Recent years have seen sustained calls to “unleash” the private sector to more assertively combat cyber threats. The argument has gained some sympathy in Congress, where Rep. Tom Graves (R-Ga.) recently reintroduced the Active Cyber Defense Certainty Act (ACDCA). As Bobby Chesney summarizes, the act, if passed, would amend the Computer Fraud and Abuse Act (CFAA) to allow private entities, under certain conditions, to engage in defensive measures that intrude into attackers’ networks for purposes of attributing, disrupting or monitoring malicious activity.
Motivating this renewed push for active defense is a growing recognition of the magnitude of the peril that cyberattacks present to the private sector, along with limits on the government’s ability to arrest its growth and bring the perpetrators to justice. As former director of the National Security Agency Gen. Michael Hayden put it, “[T]he cyber cavalry ain’t coming.” However, notwithstanding the benefits of harnessing private-sector expertise to improve cyber defense, the ACDCA is premature and of uncertain efficacy, and is potentially even risky from both domestic and international perspectives. A dual-track approach is therefore essential: The United States should prudently explore acceptable domestic parameters for the practice of private-sector “self-help” in cyberspace and engage other nations to harmonize these standards internationally. The Justice Department can lead such an approach and—by exercising prosecutorial discretion within the limits of existing law—begin to define the scope and parameters for responsible private-sector conduct in this domain.
The reintroduction of the ACDCA has predictably elicited two familiar sets of objections. One is that any effort to create space for more assertive defenses is dangerous; the other i ..
Support the originator by clicking the read the rest link below.
