active Cyber
Defense Certainty Act (ACDCA). As Bobby Chesney summarizes, the act, if passed,
would amend the Computer Fraud and Abuse Act (CFAA) to allow private entities,
under certain conditions, to engage in defensive measures that intrude into
attackers’ networks for purposes of attributing, disrupting or monitoring
malicious activity.
Motivating this renewed push for active defense is a growing recognition of the
magnitude of the peril that cyberattacks present to the private sector, along
with limits on the government’s ability to arrest its growth and bring the
perpetrators to justice. As former director of the National Security Agency
Gen. Michael Hayden put it, “[T]he cyber cavalry ain’t coming.” However,
notwithstanding the benefits of harnessing private-sector expertise to improve
cyber defense, the ACDCA is premature and of uncertain efficacy, and is
potentially even risky from both domestic and international perspectives. A
dual-track approach is therefore essential: The United States should prudently
explore acceptable domestic parameters for the practice of private-sector
“self-help” in cyberspace and engage other nations to harmonize these standards
internationally. The Justice Department can lead such an approach and—by
exercising prosecutorial discretion within the limits of existing law—begin to
define the scope and parameters for responsible private-sector conduct in this
domain.
The reintroduction of the ACDCA has predictably elicited two familiar sets of
objections. One is that any effort to create space for more assertive defenses
is dangerous; the other is that such efforts are unnecessary or even
irrelevant. The former objection resurfaces the opposition to private-sector
engagement in “hacking back,” citing risks of collateral damage from
misattribution, escalation, abuse by corporations for competitive advantage,
getting in the way of governmental operating space, and the potential for
triggering an international incident when defensive measures cross national
boundaries. The other source of opposition stems from the belief that such a
move would have dubious utility, as it would hardly change the calculus for
most corporations considering engaging in active cyber defense. In this view,
what holds corporations back from practicing more assertive cyber defense at
present is not only legal constraints (which companies can bypass if they wish
by using proxies and foreign operating bases) but also concerns over uncertain
efficacy, liability and reputational damages. Moreover, the ACDCA addresses
only criminal liability under the CFAA, giving corporations little clarity
regarding other state laws and a number of statutes relating to electronic
surveillance potentially in play.
These are all certainly valid considerations. Yet they do not necessarily weigh
equally with all forms of active cyber defense—which is often conflated with
the most extreme “hack backs.” Moreover, opponents and proponents of active
cyber defense alike should recognize that the current ambiguous legal
boundaries neither enable effective private-sector defense nor prevent more
risk-acceptant actors from engaging in reckless conduct. This is especially
true given the trajectory of the cybersecurity landscape.
[...]