A few days ago, the Center for a New American Security (CNAS) released a report written by Irving Lachow titled Active Cyber Defense: A Framework for Policymakers. The report is a very useful and readable summary on the technical/legal issues behind private sector active defense. Mr. Lachow’s closing thoughts:
The U.S. government needs to provide greater clarity on which ACD actions are legal and which ones are not. Without such guidance, two problematic situations may arise. First, organizations may choose not to take actions that are legal because of fears of breaking vague provisions of existing law. Second, organizations may take actions that they believe are legal but that government authorities view as being illegal. In the former case, corporations are bypassing ACD options that could help protect valuable information. In the latter case, companies are taking actions that could lead to serious financial and legal risks and could also undermine U.S. national objectives (such as U.S. efforts to establish norms in cyber space). Clearer guidance will enable organizations to protect themselves from advanced cyber attacks to the greatest extent possible without putting themselves in legal jeopardy.
Leave a Reply