The idea of cyber self defense – or as some call it, “hack back” – is back in cybersecurity discussions with the Active Cyber Defense Certainty Act proposed by Congressman Tom Graves. Graves, a Republican from Georgia’s 14th District, joined Arizona Democrat Kyrsten Sinema at a panel discussion arranged by Georgia Tech’s Institute for Information Security and Privacy. The panel, moderated by IGP’s Milton Mueller, brought together experts from academia and the private sector.
The idea of cyber self defense is in some ways an innovative response to an Internet governance problem. It responds to the limitations of national jurisdiction and the limited transnational cooperation among law enforcement agencies by allowing victims to act on their own behalf.
Responding to questions from Georgia Tech faculty experts and some Atlanta business people in the audience, the panel discussed various issues that the proposed bill could raise. Some of the most notable discussions revolved around the following questions: Who should be allowed to carry out self defense? What about attribution? Should we differentiate between state actors and private actors?
Who should be allowed to engage in cyber self defense?
One of the issues the panel discussed was whether self defenders would need to be officially certified. McAfee’s Candace Worley advocated strongly for putting “guard rails” around the active defense capability. In the physical world the answer to this question might be quite easy: the person who is being attacked can defend himself or herself. But for cyber self defense, the panel discussed the suggestion that only those with a certain competence should be allowed to trigger it, and that those using this capability should be carefully educated about their liabilities and immunities. The sufficient level of competence could be identified by some kind of official certification. But a licensing requirement could hamper an efficient and timely reaction to cybersecurity attacks, which undermines the purpose of the cyber self defense bill. Can we still call this action cyber self defense if it can only be carried out by certificate holders?
What kind of disclosures should be required of active defenders? Some suggested that they should be required to share information about the threat with law enforcement agencies and/or vendors; others suggested there should be information sharing about the nature of the response. There was also some concern about the impact of active defense on evidence gathering by law enforcement.
Attribution and Collateral Damage?
How can we legalize cyber self defense when we still have trouble attributing cyber attacks? As one IISP researcher asked, “What happens when the hack back reveals that the ‘attacker’s machine’ is not actually owned by the attacker? Furthermore, what constitutes proof of ownership? It is well known that attackers use ‘stepping stones,’ or compromised machines, as C&C servers, routing points, or dropsites, while allowing the machines’ benign activity to continue. Who owns these machines in the eyes of this draft?” What if cyber self defense is carried out against an innocent network, such as a hospital network, and the defensive action costs innocent lives? According to Congressman Graves, the attacker would be liable for the damages.
State Initiated or State Sponsored Attacks?
It was mentioned that the US does not punish cybersecurity attackers well enough and needs a network of self defense to be able to deter attacks, and especially to defend itself against state-initiated attacks. The problem with this proposition is that it is not always clear whether an attack was carried out by one state against another or was initiated by the private sector. This is similar to the complex issue of state-sponsored terrorism, and it again raises the issue of attribution: is the private actor acting on its own, or is it sponsored by a government? IGP’s Hans Klein asked the representatives and the panelists about the international implications of active defense, referencing Microsoft’s call for a “digital Geneva Convention.”