George Washington University’s Center for Cyber and Homeland Security (CCHS), a “think and do” tank responsible for carrying out research and analysis on homeland security, counter-terrorism, and cybersecurity issues, has recently released a new, 86-page report [PDF] entitled, "Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats."
The authors behind the report—experts from the technology, privacy, security, legal, and business communities—have presented the premise that although the U.S. government has a role to play in cybersecurity, it still lacks the resources needed to fully protect the private sector; thus, the responsibility of protection falls on private sector entities themselves. As such, the authors have provided a framework that private businesses can incorporate within their organizations in order to effectively address the cybersecurity issues affecting them and their clients.
As per the report: “There is a need for government to partner with the private sector in developing and implementing a framework for active defense. Such a framework would allow forward-leaning and technologically advanced private entities to effectively defend their assets in cybersecurity, while at the same time ensuring that such actions are embedded within a policy and legal framework that confirms government oversight, ensures that privacy and civil liberties are not infringed, and mitigates technical risks. America cannot accept the cybersecurity risks of a vulnerable private sector or continue to maintain an inadequate cyber deterrence posture.”
A push for “active defense”
The proposed framework is all about active defense, the umbrella term the authors use to mean “a spectrum of proactive cybersecurity measures that fall between passive defense and offense.” Active defense is generally divided into two categories: (a) the first covers “the technical interactions between a defender and an attacker”, and (b) the second covers “the operations that enable defenders to collect intelligence on threat actors and indicators on the Internet as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of the malicious actors.”
The report stresses that active defense doesn’t mean “hacking back” at enemy entities, and that the two terms must never be interchanged.
The paper is a dive “into the gray zone” in an attempt to find answers to the general questions that call for a nuanced discussion on active defense, such as:
- What measures fall within the scope of active defense and what are the benefits and risks of each?
- What measures may be appropriate to use by certain actors and under what circumstances?
- What is the role of the federal government in developing a framework and set of norms that can inform such action?
- How should policy and law be updated to support private sector active defense in a way that is consistent with both our values and interests, and that can evolve as new technologies are developed?
- Most importantly, how do we move beyond the current policy stalemate of inaction vs. hacking back and develop appropriate and risk-driven policies for active defense?
- Maximizes the effect of the private sector’s ability to defend its assets and data
- Uses the combined technical and non-technical tools needed to counter cyber threats
- Attempts to balance the need for the private sector’s defense measures with other considerations like protection of individual liberties, privacy, and the risks of collateral damage
Information security is everyone's responsibility
Although much is said about what private business entities should do to protect themselves in the realm of cyberspace, the report authors are quick to mention that the proposed active defense framework extends to the public as well. Thus, there is a call for both public and private sectors to work together in addressing cybersecurity threats.
CCHS is not the only group to call on the public to take their own security seriously. More and more security experts and advocates have been backing the notion that information security is everyone's responsibility, and it has become the driving force behind efforts to further educate users and start awareness campaigns.
Readers can download and read more about “Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats” here.