The objective of this research is to explore stakeholders’ first-hand experience, beliefs, and opinions related to cybersecurity and Active Cyber Defence (ACD) in the Canadian Critical Infrastructure (CI) sector by engaging cybersecurity, IS/IT, Business Continuity, compliance, and law enforcement professionals directly involved in the protection of CI. A semi-structured interview will focus on the topics of cybersecurity, its importance relative to CI, and specifically ACD – an offensive technique whereby victims respond to cyber-attacks using offensive tactics aimed at striking back against adversaries, as an alternative to the typical ‘passive’ traditional cybersecurity implementations, such as firewalls and antivirus software. The impetus for this study is legislation proposed in the United States (US), titled the “Active Cyber Defence Certainty Act,” a bill which would legally provide victims of cyber-attacks the ability to weaponize their networks and commit various counter-attacks against adversaries under the guise of self-defence.
This dissertation aims to dissect ACD’s perceived application, desirability, and viability within the context of Canadian CI – an undeveloped and unexplored conceptualization, and an important consideration in the realm of cybersecurity, given society’s reliance on CI, the potential risks cyber threats present to the population, and the reported limited effectiveness of current techniques. The research question asked interviewees whether organizations in the CI sector should consider adopting an ACD strategy as part of their cybersecurity mandate, if permissible.
Cybersecurity has truly become a political, military, economic, social, information, infrastructure, physical environment, and time concern for senior leaders (Matthews et al., 2016). The emergent risk characteristics of cyberspace are a result of rapid advancements in computer and communication technologies, as well as the tight coupling of the cyberspace domain to physical operations (Matthews et al., 2016). This ‘coupling’ is evident within Canada’s CI sector (Public Safety Canada, 2018), which relies on networked communication between physical sensors attached to physical structures. In today’s cyber world, a wide range of CI, including water supplies, transportation networks, energy, and communication technologies are all considered vulnerable to cyber-attack (Harrington, 2016; Dogrul et al., 2011). Systems such as smart grids and metering, energy harvesting, and System Control and Data Acquisition (SCADA) are but a few of the technologies utilized and entrusted to safely provide society with operational necessities, such as energy (Kasl, 2018). As such, Canadians depend on the cybersecurity and reliability of CI to ensure their prosperity, as well as physical and economic well-being.
The key to understanding the potential magnitude of cyber threats is the networked characteristic of computer systems. These networks “control physical objects such as electrical transformers, trains, pipeline pumps, chemical vats, and radars” (The National Strategy 2003, pp. 6–7) and attacks—or “cyberdisasters”—would “compromise systems and networks in ways that could render communications and electric power distribution difficult or impossible” (Hansen and Nissenbaum, 2009, p. 1161). Based on our dependence on network connectivity and function, combined with the current threat environment which indicates that cyber-attacks are increasing in severity, sophistication, and frequency (Ernst & Young, 2015; Trustwave, 2015), it is important for the CI sector in Canada to explore available options to ensure that cybersecurity practices are both effective and progressive.
While the need for cybersecurity initially emerged with the development of the first military computer networks during the latter part of the Cold War, the implications of security incidents in cyber-infrastructure have multiplied exponentially since (Chronopoulos, 2017). Given that the cybernetic infrastructure intersects with the financial, transportation, energy and other CI, an escalating number of industry insiders believe more creative thinking is required to effectively address this issue (Homer-Dixon, 2010). Cybersecurity has traditionally worked from a defensive position, supported by an industry whose default mode is to patch, prevent, block and build updated versions of the same technology (Simon, 2017; Matthews et al., 2016). This innovation deficit on the part of the industry has impacted end users across various sectors, such as CI, who are trying to build mission assurance security strategies against unprecedented threat levels (Golden, 2015).
In the Information Age, industry needs to rethink its cybersecurity management approaches and recognize that traditional access control and perimeter defenses alone are no longer sufficient (Carcary, 2018). Rather, holistic and “proactive” approaches that continually evolve and adapt to counter emerging threats and minimize the potential negative consequences of exposure are required (Accenture, 2016). At a time when we rely increasingly on networked technology for the storage of data and the delivery of critical services, according to Pupillo (2018),
“those same assets become a primary target of cyberwarfare: this is the so-called paradox of progress; our society is more efficient as digitalization progresses, but also more fragile” (p. 1).
In response to the frequency and prevalence of cyber incidents, and while considering the potential for physical impacts to society through attacks on sectors such as CI, industry professionals, scholars, and politicians have been debating how to manage these risks in a more effective manner. Beginning in the early 1990s, cybersecurity professionals started to question the ‘passive’ approach and further explored how to ‘take the fight to the cyber-attacker’ (Canada, 2010). The quest to deter and thwart cyber-attacks has led policy makers, corporate decision makers and government to consider ACD as a tactical and strategic option (Westby, 2012). Once primarily the domain of the federal government and a few specialized defense contractors, “Active Defence” has become an increasingly common topic even in unclassified circles due to increased media exposure, a general relaxing of attitudes toward offensive cyber behavior, and frustration with the inability of companies to protect themselves with a purely defensive posture (McGee et al., 2013). According to Rosenzweig (2014), ACD enables those being attacked to develop a preventative intervention deterrence which is intended to signal to the attacker that the victim knows who the attacker is and can inflict some kind of harm on the attacker.
To counteract the threat of potentially disastrous cyber-attacks, nations’ policymakers today are increasingly testing the use of proactive strategies to supplement cyber defence (Dogrul et al., 2011). For instance, various governments have attempted to pass laws and bills to empower police officers with the ability to plant Trojan horses on suspects’ computer systems, the goal being to spy on data (including screen display, keystrokes, and possibly microphone and webcam data) (Kesan and Hayes, 2012). ‘The Magic Lantern’ Trojan Horse Project in the US is a post-9/11 example of this same concept (Hartzog, 2001). Another example occurred in Germany in 2007, when German police came up with their own ‘Bundestrojaner’ (Paulin, 2015). Several years later, this transition has now made its way formally into the private sector.
The perceived failure of government to provide adequate protection has led many theoreticians to suggest the need for private sector self-help (Rosenzweig, 2014). Within existing legislative frameworks, ACD is not an option at the organizational level in any country at the time of writing; however, in a contrary position, advocates such as Lachow (2012), Schwartau (2000) and Dewar (2014) frame ACD as a viable legal deterrence option provided certain provisions are implemented. Currently, there is some evidence to suggest that certain entities in the private sector have been tacitly utilizing this sort of approach to protect their systems (Kesan and Hayes, 2012). Until recently, the idea of formalizing ACD for the private sector had been treated like the proverbial “elephant in the room.”
A key turning point in the evolution of industry-led ACD occurred in 2015. In its 2015 report, the United States-China Economic and Security Review Commission recommended that the US Congress assess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in ‘counter-intrusions’ [i.e. ACD or ‘hacking back’] for the purpose of recovering, erasing, or altering stolen data in offending computer networks (Lin, 2016).
Since then, efforts to legislate ACD have been under way in the United States, with the release of “Into the Gray Zone: The Private Sector and Active Defence against Cyber Threats” (Center for Cyber and Homeland Security, 2017). Similarly, Tom Graves, US Republican for the State of Georgia, introduced the Active Cyber Defense Certainty (ACDC) Act in 2017. The bill amends Title 18 of the United States Code, to “provide a defense … for persons defending against unauthorized intrusions into their computers” (Active Cyber Defence Certainty Act 2.0 – Discussion Draft, 2017, p. 1). While the document contains certain provisions which attempt to regulate the usage of ACD, the intention of the bill is to provide the private sector with legal recourse to weaponize its networks and conduct offensive cyber operations against adversaries. Following this approach, in August 2018 US President Donald Trump signed a presidential order intended to “loosen” former Obama-era restrictions on the US use of cyber weapons against adversaries who “seek to infiltrate critical infrastructure, including the electrical grid, power stations, so that in some future conflict [adversaries] might have the opportunity to shut down the nerve center of American energy and our national life” (Kirk, 2018, n.p.).
While the Canadian Parliament is not currently exploring a provision granting private sector participants legal recourse to engage in offensive cyber operations, it is in the process of expanding the government’s powers to “become far more proactive, launching cyber-attacks abroad and engaging in covert operations, that could, in theory, involve everything from impersonation to taking down a foreign electrical grid” by way of Bill C-59’s updated national security legislation (Scotti, 2018, n.p.). As Canada is looking to expand the powers of its Canadian Security Establishment (CSE) employees by enabling them to conduct “active cyber operations” (Scotti, 2018, n.p.), the idea of an offensive cybersecurity capability also appears to be at the forefront of Canadian politics, albeit with its usage being deployed, mandated, and controlled by a government organization.
Given the dramatic shift in the US, which seeks to provide “active defence” options in the realm of CI in response to a perceived need to better defend against cyber threats, knowing whether stakeholders in Canadian CI are aware of, interested in, and supportive of a model similar to the US-based Active Cyber Defence Certainty (ACDC) Act proposal is important when considering how best to equip our professionals with options to execute their own cybersecurity mandate. As the US has given serious debate to the viability and merits of organizational-level ACD options, this study focuses on the perceived value of a legally prescribed ACD option in a Canadian CI context. CI corporations have become key stakeholders in society, having been endowed with legal and social rights normally reserved for people (Department of Homeland Security, 2017). These corporations, in effect, appear to have a ‘duty’ to adequately defend their information systems in a manner commensurate with the risk and the current threat environment. The CI sector is also critical to the everyday functioning of Canadian society, thus providing a common platform of shared interest for all Canadians, who as dependents and consumers are also susceptible to the effects of a major disruption (Shore, 2008). While no empirical data currently exists on the effectiveness (and subsequent risks) of organization-level ACD, engaging with Canadian CI stakeholders to explore their opinions, insights, and knowledge of the topic appears to be a logical first step in considering the concept of ACD as a potential cybersecurity strategy in the Canadian CI sector.
This dissertation is structured into five chapters. Chapter One described the objectives of the research and highlighted key issues on the topic. In Chapter Two, the Literature Review will first examine CI in the Canadian context and discuss threats faced by the sector. The extent of cyber threats and a discussion of formalized attempts at harmonizing cybersecurity initiatives, using the European Union’s (EU’s) framework, are then provided to demonstrate the complexity of the issue and the efforts being made internationally in response to it. Lastly, ACD is reviewed, and justifications both for and against its usage are provided. Chapter Three describes the Research Methods employed for this study. Chapter Four contains the Discussion and Analysis of the research findings, focusing on key themes and developments resulting from participant interviews. Finally, a review of the key points of analysis, study limitations, and potential areas of future research is provided in Chapter Five.
This chapter will focus on three primary topics. The first section discusses CI in Canada, with specific focus on the components of CI and the threats currently faced by the sector. Cybersecurity is the second topic addressed by reviewing the prevalence of cyber threats, as well as Europe’s attempt to harmonize efforts to combat cyber crime in a formalized, international model. Lastly, the concept of ACD is discussed, with a review of the techniques and justifications both for and against its usage in the private sector.
Critical Infrastructure (CI)
CI by definition in Canada refers to “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government” (Public Safety Canada, 2018, p. 18). There are ten government-mandated sectors that are categorized as CI in Canada:
Energy and Utilities – electrical power, natural gas, oil production, supporting transmission systems, high risk facilities
Finance – banking, securities, investments, integrity of electronic banking systems
Food – food safety at production, sales and use nodes, distribution
Transportation – roadways, air, rail, marine
Government – services, public facilities, information and information networks, secure and protected sites
Information and Communications Technology – telecommunications, broadcasting, software, hardware, networks
Health – hospitals, health-care, blood supply
Water – drinking water, waste water contamination
Safety – hazardous substances, explosives, nuclear waste, emergency services
Manufacturing – chemical and strategic manufacturers
It is evident that CI permeates the day-to-day life of all Canadians. Canada relies on CI to provide reliable energy, clean drinking water, safe food, and a variety of other essential services on a continuous basis. Responsibility for maintaining the integrity and safeguarding of CI is said to be a shared endeavour, comprising federal, provincial, and territorial governments, local authorities, and CI owners and operators (Public Safety Canada, 2010). CI owners and operators bear the primary responsibility to protect their assets and ensure delivery of service. Advocates of ACD would generally contend that it is incumbent upon organizations, particularly those in the CI sector, to adequately defend their networks and cyber assets, in light of the government’s relative ineffectiveness in adequately curbing the threat (Hopkins, 2011).
In the context of Canada, the world’s second largest country by land area, with a population of nearly 37 million people spanning from the Pacific Ocean across to the Atlantic and from the 49th parallel in the south upwards to the North Pole (Statistics Canada, 2018), CI is so widely distributed and pervasive that this “shared approach” to CI protection accountability is both ambiguous from a definitional standpoint and unrealistic to implement in a variety of contextual, geographic, and resource-based circumstances.
As an example, the Energy Disruption Scenario Table provided by NRCan (2006) demonstrates the complexity and crossover quality of “ownership” responses in the event of a major energy disruption scenario, emphasizing the need for organizations in the CI sector to safeguard their own assets first and foremost.
Of note, there is no equivalent Canadian guideline for a cyber-attack or network disruption. While the Royal Canadian Mounted Police (RCMP) would intervene since a crime has been committed, the mitigation, management, and leadership of such an event would fall within the jurisdiction of the company experiencing the event.
Moreover, Graham (2011) suggests the government’s “real” response is to bestow the responsibility upon CI owners to organize their immediate protection plans for assets they own and operate. Graham (2011) uses the energy sector as an example, in which both major private systems operators and government have partnered to map and identify major energy CI for planning purposes. For relatively larger sectors such as energy, CI may be more comprehensively and appropriately viewed from a North American perspective, especially at or near the US-Canada border. As Jacques Shore (2008, p. 2) states, “Canada is vulnerable to attacks on energy infrastructure aimed at disrupting service to the United States.” As the US is Canada’s closest ally and neighbor, it may be prudent to heed Shore’s (2008) advice and view CI from a ‘borderless perspective’ to maximize risk comprehension and effectively manage threats against Canadian CI both as the target and as a proxy. Realizing that Canadian CI is inextricably linked to the United States and that threats on Canadian territory may be intended to disrupt the United States (or vice-versa), in 2011 the two governments signed the Canada-United States Action Plan on Critical Infrastructure (Public Safety Canada, 2011).
Components of CI
While the definition of CI includes processes, systems, facilities, technologies, networks, assets and services, an extension of the term ‘assets’ is likely to provide further clarity and emphasize its multi-faceted and integrated nature, touching on the physical, cyber, and human elements simultaneously. The Government of Canada (2011) views CI assets within three broad categories:
Physical – tangible assets, such as roads, pipelines, dams, transmission lines, and vital institutions such as hospitals.
Cybernetic – technology that depends upon information hardware, software, data, and networks used within the CI context, for example System Control and Data Acquisition (SCADA). This also includes all electronic information stored and other monitoring systems that permit remote management of CI assets.
Human – those who control the assets and thus operate the system.
Based on the complexity of Canadian society in 2018, all three components of CI are required in order for it to function continually. With the continuous talk in popular media, in academic circles, and in industry relating to cyber risks, it is apparent that threats in this area are increasing in both frequency and sophistication (Cardenas et al., 2011). Furthermore, these threats cross most of the sectors and create new and emerging vulnerabilities not just to computer systems, but also to physical operations. While service and delivery of CI has arguably never been as efficient, streamlined, and developed, there is a growing recognition that the movement from human-operated facilities and monitoring to automated monitoring and control systems has presented a myriad of new vulnerabilities within CI (Conference Board of Canada, 2009). Graham (2011) echoes this point by positing that the core vulnerability of virtually all CI sectors can be attributed to their interdependencies and complexities, directly reflecting the integration of ‘cyber-dependence’ within systems.
Threats to CI
Viewing threats to CI exclusively through the traditional lens of physical harm from external sabotage and terrorism overlooks what could arguably be more persistent and probable threats (Conference Board of Canada, 2006). A 2008 study exploring insider threats to CI emphasized the lack of prior research on the topic (Department of Homeland Security, 2008). Given the access privileges and inherent proximity to CI granted to insiders, it is surprising that insider threats in this context appear under-researched, especially when estimates ranging between 43% (Software Engineering Institute, 2012) and 90% (Hong et al., 2010) of all reported breaches are ultimately attributed to insiders.
Threats to the cyber components of Industrial Control Systems (ICS) have received much attention lately. ICSs are used to control facilities such as water plants, electrical power distribution, and oil refineries, thus playing an integral role in the operation of CI (Franke & Brynielsson, 2014). While CI in Canada is susceptible to the same types of cyber threat manifestation referenced in the previous section on “Cybersecurity,” albeit with potentially higher consequences due to the dependence society has developed on the cyber components that operate CI in the 21st century, specific reference should be given to three real-world examples demonstrating the coupling of cyberspace to the security of the state and society.
The first example has been termed the ‘first real war in cyberspace’ and involved major Distributed Denial of Service (DDoS) attacks which brought down the websites of Estonian government agencies, Parliament, the national news media, and the country’s two largest financial institutions (Hansen & Nissenbaum, 2009; Kelsey, 2008). This appears to be the first (unproven) non-military action committed against a nation-state in which cyber-attacks were used against the public. By demonstrating the ability to disrupt a national government and its citizens through these means, this event arguably put the world on notice and effectively demonstrated how cyber can play a primary role in causing serious, deliberate disruptions to infrastructure and the functioning of society at large.
Another example of such a cyber-attack occurred on the Ukrainian national electric grid on 23 December 2015. As a result of this breach, the operation of a number of electric substations was interrupted, leaving approximately 80,000 civilians without power. The Ukrainian blackout case can be seen as one of the first significant and publicly reported cyber-attacks aimed at civil infrastructure and directly impacting the civilian population (Ficco et al., 2017; Yutian et al., 2016).
While no CI was impacted (aside from the financial sector) in the Estonian example, a more recent and ‘quintessential’ case resulting in physical damage to an ICS is that of Stuxnet, a weaponized virus which infiltrated the computer systems at Iranian nuclear facilities and prevented the reactors from operating properly. The code led to false readings from centrifuges and, through this, the equipment was rendered inoperable at various locations, as the attack led to deficiencies that degraded the centrifuges’ ability to enrich uranium (Kushner, 2013). While Stuxnet had a specific objective (to disrupt the Iranian nuclear program) and is believed to have been carried out or sponsored by nation-state actors (Farwell and Rohozinski, 2014), the potential for similar actions against the CI sector appears real, given the resources and availability. To use a Stuxnet-related example, in June 2010, a Belarusian malware-detection firm received a request from a client to determine why its computer systems were rebooting repeatedly. The malware was signed with a digital certificate to make it appear that it had come from a trustworthy source. This feat caught the attention of the antivirus community, whose automated-detection programs were unable to mitigate or handle such a threat. This was the first sighting of Stuxnet spreading (Kushner, 2013). Shortly after, Chevron, the American-based oil and energy company, confirmed the speculation by becoming the first U.S. corporation to admit that Stuxnet had spread across its machines (Nibbelink, 2013). Other popular malware derivatives, such as Flame, DuQu, and Gauss, also exist (Bencsáth et al., 2012). As companies have been slow to invest in the resources required to update industrial controls while the threats are increasing in frequency and variety, coupled with human error and flawed cybersecurity processes (Dustan, 2016), it appears that the risk against CI has increased.
Moreover, Kaspersky Labs has found “critical infrastructure” companies continuing to use 30-year-old operating systems and other legacy technology, which are inherently vulnerable to attack (Kushner, 2013). Given the importance of CI to Canadians, it is important to understand how the CI sector is addressing such cyber threats, if at all.
The ITU defines cybersecurity as
“The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurances and technologies that can be used to protect the cyber environment” (Van Solms & Van Niekerk, 2013, p. 97).
While the ‘risk management,’ ‘actions,’ and ‘technologies’ aspects are the primary focus of this work, it is imperative to understand that cybersecurity also encompasses a variety of ‘human’ elements, such as policy development, training, and best practices, which is why this particular definition was selected. Without these fundamental ‘human’ tenets in place, any technology, no matter how robust, will struggle to effectively protect the cyber environment (Evans et al., 2016). Furthermore, van Solms and van Niekerk (2013) posit that cybersecurity extends beyond the boundaries of traditional “information security” to also include the protection of other assets, including the person, due to the inherent interconnectedness between society and technology.
The extent of cyber threats
Cyber threats are prevalent and growing (Matthews et al., 2016). For example, 97% of organizations analyzed in 63 countries claim to have experienced a cyber breach at some point in their history, and 98% of applications tested across 15 countries were deemed to be vulnerable to attack (Trustwave, 2015); in 2014, threat groups were present on a victim’s network for a median of 205 days before detection; $7.7M was the mean annualized cost of cyber crime across 252 global, benchmarked organizations in 2015 (Ponemon Institute, 2015); and 60% of enterprises (n = 350) globally spend more time and money on reactive measures than on proactive risk management, meaning that the cyber-attack has already disrupted the network and resulted in further loss. According to Carcary (2018), cyber-attacks are estimated to cost between $375 and $575 billion US dollars per annum, while some estimates appear to be much higher, citing the underestimated ‘dark figure’ and other residual, indirect losses created by cyber-attacks. In their 2015 Global Information Security Survey, Ernst and Young (2015) reported that 88% (n = 1,775) of respondents believed that their current cybersecurity strategies did not meet their organization’s needs.
Combating cyber threats in a formalized international model – European example
The freedom and flexibility of cyberspace act as a driver for efficiencies, optimization, and enhanced communication in all facets of life, but also as functional risk factors which demonstrate the necessity of promoting a cybersecurity culture across all levels of society (Surdu, n.d.) – at the national and governmental levels, among organizations, and among citizens. Achieving a standardized culture of security and awareness in an effort to combat against the myriad of cyber threats presents a significant challenge, as well as an opportunity to ‘get better’ at cybersecurity through a collaborative approach.
Using the example of the European Union (EU), a current collection of 28 nations (European Union, 2018), attempts have been made at the international level to formalize strategies to combat cyber risks. According to Kasl (2018), the legal framework in the EU to address cyber risks is primarily built upon the Budapest Convention on Cyber Crime, an international treaty adopted in 2001, which has now been ratified by 57 states. Since then, the EU launched its first initiative on Information Technology (IT) Security in 2006, which was then replaced by a Cybersecurity Strategy in 2013, and most recently by a comprehensive cybersecurity ‘package’ in September 2017 (Pupillo, 2018). Through this centralized approach, the European Commission (EC) has identified the priorities and strategic actions in the field of cybersecurity at the member-state level. In the context of protecting Critical Infrastructure, in 2016 both the European Parliament and the European Council expanded on the pre-existing Network and Information Systems (NIS) Directive, which provides measures for ensuring the security of critical cyber networks and systems in the EU (Boiten, 2018). As of May 2018, the EU’s General Data Protection Regulation legislation came into force, with the goal of ensuring that organizations providing CI services have robust systems in place to withstand cyber-attacks (Ahmad, 2018). The legislation insists on a set of cybersecurity standards that adequately address mitigating the effects of events such as the 2017 WannaCry ransomware attack, which impacted segments of the unprepared National Health Services (publicly-funded national healthcare system) across England.
The initiatives referenced above appear well-intentioned and appear to be an important initial step in developing synergies with the international community to combat a complex, wide-reaching, and multi-faceted issue. However, given the very fragmented nature of the cybersecurity landscape in Europe and the voluntary nature of cooperation and information-sharing among member states, the EU’s ability to operate through a single coordination point remains uncertain, at best, according to Pupillo (2018).
While it may appear logical to explore various methods to better protect networks against the constant threat of successful cyber-attacks, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) has been unable to reach consensus on key issues such as the right to self-defence and state responsibility in cyberspace (Digital Watch, 2017). In addition to making this group relatively ineffective in policy development, the incongruence on such key issues, despite the platform to convene at a widely recognized, parallel international level, only emphasizes the discord amongst stakeholders on how to properly and effectively manage the issue of cybersecurity. Using the example of the Budapest Convention on Cyber Crime, arguably the most robust international attempt at harmonizing cybersecurity in both size and scope, it would take until 2040 for the majority of the world’s nations to sign it at its current pace (Council of Europe, 2018). Countries that are alleged to be leaders in nation-state cyber warfare, such as China, Russia, and North Korea (Shin et al., 2018), have not given any notification of interest in joining a pact such as this, likely limiting its impact upon the international community, especially in the context of state-sponsored cyber-attacks. Furthermore, China, India, and Brazil have overtly refused to participate as signatories since they were not involved in the negotiation. In the United States, the Donald Trump presidency has also confounded matters regarding ongoing US participation (Pupillo, 2018).
Moreover, Microsoft has developed a policy paper titled A Digital Geneva Convention to Protect Cyberspace (n.d.), promoting a legally binding framework to govern states’ behaviour in cyberspace, which would include initiatives such as refraining from attacks that would destroy CI or the global economy, and restrictions on developing cyber weapons, among others. Other countries, including the Netherlands, have also attempted to develop similar documentation, to no avail to date.
Active Cyber Defence (ACD)
While there is no specific common definition of the term (Dewar, 2014), Active Cyber Defence (ACD) is a general cybersecurity term that describes a range of techniques which proactively engage an adversary before and during a cyber incident. According to Lachow (2013), ACD can dramatically improve the defender’s ability to prevent, detect and respond to attacks typically carried out by “Advanced Persistent Threats” (APT). APT is the acronym commonly used to describe consistent attacks, usually carried out by resource-rich entities, such as nation-states. APT actors generally use sophisticated means to penetrate organizations and evade detection within the network environment for an extended period of time in order to gather information (Daly, 2009). While scholars generally accept that typical ‘passive defences,’ such as basic cyber hygiene practices, vulnerability patching, firewalls, and antivirus software, are necessary components of a well-designed cybersecurity strategy, these traditional methods do not comprehensively mitigate the risk of disruption against the increasingly sophisticated threats that exist in today’s cyberspace (Westby, 2012). McGee et al.’s research (2013) supports this notion, positing that only 6% of organizations detect APTs via internal methods.
Despite the fact that cybersecurity has evolved since the development of the Internet, offensive cyber operations continue to exist exclusively within the domain of military and government operations and have not made their way legally into the private sector. These are typically unprovoked nation-state level operations designed to achieve a specific objective against an adversary and/or its assets (McGee et al., 2013). ACD is different, as it is considered to be a tactical response by a victim to a specific cyber incident, following a legally defensible use of cyber force. A victim of a cyber-attack located within Canada, engaged in any “active defence” or self-defence measures which amounted to aggression, would currently be in violation of the law (Hopkins, 2011). At present, there is no ‘test’ case involving ACD in court (Lin, 2016). While engaging in ACD would currently amount to vigilantism, reasonable arguments and legislation have been put forth which subscribe to the notion that engaging in ACD should be defensible in court and is necessary to protect society.
Examples of ACD operations include companies conducting retaliatory hacking or active cyber defence / hackbacks (Lachow, 2013; Menn, 2012). These examples demonstrate there are computer and network security trained people who conduct ACD, outside the boundaries of law. Lachow (2013), referencing nCircle’s 2012 study, claims 36% of the 180 organizations surveyed conducted active defence operations in some capacity.
ACD draws upon the same skills and software exploit kits used by hackers and cyber activists (Kesan and Hayes, 2012). Dave Dittrich, Research Scientist and Engineer Principal at the University of Washington’s Applied Physics Laboratory, is one of the first cybersecurity experts to explore the concept of active defence (Westby, 2012). He noted as early as 2003 that ACD typically involves four levels of activity:
1. local intelligence gathering;
2. remote intelligence gathering;
3. actively tracing the attacker; and
4. actively attacking the attacker.
While the first activity appears to be a legal action across jurisdictions, the remaining three activities may not be, depending on how they are conducted. Dewar (2014) provides a more contemporary analysis of specific ACD measures, particularly the deployment of “white worms,” software similar to viruses that seeks out and destroys malicious software, identifies intrusions, and/or engages in recovery procedures. A second ACD strategy is to repeatedly change the target device’s identity during data transmission, a process known as ‘address hopping.’ ACD therefore places emphasis on proactive measures to counteract the effects of a cyber-attack, either by identifying and neutralizing malicious software or by deliberately seeking to mask the online presence of target devices to counter espionage. Rosenzweig (2014) discusses the use of ‘honeypots,’ which are deliberate traps set to detect or in some manner counteract attempts at unauthorized use of information systems. Active defence tactics proposed by other industry professionals take an even more aggressive approach and include ‘hacking back’ into adversaries’ systems to retrieve data, shutting down systems, sabotaging data, infecting the attacker with malware, overtaking the attacker’s botnet, and hiring a botnet to attack the attacker (Westby, 2012), demonstrating the wide spectrum of tactics which fall under the scope of ACD.
Justification for ACD
Strong support for employing ACD is prevalent in the literature. According to Bardin (2012), numerous justifications exist for the use of offensive cyber actions at the state and organizational levels, including lack of professional law enforcement skill in the realm of cybersecurity, saving lives compared to an invasion or war, and the cost-effectiveness of executing such activities as opposed to incurring massive debt to neutralize adversaries in the traditional sense. The author also claims that the majority of Chief Information Security Officers (CISOs), facing continuous probes, hacking attempts, and threats of espionage on their networks, typically approve of the approach. Lachow (2013) supports the use of ACD, claiming that passive cyber defences which rely on perimeter sensors cannot adequately protect against sophisticated cyber-attacks, as these can adapt quickly and become more advanced than the defences of their targets. In the 2015 Report to Congress on the U.S.-China Economic and Security Review Commission (USCC, 2015), stakeholders recommended that Congress assess the coverage of US law to determine whether US-based companies that have been hacked should be allowed to engage in counter-intrusions (i.e., ACD or ‘hacking back’) for the purpose of recovering, erasing, or altering stolen data in offending computer networks. This recommendation was the first of its kind to authorize the development of provisions allowing private entities to engage in offensive cyber actions against adversaries to protect their networks. In the context of CI protection, the root of the attack may be ideological or political, as opposed to financially motivated, meaning that deterrence and frustration may not work (Schillings, 2014). In situations such as these, supporters feel that the primary method to ensure public safety would be to “attack the attackers,” whether the scenario called for it to be through physical or cyber means.
Other popular justifications being suggested for active defence tactics include the right to self-defence, ‘hot pursuit’, and ownership of stolen data. Rosenzweig (2013) looks to far-reaching self-defence interpretations in international law, such as the Budapest Convention, the Rome Statute, and the International Criminal Tribunal for Yugoslavia (Kordic and Cerkez), all of which provide definitions of permissible self-defence through “active means.” Although these examples can be read through the lens of ACD, it is clear that their intent is not to provide guidance or a legal justification in the context of cybersecurity. Stewart Baker, former general counsel of the U.S. National Security Agency (NSA), has been one of the most prominent advocates for engaging in ACD (Leon, 2015). In 2013, in front of the United States Congress, Mr. Baker claimed that a cybersecurity crisis was upon society and that an active defence posture was necessary to both deter attackers and protect individuals’, corporations’, and governments’ safety online. According to Baker, the most important argument that supports ‘hacking back’ is based on a natural right to defend one’s own person and property. Lin (2016), in his analysis of arguments advocating for ACD, references the United Nations’ Universal Declaration of Human Rights (UDHR), specifically Article 3, which affirms, “Everyone has the right to life, liberty, and security of person” (United Nations, 2015, p. 8), as well as Article 12, which reads:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks (p. 26).
While there may be a degree of merit in the self-defence argument, Lin (2016) concedes that there are sensible limits to defending one’s own property, implying that a dichotomy exists between resisting a threatening intruder and setting up honeypots or interfering with an external network.
In 2011, the U.S. Department of Defense (DoD, 2015) issued the Department of Defense Strategy for Operating in Cyberspace, which stated that the U.S. reserved the right to respond to a cyber-attack with military force as the option of last resort. Nation-states have the right to defend themselves against various forms of attack, and this right extends beyond kinetic incidents to those perpetrated entirely through cyber operations. Private sector actors are seeking to apply the same logic to defending their networks through the use of ACD measures, claiming that the application of international law rarely, if ever, takes private organizations into account; in this context, such a narrow interpretation of international law is to their detriment, rendering them unable to legally defend their cyber territory as they would any physical entity (Rosenzweig, 2014). Other experts have begun framing cybersecurity as a public health issue and the deployment of ACD as a means to effectively eradicate ‘cyber pathogens’ (Singer and Friedman, 2014). In this context, cyber-attacks are considered an infection threatening the public good of online life, including CI and institutions which rely on network connectivity. As we already embark on ‘immunizations’ through traditional, ‘passive’ cybersecurity techniques, such as anti-virus software and security update installations, ACD can simply be considered a necessary vehicle to deter a malicious actor from attacking, or to destroy one once it enters the system. Whatever the specific rationale advocating for the use of ACD, the common theme appears to be that attacks are prevalent and difficult to defend against.
Given these challenges and the relative ineffectiveness of deterring or detecting APTs, supporters of ACD are seeking the legal reprieve and general acceptance to engage in more proactive and offensive measures, which they feel will increase their ability to defend networks, thus protecting their organizations and wider society by extension.
Justification against ACD
While strong support exists within some circles, primarily on the grounds of self-defence and inadequate private sector resources, the dominant expert opinion is that ACD, particularly offensive actions venturing outside of one’s own networks, should not be permitted (Lin, 2016; Menn, 2012; Westby, 2012). Taylor (2016) reports that an expert panel at the 2016 RSA Conference discussed the concept of ACD and explicitly told attendees that they would not recommend its usage in the private sector. According to the 2015 Passcode Influencers Poll, 82% of respondents do not believe that private companies should engage in ‘hacking back’ (Sorcher, 2015). Similarly, a sub-20% approval rating for ACD was observed in a Bloomberg Poll, where respondents claimed they believed it is solely the government’s responsibility to respond to cyber-attacks (Robertson, 2015). In 2012, John Pescatore, then head of Gartner’s Internet Security Practice, was quoted in a Reuters article saying that ACD had no business case or possibility of positive outcomes. Mr. Pescatore also mentions that conducting ACD is a sophisticated practice and that the majority of companies and contractors do not possess the skill-set to properly engage in such actions (Menn, 2012). Lin (2014) rightfully acknowledges that no clear rules exist in the realm of ACD and that escalation of a situation beyond the control of the responding party is a real consequence. For example, if ACD is conducted against a foreign target, this attack may be misinterpreted by the targeted nation as a military response, which increases the risk of serious political and economic backlash.
Schillings (2014) posits that tactical mistakes can occur, including failure to attribute the attack to the rightful party. As a result, the struggle to accurately identify the perpetrator may result in an innocent organization, or some other unintended target, being negatively impacted by an ACD offensive. McGee et al. (2013) also mention the difficulty of definitively attributing cyber-attacks, which are likely to incorporate attempts at anonymization by the perpetrator and re-routing through numerous jurisdictions or countries; responding to them may even violate certain laws, such as the U.S. Neutrality Act (or an international equivalent), which explicitly states that no private entity may take action against a nation-state currently at peace with the U.S. If an ACD strategy is employed and the attacker is ultimately identified as a nation-state or nation-sponsored actor outside of the legal confines of one’s country, then presumably the organization, as well as the organization’s country, is now in a situation that is likely to have further ramifications, including diplomatic crises, trade sanctions, retaliatory revenge attacks, civil litigation, a fall in share price, reputational damage, and collateral damage to civilians or CI, among others (Schillings, 2014; Hopkins, 2011). Given these risks, which have the potential to extend well beyond the organization itself and could conceivably result in damages more significant than the loss incurred from the cyber incident, in addition to the lack of any guarantee of positive attribution or of recovering the compromised assets, it may be difficult to justify the use of ACD on the basis of a ‘revenge attack’ or a possible recovery attempt.