Active Cyber Defense Operations. Assessment and Safeguards

Policy Brief

Executive summary

The policy world has debated active cyber defense for many years. However, many of those discussions have not been concluded, at either the international or national level. Active cyber defense—the implementation of technical measures to mitigate, neutralize and attribute a malicious cyber operation or campaign—warrants this thorough analysis due to its inherent risks.

Whether the implementation of a measure is covered by an existing legal framework is certainly a good starting point. However, existing legal frameworks are being applied to new areas, such as active cyber defense, for which they were not designed. Especially in the absence of specialized legal frameworks, not everything that is merely not illegal should be pursued. How, then, do we assess whether a given active cyber defense measure should be implemented?

Definitions of active cyber defense vary broadly, as do the technical measures that fall under those definitions. Creating an exhaustive list of measures and deciding which ones are useful and which are not seems like a futile task. That is why this paper suggests an overall framework for assessing whether measures should be implemented.

The following criteria are included in this framework:
• Goals and success (purpose);
• Type, space and target of effect (effect);
• Government lead agency and cooperativeness of the stakeholders (actors);
• Attribution and time (timing);
• Escalation, automation, frequency, costs and collateral consequences (operations).

In addition to the assessment of individual measures, risks should further be mitigated by establishing safeguards applicable to every active cyber defense measure. Safeguards that should be implemented are as follows:
• Define and limit the scope;
• Establish a national legal framework that includes transparency, oversight and impact assessment;
• Set up guidelines for tools and services;
• Apply international law;
• Consider public interest;
• Adapt confidence-building measures.

It is important to move the policy discourse on active cyber defense forward. However, national and international cybersecurity will always depend on improving IT security and resilience. Active cyber defense can occasionally supplement IT security and resilience but will never substitute for them. The assessment framework and safeguards ensure that, in cases where active cyber defense operations are required to fill a gap in protecting the state from malicious cyber operations and campaigns, they do so without causing more harm than good.


Definition of "Active Cyber Defense"

One or more technical measures, implemented by an individual state or collectively, carried out or mandated by a government entity, with the goal of neutralizing, mitigating the impact of, and/or technically attributing a specific ongoing malicious cyber operation or campaign.