Threat Intelligence

06:30 PM
Connect Directly

US Should Help Private Sector 'Active Defense,' But Outlaw Hacking Back, Says Task Force

Task Force at George Washington University suggests ways for government to clear up legal quagmires, improve tools, keep us all out of trouble.

The US government should explicitly prohibit private entities from "hacking back," but empower them to use other methods of so-called active defense against threat actors, according to members of the Active Defense Task Force at the George Washington University's Center for Cyber and Homeland Security (CCHS) in a report today.

The report authors are very clear that active defense is "not synonymous with 'hacking back'" and the two should not be used interchangeably. Active defense, rather, includes technical interactions between defenders and attackers, operations that enable defenders to collect intelligence on threat actors, and policy tools that modify the behaviors of malicious actors -- things like sinkholes, honeypots, beaconing, threat hunting, and gathering intel on the dark Web. It's the "gray zone" between hacking back and doing nothing.

(Image: (C) 2016 by Center for Cyber and Homeland Security. Some rights reserved.)
(Image: 2016 by Center for Cyber and Homeland Security. Some rights reserved.)

When it comes to active defense, many companies are either "doing nothing or doing them in the dark," says Christian Beckner, deputy director of CCHS.

The trouble is that these activities - even those in the gray zone - may or may not fall afoul of laws like the Computer Fraud and Abuse Act. As the report explains: "Under US law, there is no explicit right to self-defense by private companies against cyber threat actors."

Plus, what really worried the task force, says Beckner, are the companies that think they're doing the right thing and engage in active defense activities that ultimately lead to escalation. They make a bad situation worse - either by causing massive collateral damage or by creating a political conflict between nation-states where there might have been none.  

There have been discussions about this before, says Beckner, but the CCHS effort has aimed to delve into more in-depth operational issues, rather than just legal issues. The Task Force includes over 30 individuals from academia, government, and industry, and is co-chaired by former Director of National Intelligence Admiral Dennis C. Blair, currently chairman and CEO of Sasakawa Peace Foundation USA; former Secretary of Homeland Security Michael Chertoff, currently executive of the Chertoff Group; Nuala O'Connor, President and CEO of the Center for Democracy & Technology; and CCHS director Frank J. Cilluffo.

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

The Task Force suggested 15 key short-term actions for the US federal government and the private sector to make, in order to enhance the ability of the private sector to legally and safely use active defense technologies and policies. Some of those recommendations are:

  • The Department of Justice should issue guidance to the private sector about what they will and will not prosecute -- in both criminal and civil cases -- when it comes to active defense of a company's own security. Although the DOJ just made public some guidance it had issued to cyber crime prosecutors two years ago, this guidance does not specifically cover organization's active defense.
  • The Department of Homeland of Security should develop operations for public-private coordination on active defense, using existing groups like industry ISACs, ISAOs and NCCIC.
  • The US State Department should work with foreign partners to develop standards and norms on active defense.
  • The White House should develop guidance for federal agencies on when and how it is appropriate to provide active defense support to the private sector. Beckner points out that while a large company in the financial industry might be able to carry out their active defense well enough on their own, other organizations may try to stretch beyond their capabilities. Better cooperation between the private and public sector to begin with will help agencies identify when it is appropriate to step in.  
  • NIST should develop guidelines, risk levels, and certifications for carring out various active defense guidelines. 
  • Federal agencies that conduct or fund research and development should invest more in active defense. Beckner said that there is a particular need for "tools that facilitate attribution."   
  • Amend the Computer Fraud and Abuse Act and Cybersecurity Act of 2015 to allow low- and medium-impact active defense measures. 
  • The creation of best practices for coordination between ISPs, hosting providers, and cloud providers on active defense. The task force notes that third-party service providers like these will play a particularly significant role in active defense, particularly since so many companies also use security-as-a-service. They point to Google's aid in Operation Aurora as an example.

Not all members of the Task Force, however, were in full support of its final recommendations. The report includes an appendix written by O’Connor, expressing her measured dissent. O'Connor wrote "the report advocates a more aggressive posture than I believe appropriate, and does not give adequate weight to security and privacy risks of some of the techniques it favors."

She specifically takes issue with the technological tools of "dye packs" and "whitehat ransomware" -- tools that allow for too loose of an interpretation of the CFAA's rulings on unauthorized access to a computing device, even if the computing device in question is that of an attacker.

She further observes, "When it comes to risky defensive conduct that may cross the line and be unlawful, the report makes two observations that give me pause. First, that some cybersecurity firms might be given a license to operate as agents of the federal government and engage in conduct that would be unlawful for other private parties. Second, that the Department of Justice forbear prosecution of companies that engage in unlawful active defense measures." She points to the collateral damage caused by Microsoft when it brought down millions of innocent websites during a 2014 botnet takedown operation.

Beckner says, however, that organizations need more security tools available to them. "What we're trying to articulate," he says, "is what rules should be in the toolkit going forward?"

Related Content:


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/3/2016 | 10:01:45 AM
Protecting online identity
Governmental interference is essential to secure our online privacy. Because this has gotten so much out of hand that on daily basis we get to learn horrifying news of such stature is mind blowing. Using a designated vpn server in this regard is important. PureVPN provides encrypted online browsing experience thus making your browsing history altogether secure and protected. 
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
Facebook Aims to Make Security More Social
Kelly Sheridan, Associate Editor, Dark Reading,  2/20/2018
From DevOps to DevSecOps: Structuring Communication for Better Security
Robert Hawk, Privacy & Security Lead at xMatters,  2/15/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.