Thinking Through Active Defense in Cyberspace

Proceedings of the Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options, pp. 327-342, National Research Council, Washington, DC: National Academies Press, 2010

Illinois Program in Law, Behavior and Social Science Paper No. LBSS10-02

Illinois Public Law Research Paper No. 10-11

18 Pages. Posted: 14 Oct 2010. Last revised: 18 Jan 2016

Jay P. Kesan

University of Illinois College of Law

Carol Mullins Hayes

University of Washington - The Information School

Date Written: October 12, 2010

Abstract

In this article, we take a forward-looking approach to the issue of active defense in cyberspace. Active defense typically occurs in the following way: the victim of a cyber attack detects an intrusion, identifies the source of the attack, and sends the data back at the attacker with the goal of interrupting the attack, thereby mitigating the harm to the victim’s system. Building on our earlier work that active defense is socially optimal when accurate technology exists and civil litigation, criminal prosecution, and purely defensive strategies would be ineffective or impractical, we now discuss the domestic and international law implications of permitting active defense and offer recommendations for who should be responsible for active defense and under what circumstances. We recommend further improvement of the current technology available for active defense in order to ensure that any cyber counterstrikes have a strong chance of hitting the attacker. We stress the importance of any active defense regime being compatible with notions of self-defense under international humanitarian law and domestic law, though we reject the common conclusion that the Computer Fraud and Abuse Act could be read broadly to prohibit any sort of activity on the Internet that might cause harm to another computer owned and operated by a private citizen. We also discuss the implications of permitting active defense by private firms and conclude that there may be too many potential harms to permit private firms to engage in active defense in the absence of controlling government oversight. However, the need for a more centralized response to cyber attacks raises the question of whether a government entity should be responsible for conducting cyber counterstrikes, and if so, what legal considerations would arise in the event of government-controlled active defense. 
Additionally, we examine the sort of controls that might be put in place to ensure the protection of oblivious third parties whose compromised computers might be inadvertently harmed by a cyberattack victim’s choice to employ active defense.

Keywords: cyberattacks, cyberdeterrence, active defense, hackback

Suggested Citation

Kesan, Jay P. and Hayes, Carol Mullins, Thinking Through Active Defense in Cyberspace (October 12, 2010). Proceedings of the Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options, pp. 327-342, National Research Council, Washington, DC: National Academies Press, 2010, Illinois Program in Law, Behavior and Social Science Paper No. LBSS10-02, Illinois Public Law Research Paper No. 10-11, Available at SSRN: https://ssrn.com/abstract=1691207

Jay P. Kesan (Contact Author)

University of Illinois College of Law

504 E. Pennsylvania Avenue
Champaign, IL 61820
United States
217-333-7887 (Phone)
217-244-1478 (Fax)

HOME PAGE: http://www.jaykesan.com

Carol Mullins Hayes

University of Washington - The Information School

Box 353350
Seattle, WA 98195
United States
