Washington, February 22, 2013 — As this week's Mandiant report on
China's cyber espionage highlights, cyber attacks are posing ever more serious
economic and national security risks to the United States. In Active Cyber
Defense: A Framework for Policymakers, CNAS Senior Fellow and
Director of the Program on Technology and U.S. National Security Dr. Irving
Lachow urges policymakers to provide guidance and clarity on an intensifying
debate about active cyber defense (ACD).
ACD, which is the range of proactive actions taken to engage an adversary before and during a cyber incident, "can dramatically improve efforts to prevent, detect and respond to" sophisticated attacks, says the author. Although ACD plays an increasingly important role in protecting both public and private sector organizations, Dr. Lachow notes that there is a great deal of uncertainty about which ACD actions companies can legally take to defend themselves. He points out that much of the current debate surrounding ACD focuses on the most extreme scenarios and pays insufficient attention to a number of useful options that are available to private sector actors.
The lack of legal clarity on what ACD actions can be taken under which circumstances has the potential to create undesirable outcomes for both industry and government, according to Dr. Lachow. He urges the U.S. government to provide greater clarity on which ACD actions are legal and which are not and calls on policymakers to develop a framework for ACD initiatives. "Clearer guidance will enable organizations to protect themselves from advanced cyber attacks to the greatest extent possible without putting themselves in legal jeopardy," he concludes.
The Center for a New American Security (CNAS) is an independent and nonpartisan research institution that develops strong, pragmatic and principled national security and defense policies. CNAS leads efforts to help inform and prepare the national security leaders of today and tomorrow.