The Promise and Peril of Active Cyber Defense

Similar documents
Program 1. THE USE OF CYBER ACTIVE DEFENSE BY THE PRIVATE SECTOR

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

Section One of the Order: The Cybersecurity of Federal Networks.

Policy recommendations. Technology fraud and online exploitation

About Issues in Building the National Strategy for Cybersecurity in Vietnam

National Policy and Guiding Principles

CYBERCRIME AS A NEW FORM OF CONTEMPORARY CRIME

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Investigating Insider Threats

About the George Washington University Center for Cyber & Homeland Security. Download the full report at cchs.gwu.edu

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Critical Information Infrastructure Protection Law

Cybersecurity and Hospitals: A Board Perspective

- Cyber threat information: information directly pertaining to,

SPACE SECURITY AND CYBERSECURITY: INTERSECTING CHALLENGES

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

CYBER SOLUTIONS & THREAT INTELLIGENCE

CYBER ASSISTANCE TEAM OVERVIEW BRIEFING

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Bad Idea: Creating a U.S. Department of Cybersecurity

SEACEN Cyber Security Summit 2014 Demystifying Cyber Risks: Evolving Regulatory Expectations

Data to Decisions Terminate, Tolerate, Transfer, or Treat

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

-Eight types of cyber data, (Sec. 708(7))

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

ISRAEL NATIONAL CYBER SECURITY STRATEGY IN BRIEF

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

Election Infrastructure Security: The How and Why of It

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

The UK s National Cyber Security Strategy

Are we breached? Deloitte's Cyber Threat Hunting

Location-Specific Cyber Risk

Cybersecurity and Commercial Aviation

Opening Doors to Cyber and Homeland Security Careers

CyRiE Cyber Risk Economics. Erin Kenneally, M.F.S., J.D. Program Manager Cyber Security Division

Cybersecurity & Privacy Enhancements

Building Privacy into Cyber Threat Information Sharing Cyber Security Symposium Securing the Public Trust

Commonwealth Cyber Declaration

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cyber Crime Seminar 8 December 2015

OUTCOME DOCUMENT OF THE INTERNATIONAL CONFERENCE ON CYBERLAW, CYBERCRIME & CYBERSECURITY

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Syllabus: Cybersecurity Law Seminar. George Mason University Antonin Scalia Law School Spring 2018 Professors Kiran S. Raj & Scott Ferber

IMPORTANT GLOBAL CYBERLAW TRENDS 2017

Is the Best Defense a Good Offense? Christopher T. Pierson, CIPP/US, CIPP/G James T. Shreve, CIPP/US, CIPP/IT

Legal, Ethical, and Professional Issues in Information Security

Cybersecurity, safety and resilience - Airline perspective

Regulating Cyber: the UK s plans for the NIS Directive

DHS Cybersecurity: Services for State and Local Officials. February 2017

Ms. Izumi Nakamitsu High Representative for Disarmament Affairs United Nations

Control Systems Cyber Security Awareness

Cybersecurity in Government

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Achieving a Secure and Resilient Cyber Ecosystem: A Way Ahead

Beyond the United Nations Group of Governmental Experts: Norms of Responsible Nation State Behavior in Cyberspace

Data Breach Preparation and Response. April 21, 2017

A Cross-Sector Perspective on Product Cyber Security

Registry Internet Safety Group (RISG)

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

The Cyber Threat. Bob Gourley, Partner, Cognitio June 22, How we think. 1

Moving from Prevention to Detection March 2017

Resolution: Advancing the National Preparedness for Cyber Security

Standing Together for Financial Industry Resilience Quantum Dawn IV after-action report June 2018

Promoting Global Cybersecurity

RESOLUTION 130 (REV. BUSAN, 2014)

PROTECTING ARIZONA AGAINST CYBER THREATS THE ARIZONA CYBERSECURITY TEAM

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

Water Information Sharing and Analysis Center

Security & Phishing

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

G7 Bar Associations and Councils

NEW INNOVATIONS NEED FOR NEW LAW ENFORCEMENT CAPABILITIES

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Defending Our Digital Density.

Robert Holleyman, President and CEO, BSA The Software Alliance

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

GPS Vulnerability and DHS Mitigation Efforts. David Wulf Acting Deputy Assistant Secretary Infrastructure Protection Department of Homeland Security

The Non-Code Layers of the Cyberstack & the Globalization of Criminal Evidence. Peter Swire IISP: Friday Cyber Lecture October 13, 2017

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

Anatomy of a Data Breach: A Practical Guide for Small Law Departments

PURPOSE STATEMENT FOR THE COLLECTION AND PROCESSING OF WHOIS DATA

New Zealand National Cyber Security Centre Incident Summary

The Republic of Korea. economic and social benefits. However, on account of its open, anonymous and borderless

EU policy on Network and Information Security & Critical Information Infrastructures Protection

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

Japan s Cyber Diplomacy

Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 68/243),

INFORMATION ASSURANCE DIRECTORATE

CYBERSECURITY. The Intersection of Policy and Technology YOU RE HERE TO MAKE A DIFFERENCE ṢM

Transcription:

1 The Promise and Peril of Active Cyber Defense Dr. Irv Lachow Deputy Director, Cyber Strategy and Execution, MITRE August 6, 2018 2017 The MITRE Corporation. All rights reserved.

2 Disclaimer The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.

3 Agenda Active Cyber Defense Primer Policy Issues References ATT&CK Discussion

4 Why Is Active Cyber Defense Important? Governments alone cannot protect the private sector Companies are increasingly capable of taking active steps to defend themselves and are doing so Current legal and policy guidance is "absent, vague or difficult to operationalize." Governments are effectively blocking companies from taking action Two most likely outcomes are undesirable: Companies do nothing Wild West

5 What Does Active Cyber Defense Mean? Center for Cyber and Homeland Security Active defense is a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offensive.the term is NOT synonymous with hacking back. (Emphasis added.) Hoffman and Levite (from Robert Dewar) An approach to achieving cybersecurity predicated upon the deployment of measures to detect, analyze, identify and mitigate threats combined with the capability and resources to take proactive or offensive action against threats DARPA DARPA s Active Cyber Defense (ACD) program is designed to [provide] cyber defenders a home field advantage: the ability to perform defensive operations that involve direct engagement with sophisticated adversaries in DoD-controlled cyberspace.

Examples of ACD Actions 6 Source: CCHS

7 Benefits and Risks of ACD Actions Source: Hoffman and Levite

8 Agenda Active Cyber Defense Primer Policy Issues References ATT&CK Discussion

9 Key Policy and Legal Questions Who can do ACD? What can they do? When can they do ACD? Who is help responsible when? How address int l aspects? How address technical developments?

10 Current Legal Frameworks National laws prevent the bulk of ACD activities Computer Fraud and Abuse Act (CFAA) is most relevant Cybersecurity Act of 2015 allows for the operation of defensive measures within certain constraints International Laws "Formal international treaties have no apparent direct application to the [ACD] questions being considered." Which legal models are most applicable? This lack of guidance needs to be addressed Source: Lachow, CCHS, Rosenzweig

Congress May Change the Game: An Overview of ACDC Act 11 Provides affirmative defense to criminal prosecution for ACD measures focused on: Attribution Disruption Monitoring Intention to use ACD measures must be reported to FBI and can be pre-emptively reviewed by them Caveats: Cannot create a threat to public health and safety or take steps that result in persistent disruption of Internet activity For intermediary computers, ACD measures cannot exceed level of activity needed to gather attribution info, nor can they result in intrusive or remote access.

12 Key Issues Raised Regarding ACDC Act Several key terms are vague Persistent, remote access, threat to public health or safety Does not prevent criminal charges for CFAA violations or address civil suits Does not address ECPA, Wiretap Act, State laws FBI pre-emptive review may make USG responsible for corporate ACD measures and undermine norms Source: Cook

13 Principles-Based Approach (Market Driven) The Concept Create normative principles for ACD behaviors Risk-based Formalized via industry-driven code of conduct Use market-based mechanisms to enforce desired behaviors Insurance industry Civil torts Advantages Relies on incentives to drive behavior Balances risks Adaptable to dynamic environment Challenges Legal authority is still needed Actions can have global consequences Markets sometimes fail Source: Hoffman and Levite

14 Government-Licensed Private Security The Concept: Only authorized firms are allowed to conduct ACD Licensing requirements set by each country Allowed actions would fall short of most aggressive ACD techniques Close cooperation with gov t authorities Advantages Clear limits about allowable actions Lower risk of collateral damage and escalation Improved public-private cooperation Challenges Licensing process Oversight process Coordination across nations State-sanctioned activity Source: Rosenzeig

15 GWU Task Force ACD Policy Framework Fifteen recommended steps for U.S. industry, Executive Branch, and Congress Key themes Define range of acceptable actions that balance efficacy and risk Update legal instruments to reflect balanced approach Work towards global standards across nations Strengthen public-private cooperation Create set of best practices that are promulgated across industry Source: CCHS

16 UK s Government ACD Program: Overview Goal: protect the majority of people in the UK from the majority of the harm, caused by the majority of attacks, for the majority of the time. Led by National Cyber Security Centre Initial focus on public sector customers Close public-private cooperation Program elements Strengthen infrastructure protocols Secure email Take down criminal websites Filter DNS Strengthen identity authentication Source: Levy

17 UK Government ACD Program: Results Takedown service Removed 121,479 unique phishing sites across 20,763 attack groups hosted in the UK. This reduced median availability of a UK-hosted phishing site from 26 hours to 3 hours. Removed 18,067 unique phishing sites across 2,929 attack groups that were pretending to be UK gov t brand. Secure email 10% of gov t domains now use Mail Check service Seeing reduction in number of messages spoofed from @gov.uk DNS Filtering Blocked 134,825 unique DNS queries One in six orgs found security issues to be remedied Source: Levy

18 Key Takeaways Private sector brings key capabilities to the table ACD actions need to balance benefits and risks Legal clarity is needed International aspects may be most challenging Government and industry cooperation is essential

19 Agenda Active Cyber Defense Primer Policy Issues References ATT&CK Discussion

20 Key References Center for Cyber & Homeland Security (CCHS). Into the Grey Zone: The Private Sector and Active Defense Against Cyber Threats (Washington, DC, The George Washington University, 2016). Cook, Chris. Hacking Back in Black: Legal and Policy Concerns with the Updated Active Cyber Defense Certainty Act, November 20, 2017, https://www.justsecurity.org/47141/hacking-black-legal-policy-concernsupdated-active-cyber-defense-certainty-act/. Hoffman, Wyatt and Ariel E. Levite. Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace (Washington, DC, Carnegie Endowment for International Peace, 2017). Lachow, Irving. Active Cyber Defense: A Framework for Policymakers (Washington, DC, Center for a New American Security, 2013). Levy, Ian. Active Cyber Defence One Year On (London, UK National Cyber Security Centre, 2018). Rosenzweig, Paul, Steven P. Bucci and David Inserra. Next Steps for U.S. Cybersecurity in the Trump Administration: Active Cyber Defense, Backgrounder, No 3188 (Washington, DC, The Heritage Foundation, 2017).

21 Agenda Active Cyber Defense Primer Policy Issues References ATT&CK Discussion

22 Questions? Comments? Ideas?

23 ACD Activities Involve Risk Tradeoffs Source: Hoffman and Levite

24 In Theory ACD Risks Can be Quantified Source: Hoffman and Levite

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback