I am a bit of an outlier in the cybersecurity community since I think that there are circumstances in which private actors ought to be allowed to more aggressively respond to intrusions on their systems (though I don’t go “full postal” on the issue). For those who are interested in the subject, I just published a piece at Heritage, co-authored with my colleagues Steve Bucci and David Inserra, entitled “Next Steps for U.S. Cybersecurity in the Trump Administration: Active Cyber Defense.” Here is the abstract:
The failure of the government to provide adequate protection has led many cybersecurity analysts, scholars, and policymakers to suggest that there is a need for private-sector self-help. If the government is unable or unwilling to take or threaten credible offensive actions to deter cyberattacks or to punish those who engage in them, it may be incumbent upon private-sector actors to take up an active defense. In other words, the private sector may wish to take actions that go beyond protective software, firewalls, and other passive screening methods—and instead actively deceive, identify, or retaliate against hackers to raise their costs for conducting cyberattacks. Taking into consideration U.S., foreign, and international law, the U.S. should expressly allow active defenses that annoy adversaries while allowing only certified actors to engage in attribution-level active defenses. More aggressive active defenses that could be considered counterattacks should be taken only by law enforcement or in close collaboration with them.