Offense or Defense for the Private Sector
Increasing concern about cyberthreats aimed at critical infrastructure and the theft of intellectual property and privileged information continues to escalate planning, actions and calls for new capabilities, such as the plan announced recently by the U.S. government to form offensive, as opposed to solely defensive, cyberteams to combat these threats.
It’s becoming clear that we can’t prevent cyberattacks through diplomacy alone. So the questions become: What can and should be done? We can continue to try to block attacks. We can try to respond when something takes place. Or, we can raise the stakes, in essence saying that if a criminal organization, hacker or nation-state adversary tries to steal our privileged information or conduct reconnaissance on our critical infrastructure, there may be consequences.
Even though there exists a strong public interest in the cybersecurity of the private sector — particularly for critical infrastructure and sensitive manufacturing — the private sector that owns and operates this infrastructure and manufacturing remains principally responsible for its cybersecurity. In that light, we also need to explore whether companies should be able to defend themselves by essentially being reactive, or whether we will say that, if they want to raise the stakes, such as by sending back malware that damages the attacker’s systems, they can do so without being exposed to liabilities. What should be our position, as the cybersecurity industry, regarding such “active defense”?
This is a complex issue. Attribution remains difficult. Isolating a desired effect solely on an adversary’s systems may also prove “sporty,” as interconnected systems may allow “consequences” to propagate. Although it may be necessary for the private sector to contemplate this course of action, it does not follow that it must do so, even if the public sector does.
Nonetheless, if this is the only way the private sector can fulfill its responsibility to secure systems in which there’s a public interest, we may have to move in this direction. At the very least, we must consider whether the government should undertake a more robust response on behalf of the private sector, or whether the government would sanction such a response from the private sector itself. Again, we need to understand the legal and policy implications of what’s happening in cybersecurity, even as we face challenges at its technical and operational frontiers.
