Active Cyber Defense Operations

Goal:

An operation can aim to mitigate the impact, neutralize a malicious cyber operation or campaign and/or attribute it technically.

Success:

To better estimate the success of the effect, it is crucial to look at the expected goal.

A possible categorization, connected to the frequency of operations, is whether the operation is likely to result in a tactical or strategic success.

In both cases, active cyber defense operations could be labeled during the ex-ante impact assessment.

Type:

If an active cyber defense operation leads to unintended consequences, reversibility ensures damage control.

Whereas the intrusiveness of measures is not necessarily binary but, on a spectrum, it may be useful to divide them into intrusive and non-intrusive methods for operationalizing the framework.

Space:

Blue space is defined as the area within the jurisdiction of the government, including the private sector among others; Green space is defined as IT systems and infrastructure affected in a malicious cyber operation or campaign that are within the jurisdiction of an allied government; Red space is defined in this paper as IT systems and infrastructure used in a malicious cyber activity that is within the jurisdiction of the country in which the operation or campaign originates; Gray space is defined in this paper as IT systems and infrastructure used in a malicious cyber operation or campaign that are not located in blue, green, or red space.

Target:

Concrete target systems and infrastructure must be considered and possibly treated differently, especially if the type of effect is intrusive and non-reversible.

It is crucial to make a clear distinction between critical infrastructure and non-critical infrastructure, treating targets of active cyber defense operations as critical infrastructure if they would be considered critical infrastructure in the nation conducting active defense.

Targeting critical infrastructure with active cyber defense operations should be assessed with utmost care, as it can lead to unintended and even cyber-physical effects and the subsequent risk of escalation.

Government-led agency:

Several types of government actors are considered for the lead agency in active cyber defense operations, including national cybersecurity agencies, federal and state law enforcement agencies, intelligence agencies, and the military.

Considering the effect space, cybersecurity and law enforcement agencies may be appropriate for measures in blue and green spaces, while intelligence agencies may be suitable for measures in gray and/or red spaces.

Cooperativeness:

Cooperation is important, as the risks and resources involved in exchanging information with an affected third party may be lower than attempting to compromise that third party through an active cyber defense operation against their will.

Attribution:

Attribution through technical intelligence and other means plays a major role in implementing active cyber defense measures.

Confidence levels in technical attribution are crucial for several active cyber defense measures, and they may vary from uncertain to proven based on technical, intelligence, and geopolitical evidence.nce.

Time:

The effectiveness of an active cyber defense operation may decrease as more time passes between the incident(s) and the operation.

The timing of active cyber defense operations is crucial to meet necessary self-defense criteria and avoid being seen as pure retribution.

De and escalation:

Several active cyber defense measures carry the potential risk for escalation.

The potential for de-escalation and escalation involves multiple parties and factors, including third parties and the controllability of the active cyber defense measures deployed.

Adhering to proportionality is important to maintain legality and avoid escalation.

Confidence-building measures, such as open communication channels, can help in avoiding escalation and promoting de-escalation.

Automation:
Linked to the question of escalation is the level of automation of an active cyber defense operation.

Increased automation when targeting heterogeneous systems may lead to unintended consequences and loss of control.

How risky an automated process is depends on other criteria, such as the type of effect and the overall picture.

Frequency:
The overall calculation should factor in the frequency of measures needed to achieve the goal.

A one-off operation may be preferable in terms of efficiency and effectiveness.

If repetitions of active cyber defense operations are necessary, other measures such as passive cyber defense or a combination may become more effective and efficient.

Cost:

The costs for an active cyber defense operation in terms of resources are closely linked to the frequency criterion.

The cost of specialized staff time, procurement of tools and exploits, and third-party support from the private sector may make an operation prohibitively expensive or inefficient.

The overall operation may be rendered inefficient and ineffective in achieving the goal based on the costs criterion.

Collateral Consequences:

Collateral consequences go beyond simply referring to accidental consequences, as actions may be taken while it is clear that collateral consequences could occur.

Planners of active cyber defense operations may either expect (and accept or not accept) or not expect collateral consequences.

• One safeguard to be clearly outlined in the warrant and impact assessment is the scope of the operation. It should be as narrow as possible and at least assess whether the targets of an operation are in blue, green, gray or red space.

• Ideally, the scope is limited to blue space, as this normally means directly supporting the targets of a malicious cyber operation or campaign within one’s own jurisdiction, rather than going after the threat actor.

• Adherence to the rule of law is facilitated by having a clear and specific legal framework for active cyber defense operations.

• The legal framework and its elements should be regularly revisited, evaluated and refined in accordance with national sunset clause procedures.

• A formal ex ante impact assessment is essential to weigh the risks, impact, chances and possible consequences of an operation, develop additional options and back-up plans and define circuit breaker conditions.

• Impact assessment is a useful basis for decision-makers and oversight bodies and, therefore, should be a requirement for every active cyber defense operation.

• Active defense operations most likely have extraterritorial implications, touching on sovereign issues of other states. Therefore, a high standard of oversight (ex-ante and ex post) is required and should be enshrined in the legal framework.

• Disseminating, if necessary sanitized, details of active cyber defense operations beyond executive, judicial and legislative authorities allow external experts to independently assess measures and suggest improvements.

• A key aspect of transparency as well as oversight is the auditability, performed by independent auditors, of the operations.

• Some measures, however, especially the more intrusive ones, may require procurement of software including exploits and services.

• Tools and services must be acquired only from third parties, ideally as open source, that are transparently vetted, and which do not conduct any business with governments or other entities that have been reported to conduct unlawful activities and violate human rights with their tools and services.

• Whenever unknown vulnerabilities or exploits are required for an active cyber defense operation, a vulnerability assessment and management should be established beforehand as a safeguard to manage the risks of reverse engineering, exploitation of leaks and/or use against the infrastructure by the threat actors.

• The international law framework for countermeasures seems appropriate for active cyber defense operations in red space, although they may not always qualify as countermeasures or reprisals under international law.

• The framework includes aspects such as the measures should be proportional, have the right timing, be temporary, be non-retributive and require a certain level of attribution.

• Governments leading active cyber defense operations must also be aware that they are contributing to the development of binding customary law.

• Active cyber defense operations should be conducted only if there is a clear public interest in doing so, such as threats to public safety and security (thresholds may include interference with critical infrastructure or a local declaration of state of emergency), meddling with democratic processes or significant economic harm.

• If there is no clear public interest, then other, more passive, measures could be taken to neutralize or mitigate an ongoing cyber operation or campaign.  

• If states consider active cyber defense operations in green, gray and/or red space, the states should set up international confidence-building measures or adapt existing ones for this purpose.

• The minimum viable communication should make sure that the targets of the active cyber defense operation understand ex post that it was a response and, therefore, had defensive intent.

Mitigation

Tactical

Reversible

Intrusive

Blue Space

Non-critical Infrastructure

(Critical Infrastructure)

Law Enforcement

Unknown

Not necessary

During operations of the same campaign

In-between sequential campaigns

(Potential de-escalation)

No change in the escalation cycle

Semi-Automated

One-off

(Periodic)

Low

Not expected

Clearly defined

Non-active-cyber-defense-specific legal framework exists

Unclear; at least an independent technical expert was consulted

Ex ante warrant and ex post notification of targets were required

Public was informed with a sufficient amount of information; auditability is unknown

Unknown process of development/ procurement and testing. Country has a Vulnerability Equities Process.

Not applicable (in the sense of between nations)

Appears to have been in the public interest

Not required (in the sense of international measures)

Mitigation
(Neutralization)

Tactical
(Strategic)

(Reversible)

Intrusive

Blue Space

Green Space

(Gray Space)

Non-critical Infrastructure

(Critical Infrastructure)

Law Enforcement

Unknown

Noncooperative

Not necessary

During operations of the same campaign

In-between sequential campaigns

No change in the escalation cycle

Semi-Automated

One-off

Low

Not expected

Unclear

Applicability of existing non-specific legal framework questionable

Unclear

Ex ante warrant and ex post notification of targets were required

Public was provided with a minimum of information; auditability unknown

Likely implemented

Unknown

Appears to have been in the public interest

Unknown

Mitigation

Tactical

Reversible

Intrusive

Blue Space

Unclear whether critical infrastructure was included

Law Enforcement

Cooperative
Unknown

Proven

In-between sequential campaigns

Potential de-escalation

No change in the escalation

Proportional

Semi-Automated

One-off

High

Not expected

Known Unknown

Clearly defined

Non-active-cyber-defense-specific legal framework exists

Unclear

Ex ante warrant and ex post notification of targets were required

Public was informed with a sufficient amount of information; auditability is unknown

Unknown process of development/ procurement and testing. Country has a Vulnerability Equities Process.

Not applicable (in the sense of between nations)

Appears to have been in the public interest

Not required (in the sense of international measures). However, The FBI also alerted local authorities in other countries to take down Snake infections on compromised machines outside the United States.) and published an in-depth technical report …. To explain why they did it and that it was a response to longlasting, damaging operation.

Mitigation

Neutralization

Strategic

Tactical

Reversible

Intrusive

Blue Space

(unknown)

Non-critical Infrastructure

Law Enforcement

Cooperative

Proven

During operations of the same campaign

No change in the escalation

Manual

One-off

High

Not expected

Clearly Defined

Non-active-cyber defense-specific frameworks exits

Unclear

Ex ante warrant

Public was informed with a sufficient amount of information; auditability is unknown

Unknown process of development

Not applicable

Law Enforcement Agencies in the United States, Germany and the Netherlands took action against infrastructure based in their countries.

Appears to have been in the public interest

Coordination with EU Member States and Five Eye Countries