The U.S. government will always play an important role in cybersecurity, but it lacks the resources to fully defend the private sector in the digital realm, according to a new report from the GW Center for Cyber and Homeland Security.
The report released Monday offers the most comprehensive assessment to date of the legal, policy and technological contexts that surround private sector cybersecurity and active defense measures to improve the United States’ responses to evolving threats.
A key difference between cybersecurity threats and other security threats is the mismatch between public and private capabilities and levels of authority in responding to these threats, the report says. The lack of government resources to defend the private sector from digital threats places businesses on the front lines of the cyber conflict and can put national security, economic vitality and privacy at risk.
“Given the scale and scope of the cyber threat, the digital equivalent of building higher walls and deeper moats alone is a reactive strategy doomed for failure,” said Center for Cyber and Homeland Security Director Frank Cilluffo. “Businesses cannot simply firewall their way out of this problem and must instead have greater leeway to more proactively respond to cyber threats.”
The report calls for increased collaboration between the public and private sectors to use available tools more effectively to disrupt and deter cyber threats, noting the collaboration between the private sector and policymakers is long overdue.
The report recommends:
- Developing procedures for public-private coordination on active defense measures through existing industry-led cooperation.
- Amending the Computer Fraud and Abuse Act and the Cybersecurity Act of 2015 to affirmatively allow low- and medium-impact active defense measures.
- Developing C-suite level operational templates based on risk assessment, industry standards and best practices to integrate into broader cyber strategy and incident response protocols.
The report draws on knowledge from an Active Defense Task Force of experts in the public and private sectors who are thought leaders in technology, security, privacy, law and business. The task force examined current cybersecurity practices commonly found in the private sector and provided case studies that lay out the strengths and weaknesses of such practices in addition to less common, active defense measures.
The aim of the report is to help chart a constructive course forward through the complicated terrains of law, technology and policy as they relate to private sector active defense. The report also dissects the complex web of the legal gray areas of cyber defense that make it difficult for the private sector and policymakers to work together.
The report provides a new definition of active defense that reflects the evolution of cybersecurity capabilities and includes operation that will allow defenders to gather intelligence and policy tools aimed at deterring hacks. With proper balance, the private sector can be a vital player in ensuring the nation’s economic and national security, the report finds.
The study differentiates between active defense and “hacking back,” which refers to offensive cyber measures that are beyond the scope of what is defined as permissible activity in this report. It also balances the need to enable private sector active defense measures with other important considerations such as the protection of individual liberties, privacy and risks of collateral damage when implementing active defense.
“The framework that we provide in this report offers a sustainable path forward for responsible private sector active defense,” said Deputy Director of the GW Center for Cyber and Homeland Security Christian Beckner. “An informed and equipped private sector, supported by this framework, is necessary to improving America’s cybersecurity posture moving forward.”
The Active Defense Task Force is co-chaired by Adm. Dennis Blair, former director of National Intelligence and chairman and CEO of Sasakawa Peace Foundation USA; Michael Chertoff, former secretary of Homeland Security and executive chairman and co-founder of The Chertoff Group; Nuala O’Connor, president and CEO of the Center for Democracy and Technology; and Mr. Cilluffo. Within the center, the task force is co-directed by Mr. Cilluffo and Mr. Beckner.