Volume 8, Issue 1 of the University of Maryland Journal of Business & Technology Law published a rather interesting article on active defense policy. Adequate Attribution: A Framework For Developing A National Policy For Private Sector Use of Active Defense was authored by Shane McGee, General Counsel and Vice President of Legal Affairs at Mandiant, Randy V. Sabett, Counsel with ZwillGen PLLC, and Anand Shah, Staff Attorney at Mandiant and Technology Fellow at ZwillGen PLLC.
The article is very timely, as it follows on the heels of a recent IP Commission Report that recommended the government investigate how active defense measures might be appropriately utilized by the private sector. Specifically, the IP Commission Report recommended that "new laws might be considered for corporations and individuals to protect themselves in an environment where law enforcement is very limited." The Report suggested that "[s]tatutes should be formulated that protect companies seeking to deter entry into their networks and prevent exploitation of their own network information while properly empowered law-enforcement authorities are mobilized in a timely way against attackers."
With momentum gaining in support of active defense strategies, McGee, Sabett, and Shah argue that national policy in active defense should avoid the "unrealistic" goal of "absolute identification of a cyber attacker" and should instead begin with a "national dialog" on what would define "adequate attribution."
This is a great read for those interested in the concept of active defense. An excerpt appears below, with footnotes redacted (follow the link above for the full article):
Once primarily the domain of the federal government and a few specialized defense contractors, “active defense” has become an increasingly common topic even in unclassified circles due to (a) much more media exposure, (b) a general relaxing of attitudes toward offensive cyber behavior and, to some extent, (c) a frustration with the ability for companies to protect themselves with a purely defensive posture. Whether called active defense, standing your cyber ground, or hacking back, the notion of offensive use of cyber capability continues to gain considerable attention. As we ponder the implications of publicly-reported cyberattacks with a kinetic component (e.g., America’s alleged involvement in Stuxnet and the appearance of Flame), we also need to determine if other broad attacks (e.g., Duqu and Shamoon) should be viewed as significant steps forward in attack vectors or simply more annoying distractions in the cyber landscape. In any event, no one can deny that offensive operations must be considered as a possible device in the cyber toolkit. The logic seems valid — the right of self-defense has existed for hundreds of years in the physical realm; it should have a corresponding construct in the cyber world. Unfortunately, a lack of clarity in current law and policy has not allowed that to happen.
. . . .
The nagging question involves picking the level of certainty required by a victim of cyberattack in the identity of the attacker before responding. At one extreme would be absolute knowledge of the identity of the attacker. However, several scholars agree that significant difficulty exists in attaining 100% certainty of an attacker’s identity and that even identifying an attacker beyond a reasonable doubt is “bordering on impossible.” At the other extreme would be a policy where little, if any, diligence would be required prior to attacking back. Richard Clarke provides perhaps the most accurate answer by stating that it will “depend upon the real-world circumstances at the time.” In this paper, we will lay out an argument that, since absolute identification of a cyber attacker is unrealistic, a national dialog should occur around what constitutes adequate attribution. We will then provide a normative framework for use by the private sector when contemplating the use of active cyber defense.