Criminal Justice & the Rule of Law Cybersecurity & Tech

Active Cyber Defense a/k/a Hackback

Paul Rosenzweig
Monday, May 8, 2017, 11:57 AM

I am a bit of an outlier in the cybersecurity community since I think that there are circumstances in which private actors ought to be allowed to more aggressively respond to intrusions on their systems (though I don't go "full postal" on the issue). For those who are interested in the subject I just published a piece at Heritage co-authored with my colleagues Steve Bucci and David Inserra, entitled "Next Steps for U.S.

Published by The Lawfare Institute
in Cooperation With
Brookings

I am a bit of an outlier in the cybersecurity community since I think that there are circumstances in which private actors ought to be allowed to more aggressively respond to intrusions on their systems (though I don't go "full postal" on the issue). For those who are interested in the subject I just published a piece at Heritage co-authored with my colleagues Steve Bucci and David Inserra, entitled "Next Steps for U.S. Cybersecurity in the Trump Administration: Active Cyber Defense." Here is the abstract:

The failure of the government to provide adequate protection has led many cybersecurity analysts, scholars, and policymakers to suggest that there is a need for private-sector self-help. If the government is unable or unwilling to take or threaten credible offensive actions to deter cyberattacks or to punish those who engage in them, it may be incumbent upon private-sector actors to take up an active defense. In other words, the private sector may wish to take actions that go beyond protective software, firewalls, and other passive screening methods—and instead actively deceive, identify, or retaliate against hackers to raise their costs for conducting cyberattacks. Taking into consideration U.S., foreign, and international law, the U.S. should expressly allow active defenses that annoy adversaries while allowing only certified actors to engage in attribution-level active defenses. More aggressive active defenses that could be considered counterattacks should be taken only by law enforcement or in close collaboration with them.


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare