Can active cyber defense stem cyberattacks?
Over the last year, we have seen a record number of cyberattacks of unprecedented scale, such as SolarWinds, Microsoft Hafnium, and Colonial Pipeline. The severity of these attacks underscores the challenges the government and the private sector face in responding to the rapidly evolving and increasingly dangerous cyber threat landscape. To address these challenges, some commentators and experts have attempted to highlight the potential benefits of the U.S. government allowing the private sector to engage in Active Cyber Defense (“ACD”) or “hacking back” against cybercriminals targeting their companies. The concept of ACD is not new. Supporters and critics of ACD have been debating its merits and effectiveness over the last several years. This article will attempt to provide a summary of the current cyber defense framework, the proposed legal mechanisms to enable the private sector to engage in ACD, the potential positives and negatives of ACD, and the potential impact ACD may have on cyber insurance.
Following the Colonial Pipeline attack, President Biden signed an Executive Order on May 12, 2021 with the goal of improving the nation's cybersecurity and protecting federal government networks. Although the President's broad executive order demonstrates a step in the right direction, it is, by itself, limited in its ability to stop the consistent barrage of cyberattacks facing the private sector. Days after President Biden signed the executive order, JBS, the world's largest meat supplier, was forced to pay $11 million to resolve a ransomware attack that disrupted its business. This attack, along with many other private sector attacks, is a stark reminder that threats in the cyber domain are too vast for a single solution.
Despite government efforts, the private sector is, by and large, on its own when responding to cyberattacks. Furthermore, the private sector is legally limited to taking only defensive cybersecurity actions. As such, some U.S. Congressional Representatives are proposing the enactment of the Active Cyber Defense Certainty Act ("ACDCA"), which attempts to create some exceptions to the Computer Fraud and Abuse Act, the U.S. anti-hacking statute. The ACDCA authorizes companies to hack back against cybercriminals. Supporters of this legislation argue that if the government cannot deter cyberattacks or punish those that engage in them, companies should be empowered to engage in ACD to protect themselves and neutralize threats to their businesses. Supporters further argue that an underground community of cybersecurity firms is already engaged in ACD operations to protect their clients and the ACDCA would help legalize this method of defense.
In addition to the ACDCA, a May 13, 2021 opinion piece in the Wall Street Journal proposed that Congress revive U.S. Constitution Article I, Sec. 8: Letters of Marque and Reprisal, to ensure ACD operations are supervised and conducted safely and responsibly. Historically, the letter of marque served as a “do-it-yourself” authorization, allowing private individuals to retaliate against a foreigner who had caused them an injury. Eventually, governments adopted the concept in the naval domain, where it served as a government license authorizing privateers to attack and capture enemy vessels. Notably, the U.S. deployed Letters of Marque and Reprisal extensively during the War of 1812, when the British Navy outnumbered the U.S. Navy 66 to 1. Privateers empowered with letters of marque successfully weakened the British shipping industry and Britain's ability to wage war. Despite its effectiveness, the U.S. tightly controlled the granting of the letter of marque. Applicants for a letter of marque were required to submit specific details about the ship, crew, owners, and defensive/offensive capabilities to ensure compliance with both U.S. and international law. Additionally, ship commanders were required to keep a daily log of all activities and share it with the government. Grantees of a letter of marque were bound by the operational scope of their specific letters, which included an authorized level of force and territorial scope. Those who violated the scope of their letters were legally bound to make reparations to their victims.
Some supporters of ACD are optimistic that applying the letter of marque in the cyber domain will stem cyberattacks. Supporters propose that a cybersecurity firm retained to defend a company’s computer network from a cyberattack could apply for a letter of marque only after it has established its qualifications, conducted a thorough investigation, and confirmed attribution. The cyber letter of marque would then define the scope and limitations of the cybersecurity firm's ACD operations to ensure proportionality and lawfulness. The goals of the ACD operation would be to stop the cybercriminal’s ongoing exploits, potentially seize and delete any exfiltrated data, and degrade the cybercriminal’s computer network to make it costly for the cybercriminal to continue its malicious activities. The information collected from the operation would then be provided to the government to support public-private information sharing and to improve the U.S. cybersecurity posture. Following the completion of the ACD operation, the cyber letter of marque would expire.
Critics of the ACDCA and the Letter of Marque and Reprisal believe any form of ACD would only lead to an escalation in cyberattacks and create a cyber wild west. Concerning the ACDCA, critics argue that the proposed safeguards limiting who can engage in active cyber defense, and under what scenarios, are vague and impractical. The ACDCA states: “Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computer or resulting in an escalatory cycle of cyber activity.” Critics argue that qualified defenders are not clearly defined, and that attribution is often difficult to determine. Moreover, critics note that the risk of creating a cycle of escalation or causing collateral damage to innocent computer networks is too great regardless of the precautions taken by qualified defenders. Concerning the Letter of Marque and Reprisal, critics echo the criticisms raised against the ACDCA, but further question the ability of cybersecurity firms to guarantee that they are targeting the appropriate cybercriminals, since attribution, which may be difficult to confirm, would be legally required before the issuance of a letter of marque. Furthermore, critics question the ability of cybersecurity firms to hack back without leaving a trail, which is critical in preventing further retaliation and escalation. Finally, critics point out that the Paris Declaration of 1856 prohibits the U.S. from employing privateers.
Supporters of the ACDCA and the Letter of Marque and Reprisal believe that some of these criticisms are without merit and point out that the cyber wild west already exists, and that deputizing companies is an effective way to bring some order to the chaos. Supporters also take the position that the uncertainty over attribution is overstated, highlighting that with advances in technological tools and with enough time, attribution can be ascertained. Furthermore, supporters argue that the limitations and penalties associated with the letter of marque are meant to hold cybersecurity firms to the strictest standard of operational adherence. Practically speaking, cybersecurity firms will be dissuaded from carrying out ACD operations unless they are confident that they won’t run afoul of any laws or cause any collateral damage. Additionally, supporters point out that the U.S. was not a signatory of the Paris Declaration of 1856, which applies only in the naval domain, and that the U.S. never formally banned the use of privateers. As such, supporters argue that the Letter of Marque and Reprisal is constitutionally permissible in the cyber domain. Lastly, supporters point out that the current cyber defense framework is enabling hackers to commit criminal acts with little to no repercussions, while subjecting companies to strict legal requirements and leaving them limited means to defend themselves. Supporters contend that ACD is the only means to level the cyber battlefield.
For better or for worse, if the U.S. were to allow companies to engage in ACD, companies would need to understand how it may potentially impact cyber insurance. If the critics are right and ACD operations lead to an escalation in cyberattacks, then we will continue to see a further hardening of the cyber market, a further reduction in capacity, pullbacks in coverage, unsustainable claims frequency and severity, an uptick in widespread events, and a rise in new exposures not currently contemplated.
If, however, ACD brings about the desired effect of making it more costly for cybercriminals to launch attacks, we may potentially see a decrease in the frequency of attacks, specifically from less sophisticated cybercriminals. This may lead to a reduction in the number of cybercriminal groups, since the barrier to entry for cyberattacks will increase. This may have the positive effect of reducing claims frequency and premiums. With the reduction in claim expenses and premiums, companies can then devote more time and resources to improving their network security posture and defending against widespread events perpetrated by advanced persistent cybercriminals and nation-states. A reduction in the number of cybercriminal groups to contend with may also provide the government and private sector with extra bandwidth to better understand and predict the cyber threat landscape.
Furthermore, if ACD is permitted, insurance carriers may potentially expand coverage and their list of partner vendors to include cybersecurity firms qualified to engage in ACD. Companies can engage these cybersecurity firms to assist with the following: retrieving or deleting data that was exfiltrated from a client’s system; recovering money that cybercriminal groups obtained through social engineering or extortion; and preventing cybercriminals from carrying out extortion threats by covertly retrieving the decryption key from their network or degrading their network to stop the publication of exfiltrated data. All these services will hopefully support the decrease in claims frequency and severity.
The potential decrease in claim frequency and severity, coupled with access to new data collected from ACD operations, may lead to an increase in cyber capacity, which has diminished recently. Insurance carriers will have access to more data and insight about the cyber threat landscape, which could assist with underwriting confidence. This may potentially encourage some legacy insurance carriers to reenter the cyber market and/or result in new entrants offering fresh services and/or expanded coverage. The potential additional capacity offered by insurance carriers could foster competition and innovation to the benefit of cyber insurance purchasers.
As cyberattacks continue to evolve and pose tremendous risks to the government and the private sector, the U.S. cyber defense framework will also be forced to evolve. If ACD becomes available to address and eliminate cyber threats, then companies should be aware of the potential future steps they can take to protect themselves, the proposed mechanisms for taking these steps, the potential positive and negative impact of taking such steps, and the potential effects they may have on their cyber insurance.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.