Into the Gray Zone
24 | A Framework for Active Defense Against Cyber Threats

is required in most realms of active defense. A strong framework will help to alleviate the advantage that malicious actors gain from current ambiguity in terms of who takes the lead in defending businesses in cyberspace. The framework would also provide for greater transparency and accountability in private sector active defense.
The framework also balances the need to enable private sector active defense measures with other important considerations such as the protection of individual liberties, privacy, and the risks of collateral damage. While a strong framework for responsible active defense will bolster the tools that the private sector can employ to safeguard the privacy of their customers’ sensitive personal information, the importance of guaranteeing the responsible use of active defense measures cannot be overstated. Activities that extend beyond the networks that a company is authorized to access raise legitimate privacy concerns (among other issues) for innocent third parties, so the framework must ensure that any measures taken by the private sector are proportional to the threat and limited in scale, scope, duration, and effect. By providing a clear framework for these activities, practices that exceed or circumvent the framework’s carefully crafted best practices may be curtailed before undue infringement on the privacy rights of innocent parties can occur. There are a variety of oversight mechanisms and legal reporting requirements that could be utilized to ensure that such considerations are integrated into the framework.
A key aspect of this framework is a risk-driven methodology that can be used to weigh the risks and benefits of action vs. inaction, and to then choose and utilize appropriate tools if and where action is warranted. As discussed later in the paper, government should work with the private sector to establish such a risk-driven methodology, developing it through an open, consultative process.
Key Actors in the Active Defense Framework
Before looking at how this framework can be used, we need first to understand the capabilities and interests of the key actors within it. The framework’s first relevant set of actors includes the various businesses that make up the U.S. private sector. The Task Force quickly recognized that due to the enormous diversity of private entities operating in the United States, not all sectors operate at the same level of sophistication. Referring only to the capacity of the “private sector” as a whole is an overgeneralization. Indeed, there is no “single” private sector. While many “mom-and-pop” shops operate with only the most basic firewalls installed on their computers, others, like the defense, technology, finance, and energy sectors, have developed and actually employed comparatively advanced cyber defense capabilities to protect their networks.
Many large companies utilize advanced cyber capabilities that cross into a “gray area” of activities that fall below the level of hacking back but still push the limits of current U.S. law. In 2013, the FBI investigated whether a number of U.S. banks had used active defense techniques to disable servers in Iran that were conducting malicious attacks against their networks.[93] No charges were brought, but major banks reportedly advocated strongly for such activities.[94] The next year, an industry coalition including Microsoft, Symantec, and Cisco dismantled a sophisticated, allegedly Chinese-backed APT known as Axiom,[95] removing the group’s malware from 43,000 computers around the world. Today, companies in the United States and Israel are selling increasingly advanced cybersecurity solutions to top financial and defense firms that push the limits of measures that can be fairly called “passive defenses.”[96]
Many private sector actors are increasingly implementing their own progressively aggressive defensive