When an intruder is discovered in your network, every incident response team asks the same questions: What are they doing? What have they done? How long have they been here? Whose data has been compromised? How do we expunge them from our network? And the million-dollar question: Who are these miscreants in our network?
All deserving and fair questions.
If Reps. Tom Graves (R-GA-14) and Kyrsten Sinema (D-AZ-09) are successful, their bipartisan Active Cyber Defense Certainty Act (ACDC) (H.R. 4036) would make key changes to the Computer Fraud and Abuse Act (CFAA), adding another arrow to the cyber-defense quiver.
That arrow is “active cyber-defense techniques.”
In what can only be described as irony, the bill’s language could have been lifted straight from the writings of Mao Zedong, who explained in December 1936 (collected in “Mao’s Road to Power,” Vol. 5, page 491) that
“the only real defense is active defense, the only defense for the purpose of counter-attacking and taking the offensive.” ~ Mao 1936
Graves and Sinema make the case that the ACDC provides “authorized individuals and companies the legal authority to leave their network to
- establish attribution of an attack,
- disrupt cyber attacks without damaging others’ computers,
- retrieve and destroy stolen files,
- monitor the behavior of an attacker, and
- utilize beaconing technology.”
The enhanced flexibility will allow individuals and the private sector to develop and use tools that are currently restricted under the CFAA to protect their own network. Additionally, allowing defenders to develop and deploy new tools will help deter criminal hacking.
The bill’s two-page explainer makes clear that the expectation is for users to engage in technological “deep reconnaissance” of those found on their network, for the purpose of “naming and shaming” the attacker.
A quick review of outstanding Wanted by the FBI posters turns up a number of Chinese PLA officers, who earned their spot on the list more than three years ago, in May 2014. It would appear to the casual observer that naming and shaming is not going to slow down a nation state one iota.
Furthermore, the proposed techniques are currently illegal, so a bit of work will need to be accomplished before companies can cut loose their counterattacks. And the bill calls for the entities wishing to engage in “active cyber-defense” to report to the FBI-led National Cyber Investigative Joint Task Force “before taking active defense measures.” After all, we would not want private citizens stumbling into the defensive/offensive activities of the FBI or other entities charged with protecting the United States.
As Mao’s writings show, the concept is not new, and active defense in the cyber context has been bandied about for a good number of years.
In 2012, Oliver Rochford wrote of the folly of active defense within the cyber context. He correctly points out that the doctrine may have legs within the national security context, where attribution does not rely solely on virtual snipe trails but can bring all-source intelligence to bear in the pre-attack analysis.
Then we have a recommendation made in 2013 in the Journal of Business & Technology Law, “Adequate Attribution: A Framework for Developing a National Policy for Private Sector Use of Active Defense,” whose authors included Shane McGee, at that time General Counsel at Mandiant. The piece points out that in the analog world one is legally protected when defending one’s own home from within it, and the same would hold for taking measures within one’s own enterprise. But set foot outside your abode or network, and you are outside the area where the law protects your activities. The authors’ framework for active defense encompassed “three elements: detection, traceback, and counterstrike.”
And finally, there is a scholarly piece, published just this past week by the Carnegie Endowment for International Peace, “Active Cyber Defense: Applying Air Defense to the Cyber Domain.” The authors’ use of the air defense analogy allows for a clear understanding of what constitutes an active defense.
“Active cyber defense is a direct defensive action taken to destroy, nullify or reduce the effectiveness of cyber threats against friendly forces or assets.” The authors discuss a plethora of passive, semi-passive and active mechanisms. What makes their piece sing is a concrete example of an active defense that played out in a picture-perfect real-life scenario involving Georgia and Russia in 2012. In that incident, a Russia-based hacker repeatedly penetrated Georgian infrastructure and stole information from about 300 to 400 government computers. The Georgians noticed the search parameters the attacking software used and allowed the attacker to reach a staged server holding a .ZIP file containing “Georgian-NATO Agreement.” The Georgians had placed their own payload within the .ZIP, and when the attacker opened it, his machine and network became infected. What did the Georgians find? Evidence of the official Russian hand in the individual’s work: instructions from the Russian government directing the hacker’s targeting effort.
Mao Zedong is right: An active defense is a powerful weapon, currently in the hands of nation states, but soon, perhaps, in the hands of companies and trusted individuals. The bipartisan effort to create a mechanism may be the key, but it will need input from industry and government alike to make it viable.