Into the Gray Zone

7
Active Defense Considerations
for the Future
THIS REPORT IS A SNAPSHOT of active defense and its broader implications as they exist
today. However, it is important to recognize that this field will be constantly evolving—including
from the standpoint of technology and law. With respect to technology, key questions
for the future include: how active defense will be impacted by the Internet of Things (IOT),
cloud computing, increasingly distributed enterprises, and the changing capabilities and intentions
of threat actors? Certainly the IOT will expand exponentially the opportunities for
adversaries to attack. At the same time, from the defender’s perspective, the task of identifying
potential vulnerabilities and acting to mitigate them before and after breach will become
more complex and more resource-intensive. The tradeoff is that the IOT will bring increased
convenience and functionality for both business and consumers; but it will come at a price.
Cloud computing also cuts two ways. On the one hand, it opens up avenues for a wider range
of enterprises to obtain services for cybersecurity and other purposes. On the other hand, the
cloud also changes the landscape in which adversaries operate by providing a tempting target,
rich in assets for attack. Whereas potential targets may currently be more dispersed, the cloud
concentrates them to a greater degree—although the owners and operators of Internet-based
cloud technologies and services may be comparatively well-placed to defend the valuable constellations
of data and other assets that are effectively entrusted to them. Another trend, in
the form of increasingly distributed enterprises, also alters the cybersecurity ecosystem for
network defenders and network attackers at once. Here again, the evolution in practice brings
with it new challenges for the in-house security practitioner, including “more places where it
[data] must be protected.” 129
As technology continues to change so too will the capabilities—and accompanying intentions—
of threat actors. However, the counterforces they face will not remain static either: new elements
will enter the fray, and the capacities and roles of existing actors will develop as well. For
example, what is the role for state and local governments when it comes to active defense? Just
as these authorities have become ever-more involved over time in matters of cybersecurity more
generally, one might expect state and local officials to participate (eventually) in the domain of
active defense in particular.
Another important question for the future is: how will international norms develop in this
area? The answer depends upon individual actors (state and non-state) as well as the totality
of their conduct. These practices and the statements made in support of—or in protest to—
them will constitute evidence of emerging global parameters of acceptable behavior. Formal
international instruments such as global treaties are, admittedly, generally difficult to draft
and bring into force given the wide variety of competing viewpoints that must be accommodated
and reconciled. Therefore, it may prove constructive in the shorter term to work
towards a more informal international understanding of what should be the core body of
37