Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

06:30 PM
Connect Directly

US Should Help Private Sector 'Active Defense,' But Outlaw Hacking Back, Says Task Force

Task Force at George Washington University suggests ways for government to clear up legal quagmires, improve tools, keep us all out of trouble.

The US government should explicitly prohibit private entities from "hacking back," but empower them to use other methods of so-called active defense against threat actors, according to members of the Active Defense Task Force at the George Washington University's Center for Cyber and Homeland Security (CCHS) in a report today.

The report authors are very clear that active defense is "not synonymous with 'hacking back'" and the two should not be used interchangeably. Active defense, rather, includes technical interactions between defenders and attackers, operations that enable defenders to collect intelligence on threat actors, and policy tools that modify the behaviors of malicious actors -- things like sinkholes, honeypots, beaconing, threat hunting, and gathering intel on the dark Web. It's the "gray zone" between hacking back and doing nothing.

When it comes to active defense, many companies are either "doing nothing or doing them in the dark," says Christian Beckner, deputy director of CCHS.

The trouble is that these activities - even those in the gray zone - may or may not fall afoul of laws like the Computer Fraud and Abuse Act. As the report explains: "Under US law, there is no explicit right to self-defense by private companies against cyber threat actors."

Plus, what really worried the task force, says Beckner, are the companies that think they're doing the right thing and engage in active defense activities that ultimately lead to escalation. They make a bad situation worse - either by causing massive collateral damage or by creating a political conflict between nation-states where there might have been none.  

There have been discussions about this before, says Beckner, but the CCHS effort has aimed to delve into more in-depth operational issues, rather than just legal issues. The Task Force includes over 30 individuals from academia, government, and industry, and is co-chaired by former Director of National Intelligence Admiral Dennis C. Blair, currently chairman and CEO of Sasakawa Peace Foundation USA; former Secretary of Homeland Security Michael Chertoff, currently executive of the Chertoff Group; Nuala O'Connor, President and CEO of the Center for Democracy & Technology; and CCHS director Frank J. Cilluffo.

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

The Task Force suggested 15 key short-term actions for the US federal government and the private sector to make, in order to enhance the ability of the private sector to legally and safely use active defense technologies and policies. Some of those recommendations are:

  • The Department of Justice should issue guidance to the private sector about what they will and will not prosecute -- in both criminal and civil cases -- when it comes to active defense of a company's own security. Although the DOJ just made public some guidance it had issued to cyber crime prosecutors two years ago, this guidance does not specifically cover organization's active defense.
  • The Department of Homeland of Security should develop operations for public-private coordination on active defense, using existing groups like industry ISACs, ISAOs and NCCIC.
  • The US State Department should work with foreign partners to develop standards and norms on active defense.
  • The White House should develop guidance for federal agencies on when and how it is appropriate to provide active defense support to the private sector. Beckner points out that while a large company in the financial industry might be able to carry out their active defense well enough on their own, other organizations may try to stretch beyond their capabilities. Better cooperation between the private and public sector to begin with will help agencies identify when it is appropriate to step in.  
  • NIST should develop guidelines, risk levels, and certifications for carring out various active defense guidelines. 
  • Federal agencies that conduct or fund research and development should invest more in active defense. Beckner said that there is a particular need for "tools that facilitate attribution."   
  • Amend the Computer Fraud and Abuse Act and Cybersecurity Act of 2015 to allow low- and medium-impact active defense measures. 
  • The creation of best practices for coordination between ISPs, hosting providers, and cloud providers on active defense. The task force notes that third-party service providers like these will play a particularly significant role in active defense, particularly since so many companies also use security-as-a-service. They point to Google's aid in Operation Aurora as an example.

Not all members of the Task Force, however, were in full support of its final recommendations. The report includes an appendix written by O’Connor, expressing her measured dissent. O'Connor wrote "the report advocates a more aggressive posture than I believe appropriate, and does not give adequate weight to security and privacy risks of some of the techniques it favors."

She specifically takes issue with the technological tools of "dye packs" and "whitehat ransomware" -- tools that allow for too loose of an interpretation of the CFAA's rulings on unauthorized access to a computing device, even if the computing device in question is that of an attacker.

She further observes, "When it comes to risky defensive conduct that may cross the line and be unlawful, the report makes two observations that give me pause. First, that some cybersecurity firms might be given a license to operate as agents of the federal government and engage in conduct that would be unlawful for other private parties. Second, that the Department of Justice forbear prosecution of companies that engage in unlawful active defense measures." She points to the collateral damage caused by Microsoft when it brought down millions of innocent websites during a 2014 botnet takedown operation.

Beckner says, however, that organizations need more security tools available to them. "What we're trying to articulate," he says, "is what rules should be in the toolkit going forward?"

Related Content:


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
11/3/2016 | 10:01:45 AM
Protecting online identity
Governmental interference is essential to secure our online privacy. Because this has gotten so much out of hand that on daily basis we get to learn horrifying news of such stature is mind blowing. Using a designated vpn server in this regard is important. PureVPN provides encrypted online browsing experience thus making your browsing history altogether secure and protected. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.