Daniel West
Author Note
Contact: dlw79@psu.edu
Running head: ACTIVE DEFENSE IN CYBERSPACE: REVIEW OF TECHNOLOGY 2
Table of Contents
Abstract ........................................................................................................................................... 3
Introduction ..................................................................................................................................... 4
Literature Review............................................................................................................................ 5
Defining the Environment ........................................................................................................... 5
Lexicon ........................................................................................................................................ 7
Barriers to Combating Cybercrime ............................................................................................. 8
Proximity & Difficulties in Attribution ................................................................................. 10
Scale, Scope, & Artificial Intelligence .................................................................................. 14
Defining Active Cyber Defense ............................................................................................ 14
Government Responsibility ................................................................................................... 19
Balancing Civil Liberties & Security .................................................................................... 20
Sovereign and Citizen Self-Defense ...................................................................................... 21
Deconfliction of Cyber Activities Between Friendly Actors ................................................ 22
Proposed Solutions .................................................................................................................... 25
H.R. 4036 Active Cyber Defense Certainty Act ................................................................... 25
Cyber Community Watch Program (The Community Policing Model) ............................... 30
Cyber 9-1-1 ............................................................................................................................ 31
Research Objective ....................................................................................................................... 31
Research Methodology ................................................................................................................. 32
Data Collection Instrument ....................................................................................................... 32
Access to Data Sources and Sampling Techniques ................................................................... 32
Data Collection & Analysis ...................................................................................................... 33
Results ........................................................................................................................................... 34
Conclusion .................................................................................................................................... 44
Limitations and Future Research .................................................................................................. 45
References ..................................................................................................................................... 48
Appendix A ................................................................................................................................... 54
Appendix B ................................................................................................................................... 61
Appendix C ................................................................................................................................... 63
Appendix D ................................................................................................................................... 64
Abstract
Cyber fraud and related cyber-enabled crimes on US citizens and organizations continue
legal and technological obstacles that have been erected by the advent of new technologies and
the growing prevalence of threat actors who exploit those technologies. In response to this
growing problem, elected officials have started discussions on the controversial topic of allowing
citizens and organizations to conduct active cyber defense (ACD) as a means of cyber self-
defense for the exclusive purpose of attributing and disrupting attackers. Policymakers and
defenders must first review the technical and political environment surrounding the proposed
ACD measures before enacting legislation that promotes cyber self-defense through ACD
measures or hacking-back. This study reviews the cyberspace environment and lexicon, barriers
to combating cyber-crime and proposed solutions. The primary objectives of this study are to
determine a total count of supporters, opposers, and undecided for the ACDC Act and to
determine relationships between bill support and opposition, personal and organizational history
of victimization, level of cyber knowledge and experience, age, industry, occupational category
and government employment. Data collection was performed using a survey instrument, and an
analysis was performed to achieve these objectives. The results identified that the majority of
respondents supported the ACDC Act. Among other inferences, the results imply that a
relationship exists between support for the legislation and organizational victimization in critical
industries.
Introduction
Cyber fraud and related cyber-enabled crimes on US citizens and organizations continue
to grow beyond manageability for government resources (United States Congress, 2017). In
2015, the Federal Bureau of Investigation Internet Crime Complaint Center received 288,012
Center, 2015, p. 4). This included 7,838 business email compromise (BEC) complaints totaling
over $263 million in damage, 281 email account compromises (EAC) totaling over $11 million
in damage, and 2,453 ransomware complaints totaling over $1.6 million in damage (Federal
Bureau of Investigation Internet Crime Complaint Center, 2015, p. 10-11). The Department of
Justice, however, only prosecuted 153 of these computer fraud cases in 2015 (United States
Congress, 2017). In response to this growing problem, elected officials have started discussions
on the controversial topic of allowing citizens and organizations to conduct “active cyber
defense” as a means of cyber self-defense for the exclusive purpose of attributing and disrupting
attackers. On October 12, 2017, U.S. Representative Tom Graves and Kyrsten Sinema
introduced H.R. 4036 Active Cyber Defense Certainty (ACDC) Act to the House of
Representatives (United States Congress, 2017). The act amends title 18, United States Code “to
provide a defense to prosecution for fraud and related activity in connection with computers for
persons defending against unauthorized intrusions into their computers, and for other purposes”
Many cybersecurity leaders and experts assert that counter-hacking, which is also
controversially synonymized with “active cyber defense” (ACD), involves “too many variables”
that “make it ineffective and potentially catastrophic” (Iasiello, 2014). Policymakers and
defenders must first review the technical and political environment surrounding the proposed
ACD measures before enacting legislation that promotes cyber self-defense through ACD
measures or hacking-back. This qualitative case study will review the cyberspace environment
and lexicon, barriers to combating cyber-crime, and proposed solutions. Additional data is
collected via a survey instrument from a specific population and analyzed to determine:
1. The total count of supporters, opposers, and undecided for the ACDC Act.
2. The total count of reasons for opposition and support for the ACDC Act.
Literature Review
Cyberspace is a complex global domain consisting of networks, nodes, system data, and
cyber-personas, which are typically described in terms of three layers: the physical network layer,
the logical network layer, and the cyber-persona layer (Chairman Joint Chiefs of Staff, 2013, p. I-2).
The Department of Homeland Security (2014) estimates that “two billion people have at least 12
billion computers and devices, including global positioning systems, mobile phones, satellites,
data routers, desktop computers, and industrial control computers that run power plants, water
systems, and more” (p. 19-20). In cyberspace, actors can conduct a range of cyberspace activities
or actions across physical borders using various cyber-personas that make attribution and a
conduct cyber espionage against other governments (p. 538). In Non-State Actors in Cyberspace
Operations, Sigholm (2013) defines the “main non-state actors in cyber conflict” (p. 11-26). This
includes companies and corporations, ordinary citizens, cyber-activists and hacktivists, cyber
terrorists, script kiddies, cyber insiders, black-hat hackers, patriot hackers, cyber scammers,
organized cybercriminals, cyber espionage agents, and cyber militias as shown in Table 1
Note. Reprinted from “Non-state Actors in Cyberspace Operations,” by J. Sigholm, 2013, Journal of
Military Studies, 4(1), p. 22.
Companies and corporations in cyberspace are “usually thought to be law-abiding entities, as
serious transgressions may lead to sizeable economic sanctions or even personal accountability
for key officials with the organization” (Sigholm, 2013, p. 21). Sigholm (2013) offers evidence
that large international corporations have found “themselves on both sides of the line” with
nation-states during cyber conflict (p. 21). Ordinary citizens are “the most common actors in
cyberspace” utilizing the “Internet for various lawful purposes, such as browsing the web and
Malicious actors “seek to steal financial information, intellectual property, trade secrets, and
other sensitive information from businesses small and large” and “personal and financial
persistent threat (APT) can present one of the greatest challenges to an organization’s
information security program. The book Advanced Persistent Threat, provides an in-depth
discussion on the “advanced persistent threat (APT)” (Cole, 2013). Cole (2013) describes an
commercial entities” (p. 3). The term had been utilized as a code name for intrusions into US
military organizations from Chinese-related actors (Cole, 2013, p.3). However, the term is now
used “to refer to advanced adversaries that are focused on critical data with the goal of exploiting
information in a covert manner” (Cole, 2013, p.3). Mitigating an APT may require the
involvement of external organizations and government agencies that can intervene by publicly
Lexicon
After considering the complexities of cyberspace, it is essential to examine the terms and
definitions that are accepted by cybersecurity subject matter experts (SME) as part of an ever-
expanding lexicon. The book Cybersecurity Lexicon provides a common language for terms
describing activities and actions in cyberspace. Key terms extracted for this study are
(Ayala, 2016, p. 10-89). Cyberspace is “a global domain within the information environment
controllers” (Ayala, 2016, p. 48). A cyber-attack is “an attack, via cyberspace, targeting an
enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously
stealing controlled information” (Ayala, 2016, p. 43). A cyber-attack differs from an intrusion
which is simply “an unauthorized act of bypassing the security mechanisms of a network or
building control system” (Ayala, 2016, p. 89). Ayala (2016) defines a cyber-crime as “any crime
to which a computer or computer technology has been used,” where either the computer is the
target of or the instrument of the crime (p. 46). Within the United States, the authoritative source
of what constitutes a cyber-crime is 18 U.S.C. § 1030, Computer Fraud and Abuse Act (CFAA).
networks for the purposes of causing damage or disruption,” whereas cybersecurity is “the ability
to protect or defend the use of cyberspace from cyber-attacks” (Ayala, 2016, p. 48-49).
Cyber fraud and related cyber-enabled crimes on US citizens and organizations continue
to grow beyond manageability for government resources (United States Congress, 2017). The
ability of malicious actors to operate from anywhere in the world, the linkages between
cyberspace and physical systems, and the difficulty of reducing vulnerabilities and consequences
in complex cyber networks” (p. 39). In 2015, the Federal Bureau of Investigation Internet Crime
Investigation Internet Crime Complaint Center, 2015, p. 4). This included 7,838 business email
compromise (BEC) complaints totaling over $263 million in damage, 281 email account
compromises (EAC) totaling over $11 million in damage, and 2,453 ransomware complaints
totaling over $1.6 million in damage (Federal Bureau of Investigation Internet Crime Complaint
Center, 2015, p. 10-11). The Department of Justice, however, only prosecuted 153 of these
computer fraud cases in 2015 (United States Congress, 2017). These cases were likely
investigated and prosecuted using the traditional “reactive model of law enforcement” that
consists of “identifying a crime, apprehending the perpetrator, and meting out some punishment
of justice” (Jones, 2007, p. 603). This model is well-suited for “traditional, realspace crime” that
is bounded by constraints such as the “laws of physics” which requires “physical proximate to
[the] victim” (Jones, 2007, p. 603). The current strategies employed by law enforcement,
including the reactive approach, are ineffective and ill-suited to prevent or punish cybercrime
which “defies the traditional notions of criminal behavior” and is limited by proximity and scale
in the corporeal world (Jones, 2007, p. 601). Essentially, cyberspace acts as a “force multiplier”
Policymakers have “struggled to close the gap between the technological world and the
legal world” and to overcome obstacles that have been erected by the advent of new technologies
and the growing prevalence of threat actors who exploit those technologies (Jones, 2007, p. 602).
Legislation has already been enacted and measures implemented to address other systemic issues
that inhibit the ability to combat cybercrime, including cyber threat intelligence information
sharing and qualified personnel shortages that are rooted in talent management and educational
deficiencies. Recent legislation includes the Cybersecurity Information Sharing Act, Department
of Homeland Security Workforce Recruitment and Retention Act, Strengthening State and Cyber
Crime Fighting Act of 2017, Cyber Preparedness Act of 2017, Small Business Advanced
Cybersecurity Enhancements Act of 2017, and State and Local Cyber Protection Act of 2017
among others. Although these issues are outside of the scope of this study, they are significant in
painting an accurate depiction of the overall difficulties in combating cybercrime. For this study,
the focus will be on 1) proximity and difficulties in attribution, 2) scale, scope, and artificial
liberties and security, 6) sovereign and citizen self-defense, and 7) deconfliction of cyber
across physical borders using various cyber-personas that make attribution and a proportionate
response through cyber self-defense difficult. Most traditional crimes within the physical world
require physical proximity to the victim (Jones, 2007, p. 610). Law enforcement relies heavily on
spatial and temporal limitations of a crime when attributing a crime to a subject (Jones, 2007, p.
611). Many obstacles can prevent a defender from reliably ascertaining attribution and
“injured state” to seek reparations or self-defense under international law (Payne and Finlay,
1. “digital forensics” which includes “forensics on static data” (e.g. “storage-based and
analysis,” “genetic algorithms,” and “neural networks and support vector machines”),
“attribution through social networks,” and “linking with geopolitical scenarios” (Shamsi
There is also the more “controversial technique” of hacking-back, which is typically executed by
“reversing the attack chain” and exploiting the intermediate systems until the defender reaches
and exploits the attacker (Institute for Defense Analyses, 2007, p. 23). At BlackHat 2013,
Wilhoit (2013) employed a “honeypot” with “the Browser Exploitation Framework (BeEF)” to
gain attributional data on attackers of industrial control systems (ICS) (p. 10). BeEF enabled
Wilhoit (2013) to utilize scripts that exploited (also known as hooking) the browser of an
attacker accessing a web-based Human Machine Interface (HMI) of an ICS (p. 10). This
script downloaded and executed a signed Java applet on the attacker’s system. BeEF’s “physical
location module will retrieve geographical location information based on neighboring wireless
access points” using commands that have been encapsulated within the signed Java applet
(Wilhoit, 2013, p. 10). This geographical location information is more precise than an IP address
Additionally, BeEF obtains “operating system details, number of processors, network interface
card names and IP addresses, [anonymizer use], and other details” (Wilhoit, 2013, p. 10). Wilhoit
(2013) mentions that “several other attribution methods and internal tools were used” on the
honeypot, but he could not “specifically share what these methods are” (p. 10).
the information owner (e.g., an intermediary) that maintains the cyber-persona and transaction
record that links the cyber-persona to a logical identifier (e.g., an IP address) (Jones, 2007, p.
611). Attribution may prove to be an “onerous procedural burden” for victims using the
“traditional legal process” if the attacker is utilizing compromised intermediary systems, cloud-
based infrastructure, and anonymity services that conceal the threat actor's true identity from the
victim and law enforcement, especially across jurisdictional boundaries (Jones, 2007, p. 612;
Huang, 2014, p. 1237). Anonymizers such as The Onion Router (TOR), virtual private networks
(VPN), virtual private servers (VPS), and proxies are frequently utilized by attackers as
intermediate systems or hopping/pivot points to conceal the threat actor’s source IP address.
Payne and Finlay (2017) present one “hypothetical scenario” that demonstrates the complications
in attribution. Essentially, “one state [can] effectively ‘frame’ another by routing cyber-attacks
through systems based within the second state’s territory” (p. 556). In other words, the first state can
use the second state as a hopping point, with or without the second state’s consent or knowledge.
In military cyber jargon, this is known as a false-flag attack and falls under the realm of “cyber
denial, deception (D&D), and counter-deception” techniques that are employed by both nation-state
and non-nation-state actors (Heckman, Stech, Thomas, Schmoker, and Tsow, 2015).
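The attribution limits described above (anonymizer exits and intermediary hops concealing the true source) are easy to see in ordinary server logs. The following is an added example, not code from this study or from any of the works it cites: it parses constructed combined-format access log lines, matches each source address against a constructed stand-in for a Tor-exit/VPN feed (all addresses are from the RFC 5737 documentation ranges), and reports why an address on such a list cannot be attributed to a single actor from the log alone. The function and variable names are the example's own assumptions.

```python
"""Tag web-server requests whose source address is a known anonymizer exit.

Added example; not code from the study or any cited work. The log lines,
the exit-node list and the IP addresses (RFC 5737 documentation ranges)
are all constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed list standing in for a published Tor-exit / VPN / proxy feed.
KNOWN_ANONYMIZER_NETS = {
    "tor-exit":  [ip_network("198.51.100.0/28")],
    "vpn-proxy": [ip_network("203.0.113.64/26")],
}

# Combined-format access log lines, constructed for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jan/2018:10:01:07 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [03/Jan/2018:10:01:09 +0000] "POST /login HTTP/1.1" 401 88 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [03/Jan/2018:10:01:11 +0000] "POST /login HTTP/1.1" 401 88 "-" "curl/7.58.0"
203.0.113.90 - - [03/Jan/2018:10:02:30 +0000] "GET /admin HTTP/1.1" 403 120 "-" "python-requests/2.18"
198.51.100.7 - - [03/Jan/2018:10:03:00 +0000] "POST /login HTTP/1.1" 401 88 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.10 - - [03/Jan/2018:10:03:05 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_source(ip_str):
    """Return the anonymizer category for ip_str, or 'direct' if it is not on the list."""
    addr = ip_address(ip_str)
    for label, nets in KNOWN_ANONYMIZER_NETS.items():
        if any(addr in net for net in nets):
            return label
    return "direct"


def summarize(log_text):
    """Group requests by source IP: category, request count, distinct user agents, failed logins."""
    per_ip = defaultdict(lambda: {"category": None, "requests": 0,
                                  "user_agents": set(), "failed_logins": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than guessing at fields
        entry = per_ip[rec["ip"]]
        entry["category"] = classify_source(rec["ip"])
        entry["requests"] += 1
        entry["user_agents"].add(rec["ua"])
        if rec["req"].startswith("POST /login") and rec["status"] == "401":
            entry["failed_logins"] += 1
    return dict(per_ip)


def attribution_notes(summary):
    """State, per source address, what the IP alone can and cannot tell a defender."""
    notes = {}
    for ip, e in summary.items():
        if e["category"] == "direct":
            # Even a routable address is only the last hop; it may itself be a compromised intermediary.
            notes[ip] = "routable source; still only the last hop, may be a compromised intermediary"
        else:
            notes[ip] = (f"{e['category']} exit; {len(e['user_agents'])} distinct user agents "
                         "behind one address, not attributable to a single actor from the log alone")
    return notes


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, note in attribution_notes(s).items():
        print(ip, s[ip]["category"], s[ip]["requests"], note)
```

Run stand-alone, the script shows three different user agents issuing failed logins from the same Tor-exit address within two minutes; flagging that address for blocking or rate limiting is a reasonable defensive step, but nothing in the log identifies who sits behind it, which is the evidentiary hurdle the text describes. A real deployment would replace the constructed list with a maintained exit-node feed.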
This hypothetical scenario highlights the “importance of attribution” and the dangers of
misattribution which is far more likely in relation to cyber-attacks than to traditional kinetic
attacks (Payne and Finlay, 2017, p. 556). Issues with attribution have both legal and technical
implications. Previous rulings by the International Court of Justice (ICJ) “suggest that the
standard for proof will be commensurate with the seriousness of the allegation” (Payne and
Finlay, 2017, p. 558). To establish legal attribution, the victim state must have “the ability to
satisfactorily answer highly technical questions concerning the origin of a particular attack”
which “requires overcoming significant technical evidentiary hurdles” (Payne and Finlay, 2017,
p. 559-560). During the cyber-attacks on Estonia in 2007, it was reported that the attacks
“originated from at least 177 countries” and “from within Estonia itself” (Payne and Finlay,
2017, p. 560). This lack of attribution prevented the North Atlantic Treaty Organization (NATO)
from helping Estonia to “prepare a lawful response against the attackers” (Shamsi et al., 2016, p.
2886). A threat actor “can work in comparatively small groups or even as individuals” using
“commodity computer systems that can be easily, cheaply, and covertly acquired” and the
complex architecture of the Internet to conduct their attacks (Payne and Finlay, 2017, p. 560).
“inherently the most significant practical obstacle to addressing cyber-attack under public
international law” (Payne and Finlay, 2017, p. 560). Payne and Finlay (2017) propose that
based upon the course of action the victim state chooses to pursue” (p. 566).
the traditional notion of the one-to-one scale of crime” within the physical world (Jones, 2007, p.
613). This allows individual criminals and groups of criminals to overcome the spatial
and temporal limitations of traditional criminal activities while maximizing the effects on a
greater population of victims (Jones, 2007, p. 613). Lastline predicts that cybercriminals will
employ more sophisticated attacks during 2018 by leveraging “artificial intelligence (AI) and
machine learning (ML) powered hacking kits” (Sacoco, 2017, p. 1). The use of AI and ML will
significantly extend the scale and scope of cyber intrusions and attacks while minimizing the
time and personnel constraints that may impede the cybercriminal. Additionally, 2018 is
predicted to bring an increase in hardware-based malware and mobile and Internet of Things
(IoT) intrusions and attacks while defenders continue to battle a continuing increase in traditional
The terms “cyber defense” and “cybersecurity” are often used synonymously. In the article US
Policy on Active Cyber Defense, Flowers and Zeadally (2014) examine two types of cyber
defense: passive cyber defense and active cyber defense (p. 292). Flowers and Zeadally (2014)
define passive cyber defense practices as a four-step model that includes (1) locating invading
code, (2) unplugging affected systems, (3) deploying security patches and solutions to thwart that
particular attack; and (4) applying the patches and solutions system-wide (p. 292). This varies
from the approaches described for active defense which includes “detection and forensics,
deception, and attack termination” with the latter including “denial of service (DoS) attacks
against the attackers” (Flowers and Zeadally, 2014, p. 293). Rosenzweig (2014) states that the
“definition of hack back, is also sometimes called an ‘active cyber defense’” (p. 105). Flowers
and Zeadally (2014), Rosenzweig (2014), and Iasiello (2014) reference the U.S. Department of
Defense Strategy for Operating in Cyberspace (2011) for the following definition of “active
cyber defense”:
Iasiello (2014) defines active cyber defense as “a range of offensive, damaging or destructive
actions, such as counter-hacking, that engage an adversary during or promptly after an initial
cyber attack” (p. 105-106). This definition includes “counter-hacking and technical
countermeasures with weaponized payloads,” but “does not include nonviolent actions such as
diplomatic or economic sanctions” (Iasiello, 2014, p. 106). The definition of active cyber defense
Directorate’s (IAD) view of Active Cyber Defense (ACD) as a “component of the DoD’s overall
approach to defensive cyber operations” that “complements preventative and regenerative cyber-
defense efforts by synchronizing the real-time detection, analysis, and mitigation of threats to
critical networks and systems” (NSA IAD, 2015). This concept extends to “all U.S. Government
and critical infrastructure networks” and is “active within the networks it protects” but is “not
offensive, and its capabilities affect only the networks where they have been installed by network
operators and owners” (NSA IAD, 2015). Kuchler (2015), however, states that “legal or not,
some say hacking back is necessary given the threat” as a form of self-defense (p. 2).
George Washington University's Center for Cyber and Homeland Defense issued a report
that “calls on Congress and the federal government to take a series of steps to clarify what
private companies can do under the [2015 Cybersecurity Act] to improve their active
cybersecurity defenses” (Curran, 2016, p. 2). The report, Into the Gray Zone: Active Defense by
the Private Sector against Cyber Threats, states that active cybersecurity defenses “should not be
synonymous with ‘hacking back’ against an attacker” (Curran, 2016, p. 2; Center for Cyber &
Homeland Security, 2016, p. 8). A thorough examination of the origin of the term ‘active
defense’ and its application within cyberspace reveals the term’s controversial and conflicting
definitions (Center for Cyber & Homeland Security, 2016, p. 6). This “lack of common
definition complicates discussion surrounding active defense and precludes meaningful progress
on developing a commonly understood framework for its implementation” (Center for Cyber &
Legal ambiguity forces organizations to adopt “passive, reactive postures on their own
networks” rather than the “full range of defenses” against unknown attackers (Huang, 2014, p.
1223-1229). Some US organizations have utilized active defense measures due to a lack of
“essential to deterrence and prevention” (Center for Cyber & Homeland Security, 2016, p. 18).
In 2010, Google responded to the ‘Operation Aurora’ attack by Chinese actors by using active
defense measures to gain access to a Taiwanese server that had been used to perpetrate attacks on
Google servers (Huang, 2014, p. 1248). Google “collected information about the nature of the
attacks, the perpetrators of the attacks, and other victims of the attacks” (Huang, 2014, p. 1248).
Although Google likely committed an offense under the CFAA, the Department of Justice has
not prosecuted any company, including Google, who has engaged in active defense measures,
although the DOJ has expressed that it has the authority to prosecute those that utilize active
defense measures (Center for Cyber & Homeland Security, 2016, p. 14-17; Huang, 2014, p.
1249).
The Center for Cyber & Homeland Security at The George Washington University (2016)
“defines active defense as activities covering technical interactions between a defender and an
attacker, operations that enable defenders to collect intelligence on threat actors and indicators on
the Internet, and other policy tools including sanctions, indictments, and trade remedies that can
modify the behavior of malicious actors” (p. XI). Huang (2014) states that measures must be
“proportional to the threat and will restrain harmful or unlawful actions” (p. 23). The Center for
Cyber & Homeland Security (2016) provided “Figure 2. Active defense: The gray zone (2016)”,
“Figure 3. Active defense techniques defined (2016)”, and “Figure 4. Where active defense
Note. Reprinted from “Into the gray zone: The private sector and active defense against cyber threats,” by the Center
for Cyber & Homeland Security, 2016, the George Washington University, p. 10.
Note. Reprinted from “Into the gray zone: The private sector and active defense against cyber threats,” by the Center
for Cyber & Homeland Security, 2016, the George Washington University, p. 11.
Note. Reprinted from “Into the gray zone: The private sector and active defense against cyber threats,” by
the Center for Cyber & Homeland Security, 2016, the George Washington University, p. 13.
The following list summarizes the considerations recommended by the Center for Cyber &
Homeland Security (2016) and Huang (2014), before utilizing active cyber defense measures:
Spatial (location)
Escalatory responses
Proportionality
Precision of techniques
Information sharing
Graves (2017) reiterated multiple times that “it’s not the Wild West” and “guard rails are in
Government Responsibility
The government’s inability to manage threats to U.S. citizens and organizations within
cyberspace is “unacceptable and if left unchecked, the trend in cyber crime will only continue to
deteriorate” (United States Congress, 2017, p. 2). Rooted deep in the theories of philosophers
such as John Locke, the United States Constitution appoints the United States Government
(USG) with the duty to protect the inalienable rights to life, liberty, and the pursuit of happiness
of its citizens (Heyman, 1991, p. 508-571). Article IV, Section 4 of the United States
Constitution states that the United States shall protect each [state] against invasion. In
cyberspace, the inalienable rights of U.S. citizens and organizations are encroached upon by
foreign and domestic invaders every second of every day, requiring a balanced response of
sovereign self-defense and citizen and organization self-defense. However, Huang (2014) states
that the “government cannot be expected to deter cyber attackers targeting U.S. public and
private sector interests everywhere” due to “limited resources and available personnel” (p. 18-
23). This is particularly true when the private sector continues to “outbid the government for
The federal government is focused on threats to national interest. However, the “sum of
the impacts” of attacks on the private sector can lead to detrimental harm to the economy and
national security (Huang, 2014, p. 25). In an interview on The Cyberlaw Podcast, United States
Representative Tom Graves (2017) stated that the “NSA has their hands full with national
security…type issues and the private sector has been left on their own” (Graves, 2017). Graves
(2017) acknowledged that “DHS has a budget for protecting the entire civilian sector that is less
than the top four banks are spending to protect” (Graves, 2017). Graves (2017) adds that the
(Graves, 2017).
Although it is a highly convoluted topic and was not mentioned in reviewed literature, it
is important to note that the government’s inability to provide adequate protection of citizens and
activities and civil liberties, which has been impacted by recent incidents involving Edward
Snowden and the National Security Agency (NSA) (Marguiles, 2017, p. 459). Unfortunately,
finding the right balance between security and the “protections for our citizens” is difficult
Cybersecurity, Infrastructure Protection, and Security Technologies, 2013, p. 1). The United
States Congress House Committee on Homeland Security (2013) states that “no one should
mistake the common cause of securing our homeland for authority to violate the civil liberties of
Americans” (p. 3). Lucas (2017) states that part of the tension between privacy and security is
“an alleged right of anonymity (a demand for lack of accountability that is completely distinct
from either privacy or personal liberty)” in cyberspace (Lucas, 2017). Privacy safeguards impact
Interestingly, those that advocate for privacy “fail to fully acknowledge that cybersecurity threats
Citizen and organization self-defense is a convoluted topic, given that the international
originating from outside of a nation’s borders. Although proposed ACD measures are focused on
unforeseen reactions, including damage to intermediary or adversary systems, which could result
the definition of an armed attack in cyberspace has not been agreed upon by the whole of the
international community. Payne and Finlay (2017) discuss a nation’s right to self-defense as
outlined by United Nations Charter Article 51, notably that the “right to self-defense is
implicated only in the event of an armed attack” (p. 541). There is not an “established definition
of ‘armed attack’ in the Charter or elsewhere in treaty law” and thus “its meaning is determined
by custom” (Payne and Finlay, 2017, p. 541). The ICJ “has repeatedly emphasized” that an “act
necessity including an “aspect of immediacy” and proportionality requiring “that the response
involve ‘nothing unreasonable or excessive’” (Payne and Finlay, 2017, p. 541-543). A victim
state could establish “that the cyber-attack was a breach of international law” by characterizing
“cyber-aggression” as a “use of force in breach of the Charter” (Payne and Finlay, 2017, p. 545).
method to “determine that a cyber-attack has exceeded the threshold necessary to be ‘force’”
(Payne and Finlay, 2017, p. 545). In the case of an attack such as Stuxnet, “it is unclear what
form of response would constitute a meaningful act of self-defense” (Payne and Finlay, 2017, p.
554). A subsequent section of this study will address the topic of citizen and organization cyber
self-defense through the use of “active cyber defense” for attribution purposes as part of the
within cyberspace. This is especially true when the possibility exists for states to “be held
indirectly responsible for the acts of private individuals that breach international law, even when
there is no causal link between an action of the state and that breach” (Payne and Finlay, 2017, p.
559). The government would need to deconflict cyber self-defense activities conducted by
private U.S. organizations and individuals. There are several policies and strategies that define
the government’s approach to cyberspace operations and cybersecurity of the Nation (Crowther
and Ghori, 2015, p. 76). Three Federal agencies share prominence and have overlapping
Security (DHS), Department of Justice (DOJ), and Department of Defense (DOD) (Crowther and
Ghori, 2015, p. 76). DHS “coordinates the national protection, prevention, and mitigation of and
recovery from cyber incidents; disseminates domestic cyber threat and vulnerability analysis;
protects critical infrastructure; secures Federal civilian systems (the dot.gov domain); and
investigates cyber crimes under its jurisdiction” (Crowther and Ghori, 2015, p. 76). DHS
“essentially sees itself as facilitating the cyber neighborhood watch for the United States”
(Crowther and Ghori, 2015, p. 77). The Department of Homeland Security’s National
Cybersecurity and Communications Integration Center “serves as a focal point for coordinating
cybersecurity information sharing with the private sector; provides technical assistance, onsite
situational awareness capability that includes integrated, actionable information about emerging
trends, imminent threats, and the status of incidents that may impact critical infrastructure; and
coordinates the national response to significant cyber incidents affecting critical infrastructure”
(Department of Homeland Security, 2014, p. 85). The NCCIC is essential to enabling DHS
disrupt and defeat cyber criminals, prioritize the recruitment and training of technical experts,
develop standardized methods, and broadly share cyber response best practices and tools”
The DOJ “investigates, attributes, disrupts, and prosecutes cyber crimes; has the lead for
domestic national security operations; conducts domestic collection, analysis, and dissemination
of cyber threat intelligence; supports the national protection, prevention, mitigation of, and
recovery from cyber incidents; and coordinates cyber threat investigations” (Crowther and Ghori,
2015, p. 78). The Federal Bureau of Investigation (FBI) “leads the National Cyber Investigative
Joint Task Force (NCIJTF) as a multi-agency national focal point for coordinating, integrating,
and sharing pertinent information related to cyber threat investigations in order to determine the
identity, location, intent, motivation, capabilities, alliances, funding, and methodologies of cyber
threat groups and individuals” (House Judiciary Subcommittee on Crime, Terrorism, and Homeland
Security hearing, 2010, p. 4). The DOD “secures the Nation’s freedom of action in cyberspace
and helps mitigate risks to national security resulting from America’s growing dependence on
cyberspace” (Crowther and Ghori, 2015, p. 79). The DOD’s “specific mission sets include
directing, securing, and defending DOD Information Network (DODIN) operations (including
including indications and warning; and providing support to civil authorities and international
partners” (Crowther and Ghori, 2015, p. 79). By working together, these federal agencies “foster
a secure and resilient cyberspace that protects privacy and other civil liberties by design;
supports innovation and economic growth; helps maintain national security and public health and
safety; and supports legitimate commerce” (Department of Homeland Security, 2014, p. 40-41).
outside of the physical borders of the United States present additional complications within the
international political spectrum. Many nation states have unique views on how activities in
cyberspace should be conducted. The views of NATO countries are presented in The
International Conference on Cyber Conflict and the Tallinn Manual (Schmitt and NATO
CCDCOE, 2017) and views from other countries (e.g., Russia, China, Iran, and North Korea) are
Strategies of Major Economies (Kshetri, 2016) and Chinese Cybersecurity and Defense (Ventre,
2016). The United Kingdom, France, Estonia, and Israel also have their views concerning active
defense (Center for Cyber & Homeland Security, 2016, p. 45). Although a thorough review of
each country’s policies is not discussed in this study, it is important to note that each country’s
Proposed Solutions
Federal and SLTT government agencies to combat cybercrime “ex-ante” instead of “ex-post”
(Jones, 2007, p. 615). Unfortunately, prevention is not a total solution and dedicating unlimited
solutions have been proposed to target the causes of the previously mentioned problems.
On October 12, 2017, U.S. Representatives Tom Graves (R-GA-14) and Kyrsten Sinema
(D-AZ-9) introduced the bipartisan H.R. 4036 Active Cyber Defense Certainty (ACDC) Act to
the House of Representatives (United States Congress, 2017). The act amends title 18, United
States Code “to provide a defense to prosecution for fraud and related activity in connection with
computers for persons defending against unauthorized intrusions into their computers, and for
other purposes” (United States Congress, 2017). Untimely responses to cybercrimes by law
enforcement (LE) have led to fewer prosecutions, resulting in a decrease in deterrence and an
increase in threat activity (United States Congress, 2017, p. 2). Cybercriminals have continued to
develop new tactics, while the Federal government has been unable to reform current law to
allow “new cyber tools and deterrence methods for defenders” (United States Congress, 2017, p.
2). U.S. citizens and organizations should always report cybercrime to LE and seek to improve
defensive measures first (United States Congress, 2017, p. 2). However, Federal agencies must
prioritize cyber incidents of national significance, while also being more responsive to reports of
cybercrime from individuals and organizations (United States Congress, 2017, p. 3).
When properly utilized, active cyber defense (ACD) measures can assist in improving
defenses and deterring threats (United States Congress, 2017, p. 3). ACD can also be used by
defenders within the “dark web” to return “private property such as intellectual property and
financial records” (United States Congress, 2017, p. 3). The bill defines ACD measures as “any
authorization the computer of the attacker to the defender’s own network to gather information”
that “establishes attribution”, “disrupts continued unauthorized activity against the defender’s
own network”, or “monitors the behavior of an attacker to assist in developing future intrusion
prevention or cyber defense techniques” (United States Congress, 2017, p. 6-7). This does not
injury or financial loss”, “[creating] a threat to the public health or safety”, “exceeding a level of
the persistent cyber intrusion”, “intrusive or remote access into an intermediary’s computer”,
used by or for a Government entity for the furtherance of the administration of justice, national
defense, or national security” (United States Congress, 2017, p. 7-8). Note that the previously
discussed method of attribution, hacking-back, was typically executed by “reversing the attack
chain” and exploiting the intermediate systems until the defender reaches and exploits the
attacker (Institute for Defense Analyses, 2007, p. 23). The “distinction between attributional
technology and active cyber defense measures” aims to end “legal and technical arguments”
(Forscey, 2017). Ultimately, it paves the way for “innovation in attributional techniques by
removing the cloud of potential criminal charges” over defenders “who utilize active cyber
defense measures” (Forscey, 2017). It seems that the attributional methods previously described
by Wilhoit (2013) using BeEF would be permissible under this exemption (p. 10). The definition
of active cyber defense within the bill seems to follow the disputed definition that Flowers and
Zeadally (2014), Rosenzweig (2014), and Iasiello (2014) reference from the U.S. Department of
Following the laws of other nations when conducting ACD is on the onus of “qualified
defenders with a high degree of confidence in attribution” (United States Congress, 2017, p. 4).
The bill does not define the educational requirements, nor does it state the required licensing and
credentialing of a qualified defender. The Center for Cyber & Homeland Security (2016)
recommends that the government “grant licenses to certain cybersecurity companies that would
allow them to engage in limited active defense techniques” (p. 28). Graves (2017) states “that he
would not recommend anyone who is not trained to attempt to leave their system and engage in
some sort of attribution attempt outside of their system.” Those who were to do so and “caused
harm or damage or something to somebody else’s even if it is an attacker system, they would be
accountable under current law” (Graves, 2017). Instead, Graves (2017) recommends that an
organization “hire a company to help protect them when it is occurring”. The defender must
“avoid impacting intermediary computers” and causing an “escalatory cycle of cyber activity”
(United States Congress, 2017, p. 4). The term “impact” is not defined regarding denial,
Huang (2014) recommends the implementation of a deputation scheme by the government that
The bill states that the purpose of the Act is to “provide legal certainty by clarifying the
type of tools and techniques that defenders can use that exceed the boundaries of their own
computer network” (United States Congress, 2017, p. 4). Unfortunately, updates to legislation
may not be as rapid as changes to tools, tactics, techniques, and procedures utilized by defenders
as a result of changes in tools, tactics, techniques, and procedures employed by attackers. Since
January 1, 2017, the 115th Congress has passed 130 bills into law. This averages out to 156 days
from bill introduction to law, a minimum of one day from bill introduction to law, and a
maximum of 411 days from bill introduction to law (see “Appendix D: 115th Congress Average
Days from Bill Introduction to Law” for queried data). The bill should delegate the responsibility
of clarifying the types of tools and “procedures” that defenders can use to the NCIJTF, while
maintaining that the bill prescribes the “tactics” and “techniques” in accordance with the
definitions of the terms “tactics”, “techniques”, and “procedures” outlined in Joint Publication 1-
02: Department of Defense Dictionary of Military and Associated Terms (Chairman Joint Chiefs
The bill provides an exception to Section 1030 of Title 18, United States Code, to allow
States Congress, 2017, p. 4-5). The “program, code, or command” can be copied or removed
from the computer of the defender to an unauthorized user; this code cannot impair the “essential
operating functionality or create a backdoor in the attacker’s computer system” (United States
Congress, 2017, p. 5). Attributional data includes “any digital information such as log files, text
strings, timestamps, malware sample, identifiers such as usernames and Internet Protocol
addresses and metadata or other digital artifacts gathered through forensic analysis” (United
States Congress, 2017, p. 5). The bill also provides an exception to Section 1030 of Title 18,
United States Code, to allow defenders to utilize ACD measures (United States Congress, 2017,
p. 5). This, however, “does not prevent a United States person or entity who is targeted by an
active defense measure from seeking a civil remedy, including compensatory damages or
Defenders are required to notify and receive a response from the NCIJTF before using an
ACD measure (United States Congress, 2017, p. 9). The notification is required to include
information about the “type of cyber breach,” “intended target of the ACD measure,” evidence
preservation plans, damage prevention plans, and all other information required by the FBI
(United States Congress, 2017, p. 9-10). This notification may be submitted in advance for
review and assessment by the FBI and other agencies for conformance to law and for technical
improvement (United States Congress, 2017, p. 10). The FBI will have the authority to prioritize
requests based on “the availability” of resources (United States Congress, 2017, p. 10).
Defenders should keep in mind that this process of deconfliction with the FBI could be
met with untimely responses, which was one of the founding Congressional findings that form
the basis for the necessity of this bill (United States Congress, 2017, p. 2). This is also
counterproductive to the “real-time detection, analysis, and mitigation of threats” as defined
in the NSA IAD’s definition of ACD (NSA IAD, 2015). Huang (2014) states there are
revolve around the government’s lack of resources (p. 1257). If responses to requests for ACD
measures to the FBI are untimely (that is exceeding a predefined threshold of what is considered
real-time and effective in mitigating a threat), it will significantly affect the ability of defenders
cyberspace. If this is not addressed, it may undermine the overall effectiveness of the bill. The
bill also requires that the DOJ deliver a report “detailing the results of LE activities pertaining to
cybercriminal deterrence for the previous calendar year” covering the eight items described within the bill
(United States Congress, 2017, p. 11-12). This bill will require that the FBI create a “pilot
program to last for 2 years after the date of enactment of this Act, to allow for a voluntary
preemptive review of active defense measures” (United States Congress, 2017, p. 10).
One alternative presented by Jones (2007) is the idea of a “virtual neighborhood watch”
which he conceptualized from the community policing model (p. 601). For this study, this
concept will be discussed regarding a cyber community watch. Within cyberspace, a community
can revolve around a “virtual place (eBay),” a physical place (“realspace”), a “concept
(Maoism),” or even a “sport” (Jones, 2007, p. 618). The concept of a cyberspace community has
broadened since Jones (2007) wrote his original paper. Social media has “emerged as the
defining trend in the last decade” and it “continues to restructure communication and interactions
between individuals, communities, government, and businesses” (Heggde & Shainesh, 2018, p.
V).
The concept of community policing has been around since the 1970s and 1980s to
combat crime “plaguing America’s inner cities” (Jones, 2007, p. 615). This concept is founded
upon the “notion that even high crime communities are composed of a majority of law-abiding
citizens” (Jones, 2007, p. 616). Strategies include “community building events” and
“stewardship” that “calls on citizens to view themselves as responsible for the welfare of the
larger community” (Jones, 2007, p. 616-617). The goal is to “increase the cost of committing
Cyber 9-1-1
Literature that discussed a “cyber 9-1-1” was not available. However, this concept
revolves around a cyber-focused implementation of the 911 system. The 911 system “was
designed to provide a universal, easy-to-remember number for people to reach police, fire or
emergency medical assistance from any phone in any location, without having to look up
specific phone numbers” (911.gov, 2018). The Department of Homeland Security has a
Reporting a Cybercrime Complaint Tip Card that lists US-CERT.gov, FTC.gov, IC3.gov, and
However, there does not appear to be a centralized, universal, timely, easy-to-remember point of
contact for people to reach assistance for cyber-related crimes from any device in any location.
Research Objective
Although barriers and solutions to combating cybercrime have been identified and
thoroughly analyzed by large technology firms, academic institutes, and parts of the federal
government, there are still some unknowns regarding support and opposition to the proposed
solutions. Before conducting this research, the author notes that there was strong opposition to
the ACDC Act within the author’s LinkedIn network. The primary objective of this research
study is to identify the relationships between support and opposition to the proposed solutions
and various demographics. The data collected during this research was used to answer the
primary research question. “How many and what types of individuals and organizations support
or oppose active cyber defense measures by US citizens and organizations (e.g., cyber
Research Methodology
from a large and diverse population. Thus, a quantitative method was adopted for data collection
and analysis. This was orchestrated through the use of an electronic survey instrument that was
designed, developed, and distributed to increase the potential number of respondents, and
increase the number of data points available for further analytics. Specifically, the survey
questions will determine a percentage of individuals who support and oppose counter-hacking
The types of data collected throughout this survey included a count of support and
opposition for the ACDC Act, support and opposition for alternative solutions to combating
cybercrime, and basic demographic data. Formatting of questions included single answer
multiple choice, multiple answer multiple choice, and manual text entries. Additionally, the
questions covered topics including history of victimization (work and personal), the cause of
opposition and support, the likelihood of engaging in “active cyber defense” if legalized,
experience.
The survey leveraged existing relationship networks, with a strong emphasis on The
Pennsylvania State University World campus community. The survey was distributed to all
graduate students attending The Pennsylvania State University World Campus. The results of the
survey demonstrate the diverse demographics of the respondents. A separate survey was also
distributed to the author’s LinkedIn network consisting of over 1,000 professional connections
within the various industries, academia, and government. Four separate LinkedIn posts were
distributed using colorful, eye-catching word clouds that were generated using all of the words
from a draft of this research paper. Collectively, these posts had over 900 views based on
LinkedIn analytics (see Appendix B). The results, however, were excluded from the results as
Qualtrics was utilized to develop, collect, and report quantitative survey data
obtained from the respondents. Although students do not have access to send electronic survey
invitations to an entire e-mail distribution list, a list of two-letter combinations (Aa-Zz) was used
to fuzz the names of all students within the ALL students group. The students were then sent the
invitation to participate in the electronic survey. The survey responses are stored in Qualtrics’
proprietary database, which allows the survey administrator to export data into various formats,
including comma-separated value (CSV) files that can be imported into Excel and Minitab.
Minitab was utilized to gather counts of support/opposition/undecided for the ACDC Act,
organizational use, government vs. citizen responsibility, and government vs. organization
and experience, and the likelihood of engaging in “active cyber defense” if legalized.
Results
Data collection occurred during the period of March 7, 2018, through March 26, 2018. In
total, there were 66 respondents who addressed the questions included in the data collection
instrument. However, after analyzing the Qualtrics metadata, it was noted that 17 respondents
did not complete the survey. Progress rates for these respondents included 26% (5 respondents),
9% (5 respondents), and 0% (7 respondents). All answers associated with these individuals were
removed from the total population. This resulted in 49 respondents for which data analytics
could be performed.
The majority (59%) of the respondents were between 35 and 49 years of age as depicted in
“Figure 5. Age of respondents”. The majority (35%) of the respondents worked in the
Information Technology Services industry, followed by Aerospace and Defense (12%), Other
(12%), Financial Data Services (8%), and Healthcare (8%; subcategories combined) as shown in
“Table 2. Industry of respondents”. The majority (73%) of the respondents categorized their
respondents”.
Demographic: Age
of Respondents
After reading an abstract of the Active Cyber Defense Certainty (ACDC) Act, the
respondents were asked to determine their view of the legislation as “support,” “oppose,” or “not
respondents either supported (45%) or were undecided (45%) with the remaining 10% opposing.
Cross-tabulation of bill support with other variables yielded exciting results. The majority (63%)
of respondents who supported the ACDC Act had not, to their knowledge, personally been the
of victimization (personal)”. The majority (41%) of respondents did report that their
government employees, which represented 24% of the total respondents, supported the
employment”. The cross-tabulation of age range with support, oppose, and undecided responses
yielded the following as shown in “Figure 7: Cross-tabulation of bill support/opposition with age
group”:
[Pie chart of respondents’ view of the ACDC Act: Support 45%, Undecided 45%, Oppose 10%]

Cross-tabulation of bill support/opposition with history of victimization (personal):

Variables    No    Yes
Support      14      8
Oppose        4      1
Not Sure     19      3

[Figure 7 bar chart: cross-tabulation of bill support/opposition with age group (25-34, 35-49, 50-64); count axis 0 to 30]
technology (16%), other (10%), financial data services (6%), healthcare (4%), education (4%),
construction / farm equipment (2%), and aerospace and defense (2%) industries as depicted in
“Figure 8. Cross-tabulation of bill support and opposition with industry”. Of the total
government and public administration (4%), other (4%), finance (2%), education and training
(2%), business management (2%), law, public safety, and corrections (2%) occupational
occupational category”.
and practical experience. “Table 7. Cross-tab bill support/opposition with cyber knowledge” and
“Table 8. Cross-tab bill support/opposition with practical cyber experience” reveal the following:
Table 7. Cross-tab bill support/opposition with cyber knowledge.

Variables   No cybersecurity   Average     Knowledgeable   Some cybersecurity   Very
            knowledge          knowledge                   knowledge            knowledgeable
Support     3*                 5           6               3                    8
Oppose      0*                 0           2               0                    3
Not Sure    2*                 6           12              2                    2
*Value added

Table 8. Cross-tab bill support/opposition with practical cyber experience.
Respondents were asked to select (all that apply) from a list of justifications for their
support or opposition to the legislation. Respondents that elected to oppose the legislation
difficulties in approving active [cyber] defense measures through Federal agencies (60%), and
possibilities of an escalated response from the attacker[s] (80%) contributed to their decision as
depicted in “Table 9. Total count of opposition reasons”. One manual entry to “other” was also
provided: “botnets and other command and control situations utilize third-party machines, and
ACD would be an invasion of privacy, and probably a slew of other legal issues.” This response
Respondents that elected to support the legislation reasoned that defensive measures alone will
not curb cyber threats (86%) and citizens and organizations have the right to self-defense (82%)
contributed to their decision as depicted in “Table 10. Total count of support reasons”. One
manual response to “other” was also provided: “more information about attackers will help law
enforcement more effectively combat attackers.” This response could be interpreted literally.
Table 9. Total count of opposition reasons.

Variables                                                                          Count
Difficulties in attribution                                                          4
The possibility of collateral damage                                                 4
Difficulties in approving active [cyber] defense measures with Federal agencies      3
The possibility of an escalated response from the attacker                           4
Other (respondent provided):
  Botnets and other Command and Control situations utilize third-party machines,
  and ACD would be an invasion of privacy, and probably a slew of other legal issues.  1

Table 10. Total count of support reasons.

Variables                                                                          Count
Defensive measures alone will not curb cyber threats                                19
Citizens and organizations have the right to self-defense                           18
Other (respondent provided)                                                          1
  More information about attackers will help law enforcement more effectively
  combat attackers                                                                   1
Respondents were asked to provide the likelihood that their organization/employer would
engage in the ACD measures outlined in the legislation as depicted in “Figure 10. Total count of
the likelihood of organizational use”. The majority (31%) of respondents reported that it was
“likely” that their organization would engage in ACD measures with the remainder reporting that
they were unsure (25%) or that it was unlikely (20%), highly unlikely (10%), and highly likely
(8%).
[Figure 10 pie chart, total count of the likelihood of organizational use: 31%, 25%, 20%, 10%, 8%, 6%]
All respondents were asked to select (all that apply) the parties that they felt were
responsible for protecting citizens and organizations in cyberspace as depicted in “Figure 11.
Total count of responsible parties”. The majority (80%) of respondents reported that they felt
that the Federal government was responsible for protecting individual citizens in cyberspace.
This was followed by SLTT government (74%), myself/individual (69%), and undecided (4%).
The majority (78%) of respondents reported that they felt that the Federal government was
responsible for protecting organizations in cyberspace. This was followed by the organization
Finally, all respondents were asked to select (all that apply) alternative
programs/solutions to the legislation that they would support. No descriptive information was
provided to respondents for these programs/solutions. The majority (71%) supported increasing
resources available to Federal agencies that handle cyber cases as depicted in “Table 11. Total
count of alternative programs selected”. Other responses included increasing resources available
to SLTT governments (59%), a cyber 9-1-1 program (57%), community cyber neighborhood
watch programs (45%), and other (6%). One manual entry stated that they would like to see
“increased education to organizations and individuals to build ACD skills and tools.”
Table 11. Total count of alternative programs selected.

Variables                                                                          Count
Community cyber neighborhood watch programs                                         22
Increasing resources available to Federal agencies that handle cyber cases          35
A cyber 9-1-1 program                                                               28
Increasing resources available to SLTT governments                                  29
Other (respondent provided)                                                          3
  Increased education to organizations and individuals to build ACD skills and tools 1
Conclusion
Based upon the results, the majority of respondents supported the ACDC Act, which was
contrary to anecdotal observations of discussions on LinkedIn opposing the ACDC Act. The
majority of respondents reported that their organization/employer had been the victim of a cyber-
crime, although the majority of respondents had not personally been the victim of cybercrime.
This supports the hypothesis that a relationship between support of the legislation and history of
equipment, and aerospace and defense industries. Interestingly, the Verizon 2017 Data Breach
Investigations Report Executive Summary illustrates that victims of breaches in 2017 affected
financial organizations (24%), healthcare organizations (15%), public sector entities (12%), and
retail and accommodation (15%) (Verizon Enterprise Solutions, 2018, p.2). This implies that
there may be a relationship between organizational victimization in these industries and support
All of the respondents opposing the legislation reported that they were knowledgeable
and had practical experience in cybersecurity. However, the majority of supporters and those
who were undecided also had knowledge and experience in cybersecurity. The majority of
collateral damage, difficulties in approving ACD measures through Federal agencies, and
possibilities of an escalated response from the attacker[s] contributed to their decision. These
selections were created from and were consistent with the anecdotal observations of discussions
on LinkedIn opposing the ACDC Act. The majority of respondents that supported the legislation
reasoned that defensive measures alone would not curb cyber threats and that citizens and
organizations have the right to self-defense. This was consistent with the literature reviewed in
the sections "Defining Active Cyber Defense" and "Government Responsibility." The majority
of respondents reported that it was likely that their organization would engage in ACD measures.
However, when comparing the combination of those that responded highly likely or likely (39%)
with the combination of those that responded highly unlikely and unlikely (30%), there was not an
overwhelming difference.
There was support for a cyber 9-1-1 program and a community cyber neighborhood
watch program; however, no detail was given in the survey instrument about what these
programs would consist of. The majority of all respondents felt that the Federal government was
responsible for protecting citizens and organizations in cyberspace, though there was also a
significant percentage that felt that citizens and organizations also have a role in protecting
themselves in cyberspace. One possible issue with this result is that the term protection was not
described regarding passive or active defense. The majority of all respondents supported
increasing resources available to Federal and SLTT agencies that handle cyber cases. This
majority view by the respondents is counter to Graves’ (2017) view that “we shouldn’t expect
them to do it” when discussing the government’s responsibility in protecting citizens and
demonstrates that resource deficiencies within the government are not easily solved, even with
increased monetary resources due to personnel shortages that are linked to the private sector
Although this research study examined support and opposition for the ACD measures
outlined in the ACDC Act, it did not analyze support for all of the ACD measures that have been
recommended in the literature review. Additionally, it is unknown how these results would scale
across the entire US population. Future research should be conducted to determine the possibility
of combining and leveraging components of each of the solutions above to build all-
include a cyber community watch program that can communicate with a centralized cyber
emergency management system (e.g., 9-1-1). A successful cyber community watch program
would likely include government- and non-governmental organization (NGO)-sponsored cyber
self-defense training programs that focus on resiliency through identification (including cyber
threat intelligence), protection, detection, response (including ACD response measures), and
recovery (National Institute of Standards and Technology, 2018).
However, without the adoption of artificial intelligence and machine learning, this
resiliency is limited by the speed of human intervention. Sacoco (2017) of Lastline recently
published an article suggesting that "organizations would start to automate as many
cybersecurity functions as possible during 2018" (p. 3). Additionally, DHS (2014) states that the
at machine speed" (p. 45). Reporting incidents, sharing intelligence, and approving and
executing ACD measures could all be accomplished at machine speed while still keeping
humans in the loop. During the interview with Graves (2017), Stewart Baker, the interviewer,
states that "you don't have time to call the government" during an attack; rather, you have
"seconds or minutes not 24, 36, or 72 hours" to take action (Graves, 2017). Baker recommends
to Graves (2017) that the Justice Department approve tools "as long as they are used in [a
prespecified] way" (Graves, 2017). Graves (2017) responds, "that's a great
recommendation and that's exactly what this legislation, I hope, promises—ideas just like that"
(Graves, 2017). Graves (2017) goes on to describe beaconing technology that would do
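Baker's suggestion above, that the Justice Department approve tools as long as they are used in a prespecified way, together with the idea that approval and execution of ACD measures could happen at machine speed with humans in the loop, can be made concrete as a policy gate. The Python below is an added example, not code from the thesis, from the ACDC Act, or from any agency; the tool names, request fields, target classes and the 0.9 attribution-confidence threshold are assumptions for illustration. A tool is admitted to the pre-approved catalogue only if none of its effects fall among those the bill excludes, and a request is then allowed only when the target is the attacker's own system, attribution confidence clears the threshold, the NCIJTF has been notified and has responded, and a named human has signed off:

```python
# Added illustrative example; not code from the thesis, the ACDC Act or any agency.
# It sketches how pre-approved ACD tools could be gated "at machine speed" while a
# human stays in the loop. Every name, field and the 0.9 threshold is an assumption.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Purpose(Enum):
    """The three purposes the thesis quotes the bill as permitting."""
    ATTRIBUTION = "attribution"
    DISRUPTION = "disruption"
    MONITORING = "monitoring"


# Effects the quoted bill text excludes from an ACD measure (assumed labels).
PROHIBITED_EFFECTS: FrozenSet[str] = frozenset({
    "destroy_data", "render_inoperable", "physical_harm", "financial_loss", "public_safety_risk",
})
# Target classes the quoted bill text puts out of scope: systems used by or for a
# government entity, and the intermediary's computer (the clause the page cuts off).
PROHIBITED_TARGET_CLASSES: FrozenSet[str] = frozenset({"intermediary", "government"})
MIN_ATTRIBUTION_CONFIDENCE = 0.9   # assumed proxy for "a high degree of confidence"


@dataclass(frozen=True)
class ToolProfile:
    """A tool approved for use only 'in a prespecified way': fixed purpose, fixed effects."""
    name: str
    purpose: Purpose
    effects: FrozenSet[str]          # everything the tool can do to the remote host


@dataclass(frozen=True)
class ActionRequest:
    tool: str
    target: str                      # attacker host; constructed values are used below
    target_class: str                # "attacker", "intermediary" or "government"
    attribution_confidence: float    # defender's own estimate, 0.0 to 1.0
    ncijtf_ticket: Optional[str]     # set once the FBI NCIJTF has been notified
    ncijtf_responded: bool           # the bill requires a response before acting
    human_approver: Optional[str]    # human-in-the-loop sign-off


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]               # every failed check, so a denial is auditable


def register(registry: Dict[str, ToolProfile], tool: ToolProfile) -> bool:
    """Admit a tool to the pre-approved set only if none of its effects are prohibited."""
    if tool.effects & PROHIBITED_EFFECTS:
        return False
    registry[tool.name] = tool
    return True


def evaluate(req: ActionRequest, registry: Dict[str, ToolProfile],
             min_confidence: float = MIN_ATTRIBUTION_CONFIDENCE) -> Decision:
    """Decide, without waiting on a phone call, whether this request may run right now."""
    reasons: List[str] = []
    tool = registry.get(req.tool)
    if tool is None:
        reasons.append(f"tool {req.tool!r} is not pre-approved")
    elif tool.effects & PROHIBITED_EFFECTS:   # belt and braces; register() already refuses these
        reasons.append(f"tool {tool.name!r} can cause a prohibited effect")
    if req.target_class in PROHIBITED_TARGET_CLASSES:
        reasons.append(f"target class {req.target_class!r} is out of scope")
    elif req.target_class != "attacker":
        reasons.append(f"unknown target class {req.target_class!r}")
    if req.attribution_confidence < min_confidence:
        reasons.append(f"attribution confidence {req.attribution_confidence:.2f} "
                       f"is below {min_confidence:.2f}")
    if not (req.ncijtf_ticket and req.ncijtf_responded):
        reasons.append("NCIJTF has not been notified and responded")
    if not req.human_approver:
        reasons.append("no human approver recorded")
    return Decision(allowed=not reasons, reasons=reasons)


# Assumed pre-approved catalogue: one attribution tool and one monitoring tool.
APPROVED_TOOLS: Dict[str, ToolProfile] = {}
register(APPROVED_TOOLS, ToolProfile("beacon-readback", Purpose.ATTRIBUTION,
                                     frozenset({"read_beacon_callback"})))
register(APPROVED_TOOLS, ToolProfile("c2-session-monitor", Purpose.MONITORING,
                                     frozenset({"observe_attacker_sessions"})))


if __name__ == "__main__":
    # Constructed requests, not real incidents.
    ready = ActionRequest("beacon-readback", "198.51.100.7", "attacker", 0.95,
                          "NCIJTF-0001", True, "analyst-a")
    no_response = ActionRequest("beacon-readback", "198.51.100.7", "attacker", 0.95,
                                "NCIJTF-0002", False, "analyst-a")
    for req in (ready, no_response):
        decision = evaluate(req, APPROVED_TOOLS)
        print(req.tool, "->", "ALLOW" if decision.allowed else "DENY", decision.reasons)
```

The gate returns every failed check rather than the first one because a denial has to be explainable after the fact. The evaluation itself takes microseconds; the delay Baker objects to is moved to the one-time approval of the tool and to the NCIJTF notification, not to each individual action.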
Huang (2014) believes that defenders should also "be able to isolate botnets from
their controllers" and go further by installing updates "to remove the underlying malware itself"
(p. 1265). The DARPA project, Harnessing Autonomy for Countering Cyberadversary Systems
(HACCS), aims to accomplish this by "developing safe, reliable, and effect[ive] capabilities for
systems and networks (e.g., botnets)" (Keromytis, 2017, p. 3). If the ACDC Act is passed, it will
only be the first step of many towards an overarching active cyber defense strategy that will
References
https://www.911.gov/about_national_911program.html
Ayala, L. (2016). Cybersecurity lexicon (1st 2017;1; ed.). Berkeley, CA: Apress.
doi:10.1007/978-1-4842-2068-9
Center for Cyber & Homeland Security (2016). Into the gray zone: The private sector and active
defense against cyber threats. [online] District of Columbia: The George Washington
https://cchs.gwu.edu/sites/g/files/zaxdzs2371/f/downloads/CCHS-
ActiveDefenseReportFINAL.pdf
Chairman Joint Chiefs of Staff (2018). Department of Defense Dictionary of Military and
http://www.jcs.mil/doctrine/dod_dictionary/
Chairman Joint Chiefs of Staff. (2013). JP 3-12: Cyberspace Operations. Chairman Joint Chiefs
http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12R.pdf
Cole, E. (2013). Advanced persistent threat: Understanding the danger and how to protect your
Crowther, G. A., & Ghori, S. (2015). Detangling the web: A screenshot of U.S. government
Curran, J. (2016). Report calls on government to clarify 'active' cyber defense. Cybersecurity
Policy Report, 1.
Department of Homeland Security (2014). The 2014 Quadrennial Homeland Security Review.
https://www.dhs.gov/sites/default/files/publications/Reporting%20a%20Cybercrime%20
Complaint_0.pdf
Federal Bureau of Investigation Internet Crime Complaint Center. (2017). 2015 Internet Crime
Report (p. 3). Department of Justice and Federal Bureau of Investigation Internet Crime
Complaint Center.
Flowers, A. & Zeadally, S. (2014). US Policy on Active Cyber Defense. Journal of Homeland
Security and Emergency Management, 11(2), pp. 289-308. Retrieved 1 Sep. 2017, from
doi:10.1515/jhsem-2014-0021
Forscey, D. (2017). New ‘Hack Back’ Legislation Makes Improvements and Raises New
legislation-makes-improvements-and-raises-new-questions
Garrie, D., & Reeves, S. R. (2016). An unsatisfactory state of the law: The limited options for a
corporation dealing with cyber hostilities by state actors. Cardozo Law Review, 37(5),
1827.
Graves, T. (2017). The Cyberlaw Podcast: Interview with United States Representative Tom
Graves.
Heckman, K., Stech, F., Thomas, R., Schmoker, B. and Tsow, A. (2015). Cyber Denial,
Heggde, G., Shainesh, G., & SpringerLink (Online service). (2018). Social media marketing:
House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security hearing. (2010).
Huang, S. (2014). Proposing a self-help privilege for victims of cyber attacks. The George
http://www.gwlr.org/wp-content/uploads/2014/10/Huang_82_4.pdf
Iasiello, E. (2014). Hacking back: Not the right solution. Parameters, 44(3), 105.
Institute for Defense Analyses (2007). Techniques for Cyber Attack Attribution. Alexandria, VA:
Jones, B. R. (2007). Comment: virtual neighborhood watch: open source software and
community policing against cybercrime. Journal of Criminal Law & Criminology, 97(2),
601-629.
Kshetri, N. (2016). The quest to cyber superiority: Cybersecurity regulations, frameworks, and
Lucas, G. R. (2017). Ethics and cyber warfare: The quest for responsible security in the age of
digital warfare. New York, NY, United States of America: Oxford University Press.
Margulies, P. (2013). Sovereignty and cyber attacks: Technology's challenge to the law of state
administration's conflicted legacy. Indiana Journal of Global Legal Studies, 24(2), 459.
National Institute of Standards and Technology (2018). Cybersecurity Framework. [online]
https://www.nist.gov/cyberframework
NSA IAD (2015). Active Cyber Defense (ACD). [online] Information Assurance by The National
cyber-defense.cfm
Payne, C., & Finlay, L. (2017). Addressing obstacles to cyber-attribution: A model based on
state response to cyber-attack. The George Washington International Law Review, 49(3),
535.
Portman, R. (2015). Portman bill to improve cybersecurity workforce passes the Senate.
Washington: Federal Information & News Dispatch, Inc. Retrieved from Social
Rosenzweig, P. (2014). International law and private actor active cyber defensive measures.
Sacoco, N. (2017). Lastline reveals predictions and trends for the 2018 cyberthreat
Schmitt, M. N., & NATO Cooperative Cyber Defence Centre of Excellence. (2017). Tallinn
manual 2.0 on the international law applicable to cyber operations (Second ed.). New
Shamsi, J. A., Zeadally, S., Sheikh, F., & Flowers, A. (2016). Attribution in cyberspace:
Techniques and legal implications. Security and Communication Networks, 9(15), 2886-
2900. doi:10.1002/sec.1485
United States Congress. (2017). Text - H.R.4036 - 115th Congress (2017-2018): Active Cyber
https://www.congress.gov/bill/115th-congress/house-bill/4036/text?r=1
right balance: Protecting our nation's critical infrastructure from cyber attack and
DC,2011.
Ventre, D. (2014). Chinese cybersecurity and defense (1st ed.). Hoboken, London; ISTE, Ltd.
Verizon Enterprise Solutions (2018). 2017 DBIR: Understand Your Cybersecurity Threats.
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
Wilhoit, K. (2013). The SCADA That Didn’t Cry Wolf: Who’s Really Attacking Your ICS
Equipment?. In: BlackHat USA. [online] Las Vegas: TrendMicro. Available at:
https://media.blackhat.com/us-13/US-13-Wilhoit-The-SCADA-That-Didnt-Cry-Wolf-
Whos-Really-Attacking-Your-ICS-Devices-Slides.pdf
Winkler, I. (2017). Hack back law would create cyber vigilantes. CSO (Online).
Appendix A
Introduction
Hello friends, my name is Daniel West. I am currently pursuing a Master’s Degree in Homeland
Security – InfoSec and Forensics (HLS/ISF). I kindly invite you to participate in a short survey
about counter-hacking in cyberspace. This survey is purely academic, contains 23 questions and
will take about 9 minutes to complete. If you have any questions, comments, or concerns then
please feel free to contact me at dlw79@psu.edu. See below for a privacy notice. Background
information on the survey is provided below, however you may continue with the survey at any
Background: Elected officials have started discussions on allowing citizens and organizations to
conduct "active cyber defense" for the exclusive purposes of attributing, disrupting, and
monitoring attackers. On October 12, 2017, U.S. Representatives Tom Graves and Kyrsten
Sinema introduced H.R. 4036 Active Cyber Defense Certainty (ACDC) Act to the House of
Representatives. The act amends Title 18, United States Code “to provide a defense to
prosecution for fraud and related activity in connection with computers for persons defending
against unauthorized intrusions into their computers, and for other purposes”.
Untimely responses to cybercrimes by law enforcement (LE) have led to fewer prosecutions
continued to develop new tactics, while the Federal government has been unable to reform
current law to allow “new cyber tools and deterrence methods for defenders”. U.S. citizens and
organizations should always report cybercrime to LE and seek to improve defensive measures
first. However, Federal agencies must prioritize cyber incidents of national significance, while
also being more responsive to reports of cybercrime from individuals and organizations. When
properly utilized, active cyber defense (ACD) measures can assist in improving defenses and
deterring threats. ACD can also be used by defenders within the “dark web” to return “private
Active cyber defense (ACD) is defined in the bill as "any measure undertaken by, or at the
discretion of, a defender" that "consists of accessing without authorization the computer of the
attacker to the defender’s own network to gather information” that “establishes attribution”,
“disrupts continued unauthorized activity against the defender’s own network”, or “monitors the
techniques”. This does not include destroying or rendering any information “inoperable”,
“recklessly [causing] physical injury or financial loss”, “[creating] a threat to the public health or
for attribution of the origin of the persistent cyber intrusion”, “intrusive or remote access into an
or “computer systems used by or for a Government entity for the furtherance of the
administration of justice, national defense, or national security”. Following the laws of other
nations when conducting ACD is the responsibility of "qualified defenders with a high degree of
confidence in attribution" (United States Congress, 2017, p. 4). The bill does not define the
educational requirements, nor does it state the required licensing and/or credentialing of a
qualified defender. Defenders are required to notify and receive a response from the FBI
National Cyber Investigative Joint Task Force (NCIJTF) prior to using an ACD measure.
congress/house-bill/4036/text
PRIVACY NOTICE: Your privacy is important to me. The data being collected is solely to
satisfy an academic requirement for conferral of the graduate degree. Although there are a few
generic demographics questions, the survey does not capture any Personally Identifiable
Information (PII) about you or uniquely identifying information about your organization. All raw
data and aggregate information gathered and reported will be anonymous. If you prefer you may
use any anonymity service such as Tor to take the survey. The individual datasets will be
a. Support
b. Oppose
c. Not Sure
2a. [ROUTED FROM Q1] You selected “oppose” as your answer to Question 1. Please select
the reason(s) that best aligns with why you oppose. Select all that apply.
d. Difficulties in attribution
2b. [ROUTED FROM Q1] You selected “support” as your answer to Question 1. Please select
the reason(s) that best aligns with why you support. Select all that apply.
3a. [ROUTED FROM Q2a] You responded “other” to Question 2. Please provide your response.
3b. [ROUTED FROM Q2b] You responded “other” to Question 2. Please provide your response.
4. If the ACDC Act was passed how likely would it be that your organization would engage in
a. Highly Likely
b. Likely
c. Unlikely
d. Highly Unlikely
e. Not sure
f. Not Applicable
5. Who do you feel is responsible for protecting US citizens against attackers in cyberspace,
a. Federal Government
c. Myself
d. Not sure
a. Federal Government
c. Myself
d. Not sure
7. From the list below, select all of the alternatives to the “Active Cyber Defense Certainty Act”
that you would support. Alternatively, you can specify other to provide a unique response.
b. Increasing resources available to Federal agencies that handle cyber cases (e.g., FBI)
d. A cyber 911
7a. [ROUTED FROM Q7] You responded “other” to Question 7. Please provide your response.
8. Which of the following selections best describes the industry of the organization you work
8a. [ROUTED FROM Q8] You responded “other” to Question 8. Please provide your response.
9. Which of the following best describes your occupational category? [LIST PROVIDED
9a. [ROUTED FROM Q9] You responded "other" to Question 9. Please provide your response.
10. Are you a Federal, State, Local, Tribal, or Territorial government employee?
a. Yes
b. No
a. No Knowledge
b. Some Knowledge
c. Average Knowledge
d. Knowledgeable
e. Very Knowledgeable
a. 0-3 years
b. 4-7 years
c. 8-15 years
d. 16-20 years
e. 21+ years
a. 16-24
b. 25-34
c. 35-49
d. 50-64
e. 65 and over
15. Outside of the workplace, have you ever been the victim of a cyber-crime or cyber-attack
a. Yes
b. No
c. Not Sure
16. To your knowledge has your employer ever been the victim of a cyber-crime or cyber-attack
Appendix B
Survey Invitation: The Pennsylvania State University World Campus Graduate Students
<Body>:
Hello,
InfoSec and Forensics (HLS/ISF). I kindly invite you to participate in a short survey about the
Active Cyber Defense Certainty (ACDC) Act and counter-hacking in cyberspace. This survey is
purely academic, contains 23 questions and will take about 9 minutes to complete. This is a very
important topic of debate and your feedback is important to me. Feel free to contact me if you
have any questions, comments, or concerns. See below for a privacy notice.
https://pennstate.qualtrics.com/jfe/form/SV_ezagOAl94OXpzJb
PRIVACY NOTICE: Your privacy is important to me. The data being collected is solely to
satisfy an academic requirement for conferral of the graduate degree. Although there are a few
generic demographics questions, the survey does not capture any Personally Identifiable
Information (PII) about you or uniquely identifying information about your organization. All raw
data and aggregate information gathered and reported will be anonymous. If you prefer you may
use any anonymity service such as Tor to take the survey. The individual datasets will be
Very Respectfully,
Daniel West
dlw79@psu.edu
LinkedIn: https://www.linkedin.com/in/danielwest1/
Appendix D
Minimum: 1
Maximum: 411