Thinking Through Active Defense in Cyberspace--Jay P. Kesan and Carol M. Hayes
Pages 327-342

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 327...
... This paper is meant to be forward-looking, addressing the use of self defense in response to cyber attacks, which is currently a controversial topic with a questionable legal status, but this topic is also one which many members of the IT industry find attractive. Cyber attacks, though they generally do not involve bodily harm, are nonetheless very dangerous.
From page 328...
... This paper will first discuss a model that evaluates factors to determine whether and when active defense is the socially optimal solution to address cyber attacks. The focus will then shift to a discussion of the policy considerations implicated by this model.
From page 329...
... , thus must all be found to be unavailable, impractical, or ineffective in order for active defense to be the socially optimal solution. The model further emphasizes the importance of the technology utilized: reasonable effort must be exerted to employ good IDS technology to assist the firm in detecting intrusions, and advanced traceback technology must also be employed to ensure that the victim firm is accurately targeting the hacker.11 The model also anticipates holding counterstrikers liable for damage to innocent third parties, with the expectation that potential tort liability will give firms incentive to not use unnecessary force when engaging in active defense.
From page 330...
... The model promotes a view that the socially optimal solution to the threat of cyber intrusions, in the absence of effective remedies being available through criminal law enforcement, civil litigation, or effective passive defense strategies, is to permit (but not require) parties to act in self-defense when reliable technology can be utilized, subject to potential liability for harm caused to the systems of innocent third parties, whose interests are further protected by making counterstrikes subject to government regulation.
From page 331...
... 22 The reverse traceroute study found that the median accuracy of reverse traceroute was 87%, compared to 75% median accuracy for direct traceroute.23 One additional concern about the technology used in active defense is that the attacker might be spoofing his IP address in order to evade detection. Issues caused by IP spoofing (including harm to third parties)
From page 332...
... The model discussed in Section II sets out a number of factors to consider when determining if active defense is the socially optimal solution. It may be advisable, however, to establish a concrete definition to determine when counterstriking is appropriate.
From page 333...
... As an alternative to entrusting active defense to the private firms who are injured by the initial cyber intrusions, the government (or a government contractor) may also be placed in charge of any counterstrike deemed necessary.
From page 334...
... We also suggest retaining this liability rule if government is responsible for coordinating active defense. If the original liability rule is preserved and firms are still held responsible for harm caused to innocent third parties, on the theory that the government was acting as an agent of the counterstriking firm, that would ensure that firms will not capriciously submit a request to the relevant government agency for counterstrike assistance.
From page 335...
... In addition to constitutional concerns, it is also important to consider the implications of international law. The DOD General Counsel issued an opinion in 1999 stating that the law of war should apply to cyber attacks, and therefore any attacks must be based on the necessity of war in order to avoid potential war crimes charges.28 The law of war includes requirements such as that the attacker must be able to make effective distinction between combatants and noncombatants, that attacks be founded on military necessity, that steps are made to ensure that any collateral damage is proportionate to the military advantage attained from the attack, and that only weapons that can be targeted with precision at combatants may be used.29 There would also be a danger of retaliation or retorsion by governments whose citizens are harmed by cyber counterstrikes executed by the U.S.
From page 336...
... International humanitarian law and the CFAA are thus two areas that must be considered when forming a policy concerning active defense. The CFAA is potentially more prohibitive of the sorts of ...
From page 337...
... A purely private regime, on the other hand, would be undesirable, because the lack of uniformity in software and procedure for active defense indicates that a privately run active defense regime would be unpredictable at best. The importance of the private sector to the future of handling cyber conflicts cannot be underemphasized, however, since the private sector arguably has an interest in addressing vulnerabilities that is at least equal to that of the government.
From page 338...
... IV. EFFECT OF ACTIVE DEFENSE ON THIRD PARTIES Hackers who engage in cyber intrusions generally seek to avoid getting caught, and one method that they use to evade detection is to route their message through other computers on the Internet in order ...
From page 339...
... Using education to reduce the number of potential third parties that can be harmed could potentially ease the implementation of a liability rule as part of a regime designed to permit defensive actions under the appropriate circumstances. Failure to protect their systems appropriately should not render parties ineligible for causes of action, but allowing the neglect of the oblivious intermediaries to decrease the damages owed may be an appropriate compromise to ensure that all firms are provided with the incentive to exercise due care in managing their IT infrastructure.
From page 340...
... V. CONCLUSION In certain circumstances, counterstrikes in response to cyber attacks can be the socially optimal solution.
From page 341...
... In the absence of effective deterrents under international criminal law, a self-help method like active defense offers sufficient deterrence to malicious hacker activity, with the added advantage of possibly mitigating damage to the target of the intrusion. Since there are some situations where the socially optimal solution would be to permit counterstrikes, active defense should not be perpetually prohibited as a matter of policy, but it should be regulated carefully to ensure that counterstrikes are used only in the socially optimal way.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.