Active Cyber Defense: Toward Operational Norms

An increasing number of governments are engaging with active cyber defense — either through policy debate or in practice. However, the public discourse on what a good policy framework should look like and what operational norms should be followed lags significantly behind, especially when it comes to concrete operational norms (for intrusive measures) undertaken at home and against IT systems abroad. In simple terms, active cyber defense is the practical response by technical means of a government to malicious cyber activity targeting organizations within its country or allied states and partner states. This paper outlines nine operational norms that may decrease the risk of collateral damages and diplomatic escalation stemming from active cyber defense operations:

1. Respond, don’t retribute: Active cyber defense operations should always be a response to a malicious cyber operation or campaign, thus neutralizing, mitigating, or attributing a malicious cyber activity.
2. Prioritize operational spaces: Governments should focus their measures on their own jurisdictions, communicate with allies before engaging in their jurisdictions, and try to avoid the jurisdictions of uninvolved third parties.
3. Don’t just do it — explain it: Governments should set up political, legal, and oversight frameworks for active cyber defense operations and put an emphasis on impact assessment and transparency.
4. Shape the international discourse: Governments should be aware of their role in shaping international law and should engage in confidence-building measures.
5. Choose your active cyber defenders: Technical excellence, operational expertise, and the willingness to subject itself to strict frameworks under a central authority should be key requirements for the primary operational agency.
6. Know your adversary: A deep level of technical understanding about the adversary’s cyber-operational environment is crucial for an active cyber defense operation.
7. Fine-tune your capabilities: The procuring, designing, and testing processes of capabilities need to be meticulous in order to guarantee the efficiency, effectiveness, and proportionality of the measures.
8. Target with precision: Independent from the operational space, measures should be as limited as possible and avoid targeting third parties, especially supply chains and critical infrastructures.
9. This is your last resort: Governments should be aware that every intrusive active cyber defense operation is likely a resource-intensive, one-off activity that does not sustainably improve the overall level of national cybersecurity or resilience.

These operational norms are meant to serve not only as a contribution to the ongoing debate but also as a starting point for governments that are looking for advice on how to develop their active cyber defense policies. Additionally, these norms may also contribute to increasing convergence among like-minded states regarding active cyber defense policies that reflect shared values.