TY - STAND
AB - The failure of the government to provide adequate protection has led
many cybersecurity analysts, scholars, and policymakers to suggest
that there is a need for private-sector self-help. If the government is unable or unwilling to take or threaten credible offensive actions to deter cyberattacks or to punish those who engage in them, it may be incumbent upon private-sector actors to take up an active defense. In other words, the private sector may wish to take actions that go beyond protective software, firewalls, and other passive screening methods—and instead actively deceive, identify, or retaliate against hackers to raise their costs for conducting cyberattacks. Taking into consideration U.S.,foreign, and international law, the U.S. should expressly allow activedefenses that annoy adversaries while allowing only certified actors to engage in attribution-level active defenses. More aggressive active defenses that could be considered counterattacks should be taken only by law enforcement or in close collaboration with them
BT - The Heritage Foundation
N1 - If the government is unable or unwilling to deter cyberattacks or hold perpetrators accountable, it may be necessary for private-sector actors to adopt an active defense approach. Active cyber defense extends beyond traditional protective measures like software and firewalls, involving strategies that actively deceive, identify, or retaliate against hackers—a practice known as “hack back”—to increase the costs of conducting cyberattacks. Before the U.S. can authorize private hack back, it must take into account not only domestic laws but also international regulations governing cyberspace. Congress should advance beyond current practices and establish a new active cyber defense system that allows the private sector to more effectively detect and respond to cyber threats. This policy should be carefully crafted to minimize unintended consequences and prevent further escalation, yet it represents a crucial advancement in U.S. cybersecurity.
N2 - The failure of the government to provide adequate protection has led
many cybersecurity analysts, scholars, and policymakers to suggest
that there is a need for private-sector self-help. If the government is unable or unwilling to take or threaten credible offensive actions to deter cyberattacks or to punish those who engage in them, it may be incumbent upon private-sector actors to take up an active defense. In other words, the private sector may wish to take actions that go beyond protective software, firewalls, and other passive screening methods—and instead actively deceive, identify, or retaliate against hackers to raise their costs for conducting cyberattacks. Taking into consideration U.S.,foreign, and international law, the U.S. should expressly allow activedefenses that annoy adversaries while allowing only certified actors to engage in attribution-level active defenses. More aggressive active defenses that could be considered counterattacks should be taken only by law enforcement or in close collaboration with them
PY - 2017
T2 - The Heritage Foundation
TI - Next Steps for U.S. Cybersecurity in the Trump
Administration: Active Cyber Defense
UR - https://www.heritage.org/sites/default/files/2017-05/BG3188.pdf
ER -