Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

06:30 PM
Connect Directly

US Should Help Private Sector 'Active Defense,' But Outlaw Hacking Back, Says Task Force

Task Force at George Washington University suggests ways for government to clear up legal quagmires, improve tools, keep us all out of trouble.

The US government should explicitly prohibit private entities from "hacking back," but empower them to use other methods of so-called active defense against threat actors, according to members of the Active Defense Task Force at the George Washington University's Center for Cyber and Homeland Security (CCHS) in a report today.

The report authors are very clear that active defense is "not synonymous with 'hacking back'" and the two should not be used interchangeably. Active defense, rather, includes technical interactions between defenders and attackers, operations that enable defenders to collect intelligence on threat actors, and policy tools that modify the behaviors of malicious actors -- things like sinkholes, honeypots, beaconing, threat hunting, and gathering intel on the dark Web. It's the "gray zone" between hacking back and doing nothing.

When it comes to active defense, many companies are either "doing nothing or doing them in the dark," says Christian Beckner, deputy director of CCHS.

The trouble is that these activities - even those in the gray zone - may or may not fall afoul of laws like the Computer Fraud and Abuse Act. As the report explains: "Under US law, there is no explicit right to self-defense by private companies against cyber threat actors."

Plus, what really worried the task force, says Beckner, are the companies that think they're doing the right thing and engage in active defense activities that ultimately lead to escalation. They make a bad situation worse - either by causing massive collateral damage or by creating a political conflict between nation-states where there might have been none.  

There have been discussions about this before, says Beckner, but the CCHS effort has aimed to delve into more in-depth operational issues, rather than just legal issues. The Task Force includes over 30 individuals from academia, government, and industry, and is co-chaired by former Director of National Intelligence Admiral Dennis C. Blair, currently chairman and CEO of Sasakawa Peace Foundation USA; former Secretary of Homeland Security Michael Chertoff, currently executive of the Chertoff Group; Nuala O'Connor, President and CEO of the Center for Democracy & Technology; and CCHS director Frank J. Cilluffo.

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

The Task Force suggested 15 key short-term actions for the US federal government and the private sector to make, in order to enhance the ability of the private sector to legally and safely use active defense technologies and policies. Some of those recommendations are:

  • The Department of Justice should issue guidance to the private sector about what they will and will not prosecute -- in both criminal and civil cases -- when it comes to active defense of a company's own security. Although the DOJ just made public some guidance it had issued to cyber crime prosecutors two years ago, this guidance does not specifically cover organization's active defense.
  • The Department of Homeland of Security should develop operations for public-private coordination on active defense, using existing groups like industry ISACs, ISAOs and NCCIC.
  • The US State Department should work with foreign partners to develop standards and norms on active defense.
  • The White House should develop guidance for federal agencies on when and how it is appropriate to provide active defense support to the private sector. Beckner points out that while a large company in the financial industry might be able to carry out their active defense well enough on their own, other organizations may try to stretch beyond their capabilities. Better cooperation between the private and public sector to begin with will help agencies identify when it is appropriate to step in.  
  • NIST should develop guidelines, risk levels, and certifications for carring out various active defense guidelines. 
  • Federal agencies that conduct or fund research and development should invest more in active defense. Beckner said that there is a particular need for "tools that facilitate attribution."   
  • Amend the Computer Fraud and Abuse Act and Cybersecurity Act of 2015 to allow low- and medium-impact active defense measures. 
  • The creation of best practices for coordination between ISPs, hosting providers, and cloud providers on active defense. The task force notes that third-party service providers like these will play a particularly significant role in active defense, particularly since so many companies also use security-as-a-service. They point to Google's aid in Operation Aurora as an example.

Not all members of the Task Force, however, were in full support of its final recommendations. The report includes an appendix written by O’Connor, expressing her measured dissent. O'Connor wrote "the report advocates a more aggressive posture than I believe appropriate, and does not give adequate weight to security and privacy risks of some of the techniques it favors."

She specifically takes issue with the technological tools of "dye packs" and "whitehat ransomware" -- tools that allow for too loose of an interpretation of the CFAA's rulings on unauthorized access to a computing device, even if the computing device in question is that of an attacker.

She further observes, "When it comes to risky defensive conduct that may cross the line and be unlawful, the report makes two observations that give me pause. First, that some cybersecurity firms might be given a license to operate as agents of the federal government and engage in conduct that would be unlawful for other private parties. Second, that the Department of Justice forbear prosecution of companies that engage in unlawful active defense measures." She points to the collateral damage caused by Microsoft when it brought down millions of innocent websites during a 2014 botnet takedown operation.

Beckner says, however, that organizations need more security tools available to them. "What we're trying to articulate," he says, "is what rules should be in the toolkit going forward?"

Related Content:


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/3/2016 | 10:01:45 AM
Protecting online identity
Governmental interference is essential to secure our online privacy. Because this has gotten so much out of hand that on daily basis we get to learn horrifying news of such stature is mind blowing. Using a designated vpn server in this regard is important. PureVPN provides encrypted online browsing experience thus making your browsing history altogether secure and protected. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/1/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
The Threat from the Internet--and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-01
The Journal theme before 3.1.0 for OpenCart allows exposure of sensitive data via SQL errors.
PUBLISHED: 2020-07-01
SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to perform a log injection into the trace file, due to Incomplete XML Validation. The readability of the trace file is impaired.
PUBLISHED: 2020-07-01
In nDPI through 3.2, the packet parsing code is vulnerable to a heap-based buffer over-read in ndpi_parse_packet_line_info in lib/ndpi_main.c.
PUBLISHED: 2020-07-01
In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based buffer over-read in ndpi_search_h323 in lib/protocols/h323.c, as demonstrated by a payload packet length that is too short.
PUBLISHED: 2020-07-01
In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c.