The U.S. government should clarify the ways private companies can respond to cyber breaches, including sometimes allowing them to compromise attackers’ networks, according to a report from academics and private sector officials published today.
Such “active defense” measures begin with sharing information about adversaries, luring those adversaries with misinformation and hunting down information about hackers on the dark web, the report states. They extend, in rare circumstances, to going on “rescue missions” to retrieve or destroy stolen data inside an intruder’s networks or locking an attacker’s network until stolen information is returned—a process the authors call “white hat ransomware.”
Those aggressive approaches should only be undertaken with government cooperation, according to the report from the Active Defense Task Force organized by The George Washington University’s Center for Cyber and Homeland Security.
The approaches amount to “unleashing ingenuity on the cyber defense side to match the unleashed ingenuity on the attack side,” former Director of National Intelligence Adm. Dennis Blair, a task force co-chair, said during a panel discussion marking the report release.
Some critics would describe compromising or breaking into an adversary’s network as going on offense regardless of the specifics. “Rescue missions” and “white hat ransomware” fall short of “hacking back,” the report argues, because their intent is to secure the defender’s network rather than to harm the attacker.
The report is titled “Into the Gray Zone: Active Defense by the Private Sector Against Cyber Threats.”
Another task force co-chair, Nuala O’Connor, objected to those aggressive measures in an appendix to the report, saying they create too great a risk of hurting innocent computer users or undermining national security. O’Connor, a former chief privacy officer at the Homeland Security Department, is president of the Center for Democracy and Technology.
“Because attacks are often launched through the computers of innocent people, and because attack attribution is at best an inexact science, the risk of harm in these methods that gain unauthorized access can fall upon other victims of the attack and on innocent bystanders,” O’Connor wrote.
Some active defense measures described in the report include:
- Seeding your network with beacons that, if stolen by a hacker, will send back information about the hacker’s computer
- Using technical measures to disconnect botnets—armies of compromised "zombie" computers that hackers use to launch attacks that overwhelm a website
- Cooperating with government to combat foreign adversaries through indictments and sanctions
The report urges the Justice Department to issue public guidance describing what active cyber defense measures it believes are allowed by current laws such as the Computer Fraud and Abuse Act. This will give companies more latitude to aggressively defend themselves without fearing prosecution, according to task force members, many of whom are former federal officials.
Security researchers have criticized the 1986 Computer Fraud and Abuse Act as outdated and overbroad. The Justice Department, earlier this month, released a set of principles drafted in 2014 to guide prosecutors considering bringing charges under the law.
Among other recommendations, the report also urges:
- DHS to develop operational procedures for the public and private sector to cooperate on active defense
- The White House to produce guidance for federal agencies on when and how they should aid companies with active defense
- The State Department to work with other nations to develop common standards and procedures for active defense
- Companies to develop active defense procedures endorsed by top executives
Other task force co-chairs are Center for Cyber and Homeland Security Director Frank Cilluffo and former Homeland Security Secretary Michael Chertoff.