Active cyber defense (ACD), also known as proactive cyber defense, is a computer network security strategy that acts to defend internal data and programs before an actual cyber attack is launched. Some people refer to this action as “hacking back.”
The world needs ACD, according to our close personal friends at the Defense Advanced Research Projects Agency (DARPA), because:
“U.S. military, government and commercial IT networks face constant cyberattack from both criminal and state-sponsored adversaries.”
Up to now, computer network operators have been reactive in response to software-driven attacks. Standard operating procedure is a four-step process:
1. Find the invading code
2. Unplug the affected systems
3. Create security patches to thwart particular attacks
4. Apply those patches network-wide
DARPA believes it is time for a fundamental change in our attitude toward hack attacks:
“To stay ahead of increasingly sophisticated, stealthy and dangerous threats, defenders must move beyond traditional static defenses to exploit the natural advantages of their IT systems and expertise.”
At this point, to understand what proactive cybersecurity really looks like, we have to get a bit technical (read: geeky). ACD is not one activity, but a host of techniques that could include:
• Beaconing technology to determine the location of a hacker
• Honeypots that appear both important and vulnerable, to fool adversaries into “taking the bait” to trap them
• Leaving the home network to track down stolen data
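One of the techniques listed above, the honeypot, as an added illustration that is not from the article: a minimal decoy TCP service that never answers, only records who connected and what they sent, so that any touch of the decoy becomes an alert. The listening port, the probe byte signatures and the alert fields are assumptions made here, not anything the page specifies.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed byte prefixes used to label the first bytes a client sends.
PROBE_SIGNATURES = {
    b"SSH-": "ssh-banner",
    b"GET ": "http-request",
    b"\x16\x03": "tls-client-hello",
}

def classify_probe(payload: bytes) -> str:
    """Label the probe by its first bytes; a bare connect gets its own label."""
    for prefix, label in PROBE_SIGNATURES.items():
        if payload.startswith(prefix):
            return label
    return "unknown" if payload else "connect-only"

def build_alert(peer: tuple, payload: bytes) -> dict:
    """Structured event for a SIEM: who touched the decoy and what they sent."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "probe": classify_probe(payload),
        "first_bytes": payload[:32].hex(),  # evidence, capped to keep logs small
    }

def handle(conn: socket.socket, peer: tuple) -> dict:
    """Read one chunk, never reply, close; return (and print) the alert."""
    conn.settimeout(2.0)  # a silent client still produces a connect-only alert
    with conn:
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
    alert = build_alert(peer, data)
    print(json.dumps(alert))
    return alert

def serve(bind: str = "127.0.0.1", port: int = 2222) -> None:
    """Accept loop for the decoy; no legitimate client should ever connect here."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer), daemon=True).start()
```

Call `serve()` to run the decoy; because the port serves no real purpose, every alert it emits is worth a look, which is what makes the honeypot a low-noise detector.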
The thinking behind ACD is that an ounce of prevention is worth a pound of cure. Prior data breaches, like the one perpetrated on Equifax users in 2017, proved how costly and time-consuming recovering from an incursion can be.
An online assault against a data system is comparable to any other hostile action. Under certain circumstances, it could be considered an act of war. Every cyber attack is meant to do harm to the target system.
One of the greatest teachers of waging war successfully was the 6th century BC Chinese general, military strategist, and philosopher Sun Tzu who wrote “The Art of War,” a definitive text on the psychology of armed conflict. Sun Tzu wrote about the importance of inward knowledge (getting into the other general’s head) as well as outward facts (terrain, battlefield conditions, number of opponents). Famously, the warrior sage wrote about the importance of proactivity in warfare:
“Hence to fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy’s resistance without fighting.”
In other words – to quote an old Western movie phrase:
“Head ’em off at the pass.”
It is far better to prevent an attack than fight and win it – or fight and lose it. This is the basis for proactive cyber defense strategies that employ “good guy” hackers (called “white hats” or “gray hats,” depending on what exactly they do).
The US state of Georgia agrees with Sun Tzu. Having won the approval of the state legislature, Governor Nathan Deal is poised to sign a new law, Senate Bill 315, that will create a state-level exemption for those who deploy “cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access.”
An article from The Hill explains that “these methods would help companies protect their networks from attacks and identify hackers who have breached their systems to steal information or conduct other nefarious activity.”
While this regulatory plan looks good on the surface, CSO says the problem is that it “threatens to outlaw good-faith security research and enable ‘hack back’ vigilante action.”
The same article quotes Nate Cardozo, senior staff attorney of the Electronic Frontier Foundation (EFF):
“A legitimate reading of this law could criminalize independent security research and vulnerability disclosure, and that’s not good for anybody.”
Another outspoken critic of SB 315 is Frank S. Rietta (M.S. Information Security) who published an open letter to Gov. Deal which identifies four myths regarding cyber attacks:
1. All intentional unauthorized access to a computer or computer network requires some sort of hacking or other tricky means to bypass security.
2. All legitimate security research is conducted by parties in a business relationship with the owner of the system being researched.
3. Hackers are painstakingly breaking into networks by hand and then lying in wait in time frames where they may be “caught in the act.”
4. When a security incident or data breach occurs, the company or organization whose computer system was compromised is the primary victim.
Rietta summarizes his opposition to SB 315:
“The State of Georgia is a world leader in the cybersecurity arena with a $4.7 billion industry that employs tens of thousands of people. While the State may consider legislation appropriate to prosecute true cybercriminals, SB 315 is not the way forward. Any appropriate legislation must comprehensively address the real issues that cause millions of people to be harmed in data breaches, instead of outlawing good Samaritans who try to bring Internet safety issues into the daylight so that the issues are fixed and the public is protected.”
Furthermore, Georgia’s SB 315 does not specify what the exceptional cybersecurity measures could include. Google and Microsoft are among the big tech players who see the downside of all this pre-hacking activity in cyberspace, and are urging Gov. Deal to veto the bill before its May 8 deadline. They warned that the vague legal language “broadly authorizes the hacking of other networks and systems under the undefined guise of cybersecurity,” and clarified:
“Network operators should indeed have the right and permission to defend themselves from attack, but, before Georgia endorses ‘hack back’ authority in ‘defense’ or even anticipation of a potential attack with no statutory criteria, it should have a much more thorough understanding of the ramifications of such a policy. Provisions such as this could easily lead to abuse and be deployed for anticompetitive, not protective purposes.”
Gov. Deal is not alone in the vanguard of proactive cybersecurity advocates. Reps. Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) are also proposing legislation to allow companies and private citizens to use “active defense measures” – is that an oxymoron? – against hackers.
Legislation like SB 315 illustrates what happens when non-technical do-gooders try to solve very complex technical issues. Beyond the undefined “active defense measures,” this particular attempt includes other weak legal language that raises concern – one example is the inclusion of the loosey-goosey term “legitimate business activity.” The courts will have a field day with undefined terms like that.
As an end-note, the Computer Fraud and Abuse Act passed by Congress in 1986 prohibits anyone from “knowingly hacking into other networks without authorization.” But no one is talking about the fact that state laws like Georgia’s SB 315 violate this federal law. Isn’t that interesting?