24 December 2018

Governing Private Sector Self-Help in Cyberspace: Analogies From the Physical World

WYATT HOFFMAN, STEVEN NYIKOS

Cyberspace is transforming the relationship between states and private entities. States have benefited immensely from the autonomy given to corporations driving technological innovation, but rapid innovation and growing societal dependence upon data and information and communications technologies have brought significant exposure to cyber risks. The consequences of these risks increasingly extend beyond corporate assets to broader public safety, economic prosperity, and even national security interests. Yet despite growing awareness of the extent of the problem, the roles and responsibilities of government and the private sector in cyberspace remain largely ambiguous.

This ambiguity leaves unresolved the proper scope and limits of self-help in cyberspace: How far are private actors allowed, expected, or even obligated to go when providing for their own security from malicious cyber activities?
Increasingly frequent and costly cyber attacks targeting the private sector routinely surmount basic cybersecurity measures. To counter this threat, private actors globally are contemplating or engaging in risky activities, including hacking back into the computer networks of their attackers to punish them or disrupt their activities. The absence of clear international rules of the road for private actors in cyberspace threatens to create a serious gap in global governance enabling potentially destabilizing private sector activities. There is an urgent need to consider the emerging norms and desirable boundaries of self-help in cyberspace.

Wyatt Hoffman is a senior research analyst with the Nuclear Policy Program and the Cyber Policy Initiative at the Carnegie Endowment for International Peace.

Unlocking the significant capacities of the private sector through a properly circumscribed self-help policy approach could offer an essential part of the solution to a deteriorating cybersecurity landscape. This is a growing strategic imperative for the United States and others struggling to manage the private sector’s exposure to incessant cyber attacks by state and nonstate actors alike.

This study attempts to help navigate the risks and opportunities presented by private self-help in cyberspace. It aims to foster serious consideration of the realistic boundaries of self-help and its potential role in private sector cyber defense.

Self-help in cyberspace includes a wide range of activities, from basic measures securing assets (for example, firewalls and encryption) to more assertive defenses designed to thwart attacks and even retaliatory cyber operations against attackers’ computer networks. The focus here is primarily on those activities that exceed the limits of purely passive defenses—activities that could be perceived as similar to the use of force in the physical world. Such activities are the subject of growing contention and raise significant concerns, including risks of collateral damage to innocent third parties and the consequences of measures with transnational impacts.

The aim here is not to resolve the complex dilemmas for law and policy presented by these measures. Before such legal and policy debates can be resolved, more fundamental questions need to be addressed: What principles should define reasonable defensive behavior, and how should governance be approached in a transnational market of security services? This study outlines the contours of a pragmatic approach to answering these questions with a focus on minimizing risks and incentivizing responsible conduct.

Cyberspace presents novel complexities and dilemmas. But the challenges of governing private actors undertaking security roles are not unprecedented. Historically, there has always been a need to strike a balance between the roles of the state and private actors that places some burden of risk on the latter and allows for some extent of self-help. The emergence of unique roles and capacities of the private sector in cybersecurity is in many ways an extension of deeper trends in the physical world that characterize the currently shifting relationship between states and private actors.

This study draws from historical and contemporary experiences with various manifestations of self-help in the physical world analogous to cyber activities. It examines analogies from the U.S. domestic context and from international governance efforts. The examples range from electric fences and other measures individuals take to defend their property to the quasi-military activities found in the global industry of private security contractors.

Analogies have inherent limitations but offer useful heuristics for thinking through the dilemmas posed by self-help in cyberspace. They capture different facets of this challenge that blurs traditional distinctions—foreign and domestic, public and private. The analysis here focuses on both where and how self-help should be realistically circumscribed. The insights from these analogies include specific principles and distinctions for governing defensive activities, complementary mechanisms for managing risks and incentivizing behavior, and lessons from processes of governance in similarly complex, global domains of activity.

DIRECTIONS FOR POLICY

Creating space for legitimate and responsible self-help practices could begin to arrest negative trends in cybersecurity and reduce the pressure on governments to escalate their responses to cyber threats. Such space may even be necessary to forestall corporations’ resort to riskier, destabilizing activities and vigilantism, or avert an equally undesirable trajectory toward an untenable situation for private sector cybersecurity.

Certain measures and practices clearly should be off the table for private actors. But within those constraints, there is significant space to explore a spectrum of defensive measures whose risks appear to be manageable and justified in some circumstances. Many of these defy traditional frameworks for forceful activities. They can be employed in ways tailored and proportional to threats, limited in impacts (for example, temporary or reversible), and conditional upon technical safeguards or certain defensive contexts.

This spectrum of cyber measures affords unique opportunities for self-help, but many such measures carry complex risks. They call for a nuanced approach to governing the behavior of private actors. Such an approach should examine, holistically, the incentive structure shaping private sector behavior, including competing and complementary forces such as regulation, liability, insurance, and market forces. Efforts to shape this incentive structure should be calibrated to the realistic limits of government control in this space and consider flexible, stopgap solutions. Finally, states’ domestic approaches must correspond to the global nature of these activities. At a minimum, an attempt to foster a common understanding of rules of the road among like-minded states is needed. But the irresolution of fundamentally diverging views among states toward the legitimacy and legality of self-help activities should not impede practical measures to improve behavior.

This study attempts to define the broad contours of an approach to governing self-help in cyberspace by integrating insights from the analogies explored here. The result is four directions for policy:

Solidify absolute boundaries of legitimate self-help to exclude those activities that would clearly be destabilizing internationally (that is, destructive hack backs). This calls for some convergence internationally upon norms that would build a firewall between legitimate self-defense and activities exclusively in the domain of state actors or oversight.

Raise the bar for basic cybersecurity practices to limit the circumstances that would require more assertive defenses. If the vast majority of cyber attacks can be mitigated through basic cyber hygiene, then making more assertive measures conditional upon basic due diligence would immediately narrow the circumstances of their employment.

Clear the way for self-help activities that would be broadly beneficial and relatively low risk, including a range of measures like digital beacons. Promoting more effective and less predictable defenses can create a broader deterrent effect that extends even to those not employing them.

Create the conditions to motivate responsible conduct for those activities whose risks could be managed or mitigated. This includes a range of complementary approaches: leveraging key stakeholders in positions to shape norms and conduct (the insurance industry, financial sector, and so on), raising barriers to entry in the form of licensing or certification requirements, imposing liability for negative consequences, and creating incentives to guide behavior in a transnational market of security services.

Clear roles and responsibilities in cyberspace have yet to be negotiated. Yet de facto norms of self-help behavior are already emerging—driven largely by individual corporations’ initiative and growing demands for aggressive cyber defense. Serious attention is needed to think through how to proactively shape the trajectory of this space of private sector activity. This requires moving beyond the false dichotomies that have dominated discussions (such as whether or not to allow hacking back). There are inevitable risks with any path forward regarding the role of the private sector. And in the current transient state of the domain, it is more important to identify feasible stopgap measures to manage these risks rather than attempt to define an ideal end-state. This study thus hopes to both help ground this debate in experience and stimulate further consideration of these questions.

INTRODUCTION

The cyber risk landscape has deteriorated in recent years. Massive ransomware attacks, large-scale data breaches, and discoveries of pervasive cyber vulnerabilities and aggressive, persistent intrusions into critical infrastructure and other sensitive targets all demonstrate an expansion and escalation of cyber threats. This trend appears likely to accelerate as sophisticated cyber capabilities proliferate further to globally dispersed malicious actors and the scope and scale of opportunities to launch attacks continue to expand. Meanwhile, the potential grows for systemic cyber risks to impact public safety, economic prosperity, and national security.

Far from protecting the private sector from cyber threats, many states are exacerbating the problem. Most governments are preoccupied with securing their own networks and critical infrastructure and lack the resources necessary to defend the private sector in any comprehensive manner. Many have strong aversions to assuming responsibility for private sector cyber risks. Even when they do seek to respond to and can attribute malicious activity, their responses are often impaired by concerns of escalation, retaliation, and other unintended consequences. Moreover, states remain largely focused on exploiting cyberspace—often for legitimate national and international security purposes. Yet offensive cyber capabilities deployed or accidentally leaked have been reverse engineered and redeployed by malicious actors, further undermining the private sector’s security.

By exposing private entities to the malicious activities of foreign nation-state hackers, criminals, and terrorists, cyberspace has weakened the buffer that states traditionally provide between their citizens and external security threats. This is not to say that governments are doing nothing; many have assisted the private sector with cybersecurity.1 But their efforts have largely been outpaced by the escalation of cyber threats, from which the private sector generally cannot rely on law enforcement to protect it. Cyber threats thus pose a fundamental challenge to the state’s role as the ultimate guarantor of its citizens’ security.

Consequently, for private sector entities forced to navigate this deteriorating landscape, cybersecurity has become largely a matter of self-help—that is, protecting their assets without recourse to law enforcement.2 At the most basic level, self-help in cyberspace includes common measures to secure oneself from malicious activity—an expectation of personal responsibility reflected in the frequent reference to cyber hygiene.3

But increasingly sophisticated and costly cyber attacks that surmount basic cyber defenses have motivated some private entities to engage in more assertive forms of self-help. This includes companies undertaking, contracting, or offering a spectrum of measures often referred to as active cyber defense (ACD).4 Some such measures are potentially beneficial not only for companies’ defense but also for deterring cyber threats more broadly. Yet many entail significant risks, including potentially disrupting or damaging networks of innocent third parties (particularly if a cyber attack is misattributed).

There is a concerning lack of clear rules of the road for this growing, transnational space of private sector activity. Many states have laws criminalizing hacking that prohibit defensive measures that would intrude into attackers’ or third parties’ systems or networks, even for self-defense. But such laws often have significant ambiguities in application and unclear enforcement.5 Policymakers globally are struggling to find effective formulas to govern this gray space of active defense.6

Inconsistencies among national approaches contribute to a fragmented regulatory environment internationally. The absence in many states of clear legal limits on such activities in cyberspace encourages aggressive practices that blur the line between defense and offense, such as hacking back into the networks of attackers.7 Furthermore, offshore activities or contracting make it possible to circumvent the constraints that do exist. With a nascent transnational market for aggressive defensive and even offensive measures, a gap in governance is emerging globally that cannot be addressed by national regulatory approaches alone.

The scope of appropriate private sector self-help is ill-defined because there is little clarity regarding both minimal expectations for corporations to undertake basic cybersecurity and maximal limits on aggressive defenses. This results in corporations taking divergent strategies to manage their growing exposure to cyber risks. Some react with relative complacency, doing the minimal amount necessary to meet expectations or requirements. Others adopt a more aggressive defensive posture, resorting to self-help practices that come with their own set of risks.

These pressures on the private sector lead many companies to directly or inadvertently channel cyber risks—toward subcontractors, consumers and shareholders, governments, a nascent insurance market, or outward to attackers and potentially innocent third parties (through collateral damage). The burden of risk often falls to those with less ability to understand or manage it, sometimes without them even knowing—for example, innocent third parties. Even those companies that are proactive and effective at mitigating cyber risks may find it increasingly hard to do so in the face of escalating threats.

This state of affairs presents a precarious situation for policymakers. Attempting to shape private sector behavior in one area may have ripple effects by incentivizing companies to channel risks elsewhere. These effects can be difficult to anticipate, and cyber risks are often inscrutable even to the companies themselves. Further, these risks and activities are not contained by national boundaries. Countries are trying to set domestic rules for activities that have transnational externalities. The lack of global norms creates the potential for a gap in governance of private sector behavior that could destabilize cyberspace in unprecedented ways. Policymakers are under increasing pressure to address cyber risk but lack an effective formula to balance these factors.

This study examines the emerging boundaries of private sector self-help in cyberspace to help navigate these policy challenges. It explores the role that self-help might play in combating malicious activity and contributing to order in a rapidly evolving domain that challenges traditional assumptions and approaches to security, with a focus on how to circumscribe and govern self-help. But the scope of this study is pragmatic, starting with an appreciation of the limits of law and regulation as well as the inevitable risk trade-offs, and concentrating on realistic approaches to motivating responsible behavior.

The approach here draws from historical experience. The process of fostering rules and norms of behavior is often iterative and can be difficult to navigate in an emerging domain of activity. When considering the desirable and realistic boundaries of self-help behavior, it is useful to reference examples from the physical world. This study examines a range of activities from the physical world analogous to specific cyber measures and the frameworks and mechanisms that evolved to govern these activities. Examples include the use of electric fences or mantraps to protect private property or the employment of private armed guards.

Self-help in cyberspace could take many forms, from basic measures to secure assets to retaliatory cyber operations against malicious actors. This study focuses primarily on those actions that approach, or in some cases transgress, the upper limits of defensive behavior—measures that appear similar to force in the physical world. These measures comprise much of the current ambiguous space and pose the most difficult dilemmas (in contrast to the more innocuous basic cybersecurity measures).

The diverse range of technical phenomena this entails cannot be captured by any single analogy. Thus the first half of this paper catalogues various frameworks for governing specific self-help activities in the physical world in the U.S. domestic context. The second half focuses on the governance of private self-help activities in the international context through various state-centric and multistakeholder approaches. The study concludes with an examination of the individual and collective insights from these analogies for governing self-help in cyberspace.

Each analogy demonstrates a dynamic balance struck between the legitimate interests of private actors to defend their property and the negative consequences of self-help behavior. How this balance emerges and evolves can offer valuable insights: principles to govern forceful measures; lessons for weighing and balancing the competing equities at stake; mechanisms to incentivize and shape the behavior of private actors; and approaches to resolving the challenges of governance in a transnational domain of private activity. Individually, the analogies may vary in how readily their principles and precedents translate to the cyberspace context. For this reason, this study does not dwell on any single analogy but focuses on the collective insights from a broad survey of manifestations of self-help.

The objective of this study is not to resolve the complex legal, policy, and strategic dilemmas posed by these activities. More modestly, it seeks to provide useful heuristics for understanding and navigating these dilemmas by grounding them in historical experience. There is steadily growing pressure in the United States and elsewhere to revisit legal constraints on aggressive private sector cyber defenses.8 Before the legal questions surrounding these activities can be answered, some fundamentals must be considered, including the principles that should govern this arena of private sector activity and how law and regulation play a role within the broader incentive structure shaping behavior. While any path forward regarding self-help needs to be reconciled with existing law, a discussion of whether and how to amend the Computer Fraud and Abuse Act in the United States or other relevant laws is beyond the immediate focus here.

This study, therefore, does not offer legal opinions on the applicability of existing law to actions in cyberspace. The examination of legal precedents from real-world activities is not to suggest that these precedents can or should necessarily apply as a legal defense for cyber activities. Rather, the focus is on how those precedents reflect an effective balance struck through similar dynamics as those at play in cyberspace, and their usefulness in thinking through cyber analogs. Any reference to possible liability or legality of a particular action in cyberspace is offered merely as a normative consideration rather than a legal opinion.

SELF-HELP IN THE HISTORICAL CONTEXT

Current debates over private entities’ use of controversial defensive cyber measures tend to fixate on their technical and legal dimensions: What limits should be placed on technical measures employed by defenders? Should defenders be allowed to engage in unauthorized access for the purposes of self-defense? However, underlying these disagreements are more fundamental, unresolved questions: What constitutes force in cyberspace? Should the government maintain a monopoly over the legitimate use of force in cyberspace—and is it even possible to do so? Placing these questions in the broader context of self-help draws attention to some of the assumptions that undergird these debates.

There is a temptation to view self-help, generally speaking, as antagonistic to state sovereignty and authority. This flows from a familiar narrative: the modern state evolved to supplant self-help as a guarantor of security; private actors agree to largely forego self-reliance for their defense. It follows that self-help in cyber could be atavistic—a return to a more primitive, lawless state of affairs. Indeed, debates over whether to allow more aggressive cyber defenses frequently invoke the Wild West as an admonition against ceding any ground to the private sector.9 Allowing self-help is seen as an irresponsible retreat by the state from the cyber domain and a weakening of its sovereignty.

Yet this view rests largely upon a mischaracterization of the historical nature of self-help. There has always been a balance struck between state and private responsibility that has both placed some burden of risk on private actors and empowered them to undertake their own security within limits. This balance has varied across national and cultural contexts. It has also evolved in response to changing security circumstances and the efficacy of states’ and international institutions’ management of threats. But it does not exist simply along a continuum with the state on one end and the private sector on the other. Rita Abrahamsen and Michael Williams have argued that with globalization:
