One of the fastest growing threats to the United States lies in the realm of cyberspace.
With the touch of a button, foreign hackers and malicious governments can deliver blows to the U.S. economy by targeting American companies.
Recognizing the need to address this issue, Sen. Orrin Hatch, R-Utah, asked Secretary of Homeland Security Kirstjen Nielsen several questions about active cyber defense measures during a hearing last week. Essentially, active cyber defense is the effort to push back against hackers by private-sector actors.
In response, Nielsen confirmed the Department of Homeland Security’s desire to work with the private sector to further help companies engage in active cyber defense.
This is encouraging, as past administrations have shied away from supporting this type of defense.
Following several recent high-profile cyberattacks on U.S. companies, it is vital that a limited form of active defense be legalized. Simply put, there have been—and will be—too many attacks against American businesses for the government to handle on its own.
There are two reasons why allowing companies to engage in active cyber defense would be beneficial.
First, involving companies in their own defense would turn them from victims into witnesses. With active defense capabilities, hacked companies would be better equipped to identify their attackers, allowing the authorities to handle the situation in a more effective manner.
Secondly, empowering companies to better identify their attackers would enable the government to focus its limited time and energy on the most consequential attacks.
As detailed in The Heritage Foundation’s report on cybersecurity, there are differing degrees of active cyber defense activities, ranging from annoyance (techniques that make it difficult for a hacker to carry out his or her activities) to attribution (techniques that attempt to identify the hacker) to attack (techniques that “hack back” or destroy the hacker’s system).
When it comes to granting active cyber defense abilities to American businesses, The Heritage Foundation recommends limiting capabilities to annoyance and attribution techniques.
Currently, legislation on both the federal and state levels restricts companies from being able to carry out active cyber defense against domestic hackers.
To change this, any federal legislation must amend the Computer Fraud and Abuse Act of 1986 by removing the prohibition of accessing “a protected computer without authorization.” Moreover, new federal laws need to pre-empt state rules that inhibit active defense.
Foreign cyber laws also affect the ability of American companies to engage in active defense against hackers working outside of the U.S.
Traversing this obstacle is difficult, and the government should approach it with caution. To begin the process, the U.S. should facilitate a conversation about active defense with our allies.
The Department of Homeland Security’s desire to work with the private sector on this issue is an important part of the mission to improve cybersecurity, but ultimately, congressional action is needed. Georgia Rep. Tom Graves’ Active Cyber Defense Certainty Act is a step in the right direction.
Cyber threats are not going away, and they will only increase in intensity and quantity. It is necessary for U.S. companies to be able to combat them with active defense.