Active Defense in Cyberspace - Review of Technology and Politics (WEST)

Running head: ACTIVE DEFENSE IN CYBERSPACE: REVIEW OF TECHNOLOGY 1
Active Defense in Cyberspace:
Review of Technology and Politics
Daniel West
The Pennsylvania State University
Author Note
Daniel West, Graduate Student at Pennsylvania State University
Correspondence concerning this article should be addressed to Daniel West
Contact: dlw79@psu.edu
Table of Contents
Abstract ........................................................................................................................................... 3
Introduction ..................................................................................................................................... 4
Literature Review............................................................................................................................ 5
Defining the Environment ........................................................................................................... 5
Lexicon ........................................................................................................................................ 7
Barriers to Combating Cybercrime ............................................................................................. 8
Proximity & Difficulties in Attribution ................................................................................. 10
Scale, Scope, & Artificial Intelligence .................................................................................. 14
Defining Active Cyber Defense ............................................................................................ 14
Government Responsibility ................................................................................................... 19
Balancing Civil Liberties & Security .................................................................................... 20
Sovereign and Citizen Self-Defense ...................................................................................... 21
Deconfliction of Cyber Activities Between Friendly Actors ................................................ 22
Proposed Solutions .................................................................................................................... 25
H.R. 4036 Active Cyber Defense Certainty Act ................................................................... 25
Cyber Community Watch Program (The Community Policing Model) ............................... 30
Cyber 9-1-1 ............................................................................................................................ 31
Research Objective ....................................................................................................................... 31
Research Methodology ................................................................................................................. 32
Data Collection Instrument ....................................................................................................... 32
Access to Data Sources and Sampling Techniques ................................................................... 32
Data Collection & Analysis ...................................................................................................... 33
Results ........................................................................................................................................... 34
Conclusion .................................................................................................................................... 44
Limitations and Future Research .................................................................................................. 45
References ..................................................................................................................................... 48
Appendix A ................................................................................................................................... 54
Appendix B ................................................................................................................................... 61
Appendix C ................................................................................................................................... 63
Appendix D ................................................................................................................................... 64
Abstract
Cyber fraud and related cyber-enabled crimes on US citizens and organizations continue
to grow beyond manageability for government resources resulting in a struggle to overcome
legal and technological obstacles that have been erected by the advent of new technologies and
the growing prevalence of threat actors who exploit those technologies. In response to this
growing problem, elected officials have started discussions on the controversial topic of allowing
citizens and organizations to conduct active cyber defense (ACD) as a means of cyber self-
defense for the exclusive purpose of attributing and disrupting attackers. Policymakers and
defenders must first review the technical and political environment surrounding the proposed
ACD measures before enacting legislation that promotes cyber self-defense through ACD
measures or hacking-back. This study reviews the cyberspace environment and lexicon, barriers
to combating cyber-crime and proposed solutions. The primary objectives of this study are to
determine a total count of supporters, opposers, and undecided for the ACDC Act and to
determine relationships between bill support and opposition, personal and organizational history
of victimization, level of cyber knowledge and experience, age, industry, occupational category
and government employment. Data collection was performed using a survey instrument, and an
analysis was performed to achieve these objectives. The results identified that the majority of
respondents supported the ACDC Act. Among other inferences, the results imply that a
relationship exists between support for the legislation and organizational victimization in critical
industries.
Introduction
to grow beyond manageability for government resources (United States Congress, 2017). In
2015, the Federal Bureau of Investigation Internet Crime Complaint Center received 288,012
complaints of Internet-related crime (Federal Bureau of Investigation Internet Crime Complaint
Center, 2015, p. 4). This included 7,838 business email compromise (BEC) complaints totaling
over $263 million in damage, 281 email account compromises (EAC) totaling over $11 million
in damage, and 2,453 ransomware complaints totaling over $1.6 million in damage (Federal
Bureau of Investigation Internet Crime Complaint Center, 2015, p. 10-11). The Department of
Justice, however, only prosecuted 153 of these computer fraud cases in 2015 (United States
Congress, 2017). In response to this growing problem, elected officials have started discussions
on the controversial topic of allowing citizens and organizations to conduct “active cyber
defense” as a means of cyber self-defense for the exclusive purpose of attributing and disrupting
attackers. On October 12, 2017, U.S. Representative Tom Graves and Kyrsten Sinema
introduced H.R. 4036 Active Cyber Defense Certainty (ACDC) Act to the House of
Representatives (United States Congress, 2017). The act amends title 18, United States Code “to
provide a defense to prosecution for fraud and related activity in connection with computers for
persons defending against unauthorized intrusions into their computers, and for other purposes”
(United States Congress, 2017).
Many cybersecurity leaders and experts assert that counter-hacking, which is also
controversially synonymized with “active cyber defense” (ACD), involves “too many variables”
that “make it ineffective and potentially catastrophic” (Iasiello, 2014). Policymakers and
defenders must first review the technical and political environment surrounding the proposed
ACD measures before enacting legislation that promotes cyber self-defense through ACD
measures or hacking-back. This qualitative case study will review the cyberspace environment
and lexicon, barriers to combating cyber-crime, and proposed solutions. Additional data is
collected via a survey instrument from a specific population and analyzed to determine:
1. The total count of supporters, opposers, and undecided for the ACDC Act.
2. The total count of reasons for opposition and support for the ACDC Act.
3. The total count of the probability of organizational use of ACD measures.
4. The total count of supporters for alternative solutions to ACD measures.
5. The total count of parties responsible for cyber defense.
6. Cross-tabulation to determine relationships between bill support and opposition with
a personal and organizational history of victimization, level of cyber knowledge and
experience, age, industry, occupational category and government employment.
Literature Review
Defining the Environment
Cyberspace is a complex global domain consisting of network, nodes, system data, and
cyber-personas which are typically described in terms of three layers: physical network layer,
logical network later, and cyber-persona layers (Chairman Joint Chiefs of Staff, 2013, p. I-2).
The Department of Homeland Security (2014) estimates that “two billion people have at least 12
billion computers and devices, including global positioning systems, mobile phones, satellites,
data routers, desktop computers, and industrial control computers that run power plants, water
systems, and more” (p. 19-20). In cyberspace, actors can conduct a range of cyberspace activities
or actions across physical borders using various cyber-personas that make attribution and a
proportionate response through cyber self-defense difficult. In A Genealogy of Hacking, Jordan

(2017) discusses “nation-state—based hacking,” and the use of government-sponsored hackers to
conduct cyber espionage against other governments (p. 538). In Non-State Actors in Cyberspace
Operations, Sigholm (2013) defines the “main non-state actors in cyber conflict” (p. 11-26). This
includes companies and corporations, ordinary citizens, cyber-activists and hacktivists, cyber
terrorists, script kiddies, cyber insiders, black-hat hackers, patriot hackers, cyber scammers,
organized cybercriminals, cyber espionage agents, and cyber militias as shown in Table 1
(Sigholm, 2013, p. 11).
Table 1: List of Main Cyber Actors.
Note. Reprinted from “Non-state Actors in Cyberspace Operations,” by J. Sigholm, 2013, Journal of
Military Studies, 4(1), p. 22.
Companies and corporations in cyberspace are “usually thought to be law-abiding entities, as
serious transgressions may lead to sizeable economic sanctions or even personal accountability
for key officials with the organization” (Sigholm, 2013, p. 21). Sigholm (2013) offers evidence
that large international corporations have found “themselves on both sides of the line” with
nation-states during cyber conflict (p. 21). Ordinary citizens are “the most common actors in
cyberspace” utilizing the “Internet for various lawful purposes, such as browsing the web and
using online services” (Sigholm, 2013, p. 13).
Malicious actors “seek to steal financial information, intellectual property, trade secrets, and
other sensitive information from businesses small and large” and “personal and financial
information from citizens” (Department of Homeland Security, 2014, p. 19-20). An advanced
persistent threat (APT) can present one of the greatest challenges to an organization’s
information security program. The book Advanced Persistent Threat, provides an in-depth
discussion on the “advanced persistent threat (APT)” (Cole, 2013). Cole (2013) describes an
APT as a “well-funded, organized group that systematically compromises government and
commercial entities” (p. 3). The term had been utilized as a code name for intrusions into US
military organizations from Chinese-related actors (Cole, 2013, p.3). However, the term is now
used “to refer to advanced adversaries that are focused on critical data with the goal of exploiting
information in a covert manner” (Cole, 2013, p.3). Mitigating an APT may require the
involvement of external organizations and government agencies that can intervene by publicly
exposing, indicting, or imposing sanctions on the actors involved.
Lexicon
After considering the complexities of cyberspace, it is essential to examine the terms and
definitions that are accepted by cybersecurity subject matter experts (SME) as part of an ever-
expanding lexicon. The book Cybersecurity Lexicon provides a common language for terms
describing activities and actions in cyberspace. Key terms extracted for this study are
“cyberspace,” “cyber-attack,” “intrusion,” “cyberwarfare,” “cybersecurity,” and “cyber-crime”

(Ayala, 2016, p. 10-89). Cyberspace is “a global domain within the information environment
consisting of the interdependent network of information systems infrastructures including the
Internet, telecommunications networks, computer systems, and embedded processors and
controllers” (Ayala, 2016, p. 48). A cyber-attack is “an attack, via cyberspace, targeting an
enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously
controlling a computing environment/infrastructure; or destroying the integrity of the data or
stealing controlled information” (Ayala, 2016, p. 43). A cyber-attack differs from an intrusion
which is simply “an unauthorized act of bypassing the security mechanisms of a network or
building control system” (Ayala, 2016, p. 89). Ayala (2016) defines a cyber-crime as “any crime
to which a computer or computer technology has been used,” where either the computer is the
target of or the instrument of the crime (p. 46). Within the United States, the authoritative source
of what constitutes a cyber-crime is 18 U.S.C. § 1030, Computer Fraud and Abuse Act (CFAA).
Lastly, cyberwarfare is “actions by a nation-state to penetrate another nation’s computers or
networks for the purposes of causing damage or disruption,” whereas cybersecurity is “the ability
to protect or defend the use of cyberspace from cyber-attacks” (Ayala, 2016, p. 48-49).
Barriers to Combating Cybercrime
to grow beyond manageability for government resources (United States Congress, 2017). The
Department of Homeland Security (2014) attributes difficulties in securing cyberspace to “the
ability of malicious actors to operate from anywhere in the world, the linkages between
cyberspace and physical systems, and the difficulty of reducing vulnerabilities and consequences
in complex cyber networks” (p. 39). In 2015, the Federal Bureau of Investigation Internet Crime
Complaint Center received 288,012 complaints of Internet-related crime (Federal Bureau of

Investigation Internet Crime Complaint Center, 2015, p. 4). This included 7,838 business email
compromise (BEC) complaints totaling over $263 million in damage, 281 email account
compromises (EAC) totaling over $11 million in damage, and 2,453 ransomware complaints
totaling over $1.6 million in damage (Federal Bureau of Investigation Internet Crime Complaint
Center, 2015, p. 10-11). The Department of Justice, however, only prosecuted 153 of these
computer fraud cases in 2015 (United States Congress, 2017). These cases were likely
investigated and prosecuted using the traditional “reactive model of law enforcement” that
consists of “identifying a crime, apprehending the perpetrator, and meting out some punishment
of justice” (Jones, 2007, p. 603). This model is well-suited for “traditional, realspace crime” that
is bounded by constraints such as the “laws of physics” which requires “physical proximate to
[the] victim” (Jones, 2007, p. 603). The current strategies employed by law enforcement,
including the reactive approach, are ineffective and ill-suited to prevent or punish cybercrime
which “defies the traditional notions of criminal behavior” and is limited by proximity and scale
in the corporeal world (Jones, 2007, p. 601). Essentially, cyberspace acts as a “force multiplier”
for criminal activities (Jones, 2007, p. 613).
Policymakers have “struggled to close the gap between the technological world and the
legal world” and to overcome obstacles that have been erected by the advent of new technologies
and the growing prevalence of threat actors who exploit those technologies (Jones, 2007, p. 602).
Legislation has already been enacted and measures implemented to address other systemic issues
that inhibit the ability to combat cybercrime, including cyber threat intelligence information
sharing and qualified personnel shortages that are rooted in talent management and educational
deficiencies. Recent legislation includes the Cybersecurity Information Sharing Act, Department
of Homeland Security Workforce Recruitment and Retention Act, Strengthening State and Cyber
Crime Fighting Act of 2017, Cyber Preparedness Act of 2017, Small Business Advanced
Cybersecurity Enhancements Act of 2017, and State and Local Cyber Protection Act of 2017
among others. Although these issues are outside of the scope of this study, they are significant in
painting an accurate depiction of the overall difficulties in combating cybercrime. For this study,
the focus will be on 1) proximity and difficulties in attribution, 2) scale, scope, and artificial
intelligence, 3) defining active cyber defense, 4) government responsibility, 5) balancing civil
liberties and security, 6) sovereign and citizen self-defense, and 7) deconfliction of cyber
activities between actors (Figure 1).
Figure 1. Barriers to combatting cybercrime
Proximity & Difficulties in Attribution
As previously mentioned, actors can conduct a range of cyberspace activities or actions
across physical borders using various cyber-personas that make attribution and a proportionate
response through cyber self-defense difficult. Most traditional crimes within the physical world
require physical proximity to the victim (Jones, 2007, p. 610). Law enforcement relies heavily on
spatial and temporal limitations of a crime when attributing a crime to a subject (Jones, 2007, p.
611). Many obstacles can prevent a defender from reliably ascertaining attribution and
characterizing the type of attack. At a nation-state level attribution is a prerequisite for an
“injured state” to seek reparations or self-defense under international law (Payne and Finlay,
2017, p. 556). Attribution “could involve multiple steps” including:
1. “identification of the cyberweapon used to launch the [attack],”
2. “identification of the country or city of the [attacker],”
3. “identification of the [attacker]” (Shamsi et al., 2016, p. 2889).
Attribution can be accomplished through:
1. “digital forensics” which includes “forensics on static data” (e.g. “storage-based and
RAM-based analysis”) and “network forensics or forensics on dynamic data” (e.g.
“traceback and logging” and “deceptive techniques” such as honeypots),
2. “malware-based analysis” which includes “static and dynamic analysis”, “similarity-
based attribution”, and “reverse-engineering,”
3. “indirect attribution” which includes “machine learning techniques” (e.g. “behavioral
analysis,” “genetic algorithms,” and “neural networks and support vector machines”),
“attribution through social networks,” and “linking with geopolitical scenarios” (Shamsi
et al., 2016, p. 2891-2895).
There is also the more “controversial technique” of hacking-back, which is typically executed by
“reversing the attack chain” and exploiting the intermediate systems until the defender reaches
and exploits the attacker (Institute for Defense Analyses, 2007, p. 23). At BlackHat 2013,
Wilhoit (2013) employed a “honeypot” with “the Browser Exploitation Framework (BeEF)” to
again attributional data on attackers of industrial control systems (ICS) (p. 10). BeEF enabled
Wilhoit (2013) to utilize scripts that exploited (also known as hooking) the browser of an
attacker accessing a web-based Human Management Interface (HMI) of an ICS (p. 10). This
script downloaded and executed a signed Java applet on the attacker’s system. BeEF’s “physical
location module will retrieve geographical location information based on neighboring wireless
access points” using commands that have been encapsulated within the signed Java applet
(Wilhoit, 2013, p. 10). This geographical location information is more precise than an IP address
which can be obfuscated by an attacker using an anonymizer (Wilhoit, 2013, p. 10).
Additionally, BeEF obtains “operating system details, number of processors, network interface
card names and IP addresses, [anonymizer use], and other details” (Wilhoit, 2013, p. 10). Wilhoit
(2013) mentions that “several other attribution methods and internal tools were used” on the
honeypot, but he could not “specifically share what these methods are” (p. 10).
Attribution of a real-world persona from a cyber-persona may require the cooperation of
the information owner (e.g., an intermediary) that maintains the cyber-persona and transaction
record that links the cyber-persona to a logical identifier (e.g., an IP address) (Jones, 2007, p.
611). Attribution may prove to be an “onerous procedural burden” for victims using the
“traditional legal process” if the attacker is utilizing compromised intermediary systems, cloud-
based infrastructure, and anonymity services that conceal the threat actor's true identity from the
victim and law enforcement, especially across jurisdictional boundaries (Jones, 2007, p. 612;
Huang, 2014, p. 1237). Anonymizers such as The Onion Router (TOR), virtual private networks
(VPN), virtual private servers (VPS), and proxies are frequently utilized by attackers as
intermediate systems or hopping/pivot points to conceal the threat actor’s source IP address.
Payne and Finlay (2017) present one “hypothetical scenario” that demonstrates the complications
in attribution. Essentially, “one state [can] effectively ‘frame’ another by routing cyber-attacks
through systems based within the second state’s territory” (p. 556). Essentially, the first state can
use the second state as a hopping point, with or without the second state’s consent or knowledge.
In military cyber jargon, this is known as a false-flag attack and falls under the realm of “cyber
denial, deception, (D&D) and counter-deception” techniques that are employed by both nation-
state and non-nation state actors (Heckman, Stech, Thomas, Schmoker, and Tsow, 2015).
This hypothetical scenario highlights the “importance of attribution” and the dangers of
misattribution which is far more likely in relation to cyber-attacks than to traditional kinetic
attacks (Payne and Finlay, 2017, p. 556). Issues with attribution have both legal and technical
implications. Previous rulings by the International Court of Justice (ICJ) “suggest that the
standard for proof will be commensurate with the seriousness of the allegation” (Payne and
Finlay, 2017, p. 558). To establish legal attribution, the victim state must have “the ability to
satisfactorily answer highly technical questions concerning the origin of a particular attack”
which “requires overcoming significant technical evidentiary hurdles” (Payne and Finlay, 2017,
p. 559-560). During the cyber-attacks on Estonia in 2007, it was reported that the attacks
“originated from at least 177 countries” and “from within Estonia itself” (Payne and Finlay,
2017, p. 560). This lack of attribution prevented the North Atlantic Treaty Organization (NATO)
from helping Estonia to “prepare a lawful response against the attackers” (Shamsi et al., 2016, p.
2886). A threat actor “can work in comparatively small groups or even as individuals” using
“commodity computer systems that can be easily, cheaply, and covertly acquired” and the
complex architecture of the Internet to conduct their attacks (Payne and Finlay, 2017, p. 560).
It is “widely acknowledged” that the “serious difficulty of technical attribution” is
“inherently the most significant practical obstacle to addressing cyber-attack under public
international law” (Payne and Finlay, 2017, p. 560). Payne and Finlay (2017) propose that
“conflicting [attribution] requirements can be resolved by determining attribution requirements
based upon the course of action the victim state chooses to pursue” (p. 566).
Scale, Scope, & Artificial Intelligence
Technologies, such as automation, within cyberspace, allow cybercriminals to “reverse
the traditional notion of the one-to-one scale of crime” within the physical world (Jones, 2007, p.
613). This allows individual criminals and groups of criminals the ability to overcome spatial
and temporal limitations of traditional criminal activities while maximizing the effects on a
greater population of victims (Jones, 2007, p. 613). Lastline, predicts that cybercriminals will
employ more sophisticated attacks during 2018 by leveraging “artificial intelligence (AI) and
machine learning (ML) powered hacking kits” (Sacoco, 2017, p. 1). The use of AI and ML will
significantly extend the scale and scope of cyber intrusions and attacks while minimizing the
time and personnel constraints that may impede the cybercriminal. Additionally, 2018 is
predicted to behold an increase in hardware-based malware and mobile and Internet of Things
(IoT) intrusions and attacks while defenders continue to battle a continuing increase in traditional
cybersecurity intrusions and attacks on enterprise environments (Sacoco, 2017, p. 1).
Defining Active Cyber Defense
The term “cyber defense” and “cybersecurity” are often used synonymously. In the article US
Policy on Active Cyber Defense, Flowers and Zeadally (2014) examine two types of cyber
defense: passive cyber defense and active cyber defense (p. 292). Flowers and Zeadally (2014)
define passive cyber defense practices as a four-step model that includes (1) locating invading
code, (2) unplugging affected systems, (3) deploying security patches and solutions to thwart that
particular attack; and (4) applying the patches and solutions system-wide (p. 292). This varies
from the approaches described for active defense which includes “detection and forensics,
deception, and attack termination” with the latter including “denial of service (DoS) attacks
against the attackers” (Flowers and Zeadally, 2014, p. 293). Rosenzweig (2014) states that the
“definition of hack back, is also sometimes called an ‘active cyber defense’” (p. 105). Flowers
and Zeadally (2014), Rosenzweig (2014), and Iasiello (2014) reference the U.S. Department of
Defense Strategy for Operating in Cyberspace (2011) for the following definition of “active
cyber defense”:
“[The] synchronized, real-time capability to discover, detect, analyze, and

mitigate threats and vulnerability... It operates at network speed by using
sensors, software, and intelligence to detect and stop malicious activity before
it can affect DoD networks and systems. As intrusions may not always be
stopped at the network boundary, DoD will continue to operate and improve
upon its advanced sensors to detect, discover, map, and mitigate malicious
activity on DoD networks” (U.S. Department of Defense, 2011).
Iasiello (2014) defines active cyber defense as “a range of offensive, damaging or destructive
actions, such as counter-hacking, that engage an adversary during or promptly after an initial
cyber attack” (p. 105-106). This definition includes “counter-hacking and technical
countermeasures with weaponized payloads,” but “does not include nonviolent actions such as
diplomatic or economic sanctions” (Iasiello, 2014, p. 106). The definition of active cyber defense
is further convoluted by the National Security Agency (NSA) Information Assurance
Directorate’s (IAD) view of Active Cyber Defense (ACD) as a “component of the DoD’s overall
approach to defensive cyber operations” that “complements preventative and regenerative cyber-
defense efforts by synchronizing the real-time detection, analysis, and mitigation of threats to
critical networks and systems” (NSA IAD, 2015). This concept extends to “all U.S. Government
and critical infrastructure networks” and is “active within the networks it protects” but is “not
offensive, and its capabilities affect only the networks where they have been installed by network
operators and owners” (NSA IAD, 2015). Kuchler (2015), however, states that “legal or not,
some say hacking back is necessary given the threat” as a form of self-defense (p. 2).
George Washington University's Center for Cyber and Homeland Defense issued a report
that “calls on Congress and the federal government to take a series of steps to clarify what
private companies can do under the [2015 Cybersecurity Act] to improve their active
cybersecurity defenses” (Curran, 2016, p. 2). The report, Into the Gray Zone: Active Defense by
the Private Sector against Cyber Threats, states that active cybersecurity defenses “should not be
synonymous with ‘hacking back’ against an attacker” (Curran, 2016, p. 2; Center for Cyber &
Homeland Security, 2016, p. 8). A thorough examination of the origin of the term ‘active
defense’ and its application within cyberspace reveals the term’s controversial and conflicting
definitions (Center for Cyber & Homeland Security, 2016, p. 6). This “lack of common
definition complicates discussion surrounding active defense and precludes meaningful progress
on developing a commonly understood framework for its implementation” (Center for Cyber &
Homeland Security, 2016, p. 8).
Legal ambiguity forces organizations to adopt “passive, reactive postures on their own
networks” rather than the “full range of defenses” against unknown attackers (Huang, 2014, p.
1223-1229). Some US organizations have utilized active defense measures due to a lack of
confidence in the government’s skill, determination, and resources “required to pursue
perpetrators effectively and provide adequate remediation” which US organizations feel is
“essential to deterrence and prevention” (Center for Cyber & Homeland Security, 2016, p. 18).
In 2010, Google responded to the ‘Operation Aurora” attack by Chinese actors by using active
defense measures to gain access to a Taiwanese server that had been used to perpetrate attacks on
Google servers (Huang, 2014, p. 1248). Google “collected information about the nature of the
attacks, the perpetrators of the attacks, and other victims of the attacks” (Huang, 2014, p. 1248).
Although Google likely committed an offense under the CFAA, the Department of Justice has
not prosecuted any company, including Google, who has engaged in active defense measures,
although the DOJ has expressed that it has the authority to prosecute those that utilize active
defense measures (Center for Cyber & Homeland Security, 2016, p. 14-17; Huang, 2014, p.
1249).
The Center for Cyber & Homeland Security at The George Washington University (2016)
“defines active defense as activities covering technical interactions between a defender and an
attacker, operations that enable defenders to collect intelligence on threat actors and indicators on
the Internet, and other policy tools including sanctions, indictments, and trade remedies that can
modify the behavior of malicious actors” (p. XI). Huang (2014) states that measures must be
“proportional to the threat and will restrain harmful or unlawful actions” (p. 23). The Center for
Cyber & Homeland Security (2016) provided “Figure 2. Active defense: The gray zone (2016)”,
“Figure 3. Active defense techniques defined (2016)”, and “Figure 4. Where active defense
interdicts a cyber-attack (2016)” to further elaborate on differences between passive defense,
offensive actions, and active cyber defense measures (p. 10-13).
Figure 2. Active defense: The gray zone.
Note. Reprinted from “Into the gray zone: The private sector and active defense against cyber threats,” by the Center
for Cyber & Homeland Security, 2016, the Georgia Washington University, p. 10.
Figure 3. Active defense techniques defined.

Note. Reprinted from “Into the gray zone: The private sector and active defense against cyber threats,” by the Center
for Cyber & Homeland Security, 2016, the Georgia Washington University, p. 11.
Figure 4. Where active defense interdicts a cyber-attack.
Note. Reprinted from “Into the gray zone: The private sector and active defense against cyber threats,” by
the Center for Cyber & Homeland Security, 2016, the Georgia Washington University, p. 13.
The following list summarizes the considerations recommended by the Center for Cyber &
Homeland Security (2016) and Huang (2014), before utilizing active cyber defense measures:
 Temporal (ex-ante/preemptive, during, and post ante)
 Spatial (location)
 Actors (incl. financially and legally responsible parties)
 Function (detective, preventative, corrective, compensatory, et al.)
 Impacts (on confidentiality, integrity, and availability)
 Authorities of the actor (defender)
 Escalatory responses
 Proportionality
 Precision of techniques
 Information sharing
 Intermediate systems and misattribution
 Compensation for damages to third-party systems
 Need for ACD arises from persistence
Graves (2017) reiterated multiple times that “that it’s not the Wild West” and “guard rails are in
place” for the legislation discussed in a subsequent section (Graves, 2017).
Government Responsibility
The government’s inability to manage threats to U.S. citizens and organizations within
cyberspace is “unacceptable and if left unchecked, the trend in cyber crime will only continue to
deteriorate” (United States Congress, 2017, p. 2). Rooted deep in the theories of philosophers
such as John Locke, the United States Constitution appoints the United States Government
(USG) with the duty to protect the inalienable rights to life, liberty, and the pursuit of happiness
of its citizens (Heyman, 1991, p. 508-571). Article IV, Section 4 of the United States
Constitution states that the United States shall protect each [state] against invasion. In
cyberspace, the inalienable rights of U.S. citizens and organizations are encroached upon by
foreign and domestic invaders on every second of every day, requiring a balanced response of
sovereign self-defense and citizen and organization self-defense. However, Huang (2014) states
that the “government cannot be expected to deter cyber attackers targeting U.S. public and
private sector interests everywhere” due to “limited resources and available personnel” (p. 18-
23). This is particularly true when the private sector continues to “outbid the government for
highly skilled cyber experts” (Huang, 2014, p. 18).
The federal government is focused on threats to national interest. However, the “sum of
the impacts” of attacks on the private sector can lead to detrimental harm to the economy and
national security (Huang, 2014, p. 25). In an interview on The Cyberlaw Podcast, United States
Representative Tom Graves (2017) stated that the “NSA has their hands full with national
security…type issues and the private sector has been left on their own” (Graves, 2017). Graves
(2017) acknowledged that “DHS has a budget for protecting the entire civilian sector that is less
than the top four banks are spending to protect” (Graves, 2017). Graves (2017) adds that the
“government…is under-resourced, can’t do it and we shouldn’t expect them to do it” when
discussing the government’s responsibility in protecting citizens and organizations in cyberspace
(Graves, 2017).
Balancing Civil Liberties & Security
Although it is a highly convoluted topic and was not mentioned in reviewed literature, it
is important to note that the government’s inability to provide adequate protection of citizens and
organizations in cyberspace is also likely compounded with challenges in balancing surveillance

activities and civil liberties, which has been impacted by recent incidents involving Edward
Snowden and the National Security Agency (NSA) (Marguiles, 2017, p. 459). Unfortunately,
finding the right balance between security and the “protections for our citizens” is difficult
(United States Congress House Committee on Homeland Security-Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies, 2013, p. 1). The United
States Congress House Committee on Homeland Security (2013) states that “no one should
mistake the common cause of securing our homeland for authority to violate the civil liberties of
Americans” (p. 3). Lucas (2017) states that part of the tension between privacy and security is
“an alleged right of anonymity (a demand for lack of accountability that is completely distinct
from either privacy or personal liberty)” in cyberspace (Lucas, 2017). Privacy safeguards impact
cybersecurity efforts, such as information sharing on cyber-attacks (Marguiles, 2017, p. 470).
Interestingly, those that advocate for privacy “fail to fully acknowledge that cybersecurity threats
jeopardize individuals’ privacy interests” (Marguiles, 2017, p. 470).
Sovereign and Citizen Self-Defense
Citizen and organization self-defense is a convoluted topic, given that the international
community cannot reach a consensus on sovereign self-defense in response to cyber activities
originating from outside of a nation’s borders. Although proposed ACD measures are focused on
attribution, an intrusion to determine attribution could inadvertently cause unintentional and
unforeseen reactions, including damage to intermediary or adversary systems, which could result
in an international crisis. This could be characterized by a nation-state as an armed-attack since
the definition of an armed attack in cyberspace has not been agreed upon by the whole of the
international community. Payne and Finlay (2017) discuss a nation’s right to self-defense as
outlined by United Nations Charter Article 51, notably that the “right to self-defense is
implicated only in the event of an armed attack” (p. 541). There is not an “established definition
of ‘armed attack’ in the Charter of elsewhere in treaty law” and thus “its meaning is determined
by custom” (Payne and Finlay, 2017, p. 541). The ICJ “has repeatedly emphasized” that an “act
of self-defense is subject to meeting the elements of necessity and proportionality” with
necessity including an “aspect of immediacy” and proportionality requiring “that the response
involve ‘nothing unreasonable or excessive’” (Payne and Finlay, 2017, p. 541-543). A victim
state could establish “that the cyber-attack was a breach of international law” by characterizing
“cyber-aggression” as a “use of force in breach of the Charter” (Payne and Finlay, 2017, p. 545).
Problems arise in this characterization as there is no “conclusive definition of force” and no
method to “determine that a cyber-attack has exceeded the threshold necessary to be ‘force’”
(Payne and Finlay, 2017, p. 545). In the case of an attack such as Stuxnet, “it is unclear what
form of response would constitute a meaningful act of self-defense” (Payne and Finlay, 2017, p.
554). A subsequent section of this study will address the topic of citizen and organization cyber
self-defense through the use of “active cyber defense” for attribution purposes as part of the
proposed H.R. 4036 Active Cyber Defense Certainty (ACDC) Act.
Deconfliction of Cyber Activities Between Friendly Actors
Deconfliction of activities between friendly actors is of utmost importance when operating
within cyberspace. This is especially true when the possibility exists for states to “be held
indirectly responsible for the acts of private individuals that breach international law, even when
there is no causal link between an action of the state and that breach” (Payne and Finlay, 2017, p.
559). The government would need to deconflict cyber self-defense activities conducted by
private U.S. organizations and individuals. There are several policies and strategies that define
the government’s approach to cyberspace operations and cybersecurity of the Nation (Crowther
and Ghori, 2015, p. 76). Three Federal agencies share prominence and have overlapping
responsibilities in implementing those policies and strategies: the Department of Homeland of
Security (DHS), Department of Justice (DOJ), and Department of Defense (DOD) (Crowther and
Ghori, 2015, p. 76). DHS “coordinates the national protection, prevention, and mitigation of and
recovery from cyber incidents; disseminates domestic cyber threat and vulnerability analysis;
protects critical infrastructure; secures Federal civilian systems (the dot.gov domain); and
investigates cyber crimes under its jurisdiction” (Crowther and Ghori, 2015, p. 76). DHS
“essentially sees itself as facilitating the cyber neighborhood watch for the United States”
(Crowther and Ghori, 2015, p. 77). The Department of Homeland Security’s National
Cybersecurity and Communications Integration Center “serves as a focal point for coordinating
cybersecurity information sharing with the private sector; provides technical assistance, onsite
analysis, mitigation support, and assessment assistance to cyber-attack victims, as well as
situational awareness capability that includes integrated, actionable information about emerging
trends, imminent threats, and the status of incidents that may impact critical infrastructure; and
coordinates the national response to significant cyber incidents affecting critical infrastructure”
(Department of Homeland Security, 2014, p. 85). The NCCIC is essential to enabling DHS
collaboration with other federal agencies to “conduct high-impact criminal investigations to
disrupt and defeat cyber criminals, prioritize the recruitment and training of technical experts,
develop standardized methods, and broadly share cyber response best practices and tools”
(Department of Homeland Security, 2014, p. 44-45).
The DOJ “investigates, attributes, disrupts, and prosecutes cyber crimes; has the lead for
domestic national security operations; conducts domestic collection, analysis, and dissemination
of cyber threat intelligence; supports the national protection, prevention, mitigation of, and
recovery from cyber incidents; and coordinates cyber threat investigations” (Crowther and Ghori,
2015, p. 78). The Federal Bureau of Investigation (FBI) “leads the National Cyber Investigative
Joint Task Force (NCIJTF) as a multi-agency national focal point for coordinating, integrating,
and sharing pertinent information related to cyber threat investigations in order to determine the
identity, location, intent, motivation, capabilities, alliances, funding, and methodologies of cyber
threat groups and individuals” (House judicery subcommittee on crime, terrorism, and homeland
security hearing, 2010, p. 4). The DOD “secures the Nation’s freedom of action in cyberspace
and helps mitigate risks to national security resulting from America’s growing dependence on
cyberspace” (Crowther and Ghori, 2015, p. 79). The DOD’s “specific mission sets include
directing, securing, and defending DOD Information Network (DODIN) operations (including
the dot.mil domain); maintaining freedom of maneuver in cyberspace; executing full-spectrum
military cyberspace operations; providing shared situational awareness of cyberspace operations,
including indications and warning; and providing support to civil authorities and international
partners” (Crowther and Ghori, 2015, p. 79). By working together, these federal agencies “foster
a secure and resilient cyberspace that protects privacy and other civil liberties by design;
supports innovation and economic growth; helps maintain national security and public health and
safety; and supports legitimate commerce” (Department of Homeland Security, 2014, p. 40-41).
As previously discussed in the context of cyber self-defense, cyber activities conducted
outside of the physical borders of the United States present additional complications within the
international political spectrum. Many nation states have unique views on how activities in
cyberspace should be conducted. The views of NATO countries are presented in The
International Conference on Cyber Conflict and the Tallinn Manual (Schmitt and NATO
CCDCOE, 2017) and views from other countries (e.g., Russia, China, Iran, and North Korea) are
expressed in The Quest to Cyber Superiority: Cybersecurity Regulations, Frameworks, and
Strategies of Major Economies (Kshetri, 2016) and Chinese Cybersecurity and Defense (Ventre,
2016). The United Kingdom, France, Estonia, and Israel also have their views concerning active
defense (Center for Cyber & Homeland Security, 2016, p. 45). Although a thorough review of
each country’s policies is not discussed in this study, it is important to note that each country’s
view further complicates the prospect of cyber self-defense.
Proposed Solutions
In a utopia, unlimited resources (e.g., funding and personnel) would be available to
Federal and SLTT government agencies to combat cybercrime “ex-ante” instead of “ex-post”
(Jones, 2007, p. 615). Unfortunately, prevention is not a total solution and dedicating unlimited
resources to combatting cybercrime is just as unrealistic as a crime-free world. Thus, unique
solutions have been proposed to target the causes of the previously mentioned problems.
H.R. 4036 Active Cyber Defense Certainty Act
On October 12, 2017, U.S. Representatives Tom Graves (R-GA-14) and Kyrsten Sinema
(D-AZ-9) introduced the bipartisan H.R. 4036 Active Cyber Defense Certainty (ACDC) Act to
the House of Representatives (United States Congress, 2017). The act amends title 18, United
States Code “to provide a defense to prosecution for fraud and related activity in connection with
computers for persons defending against unauthorized intrusions into their computers, and for
other purposes” (United States Congress, 2017). Untimely responses to cybercrimes by law
enforcement (LE) has led to fewer prosecutions resulting in a decrease in deterrence and an
increase in threat activity (United States Congress, 2017, p. 2). Cybercriminals have continued to
develop new tactics, while the Federal government has been unable to reform current law to
allow “new cyber tools and deterrence methods for defenders” (United States Congress, 2017, p.
2). U.S. citizens and organizations should always report cybercrime to LE and seek to improve
defensive measures first (United States Congress, 2017, p. 2). However, Federal agencies must
prioritize cyber incidents of national significance, while also being more responsive to reports of
cybercrime from individuals and organizations (United States Congress, 2017, p. 3).
When properly utilized, active cyber defense (ACD) measures can assist in improving
defenses and deterring threats (United States Congress, 2017, p. 3). ACD can also be used by
defenders within the “dark web” to return “private property such as intellectual property and
financial records” (United States Congress, 2017, p. 3). The bill defines ACD measures as “any
measure undertaken by a or at the discretion of a defender” that “consists of accessing without
authorization the computer of the attacker to the defender’s own network to gather information”
that “establishes attribution”, “disrupts continued unauthorized activity against the defender’s
own network”, or “monitors the behavior of an attacker to assist in developing future intrusion
prevention or cyber defense techniques” (United States Congress, 2017, p. 6-7). This does not
include destroying or rendering any information “inoperable”, “recklessly [causing] physical
injury or financial loss”, “[creating] a threat to the public health or safety”, “exceeding a level of
reconnaissance required on an intermediary’s computer to allow for attribution of the origin of
the persistent cyber intrusion”, “intrusive or remote access into an intermediary’s computer”,
“persistent disruption to a person or entities internet connectivity resulting in damages”, or
[impacting] “national security information”, “government computers”, or “computer systems
used by or for a Government entity for the furtherance of the administration of justice, national
defense, or national security” (United States Congress, 2017, p. 7-8). Note that the previously
discussed method of attribution, hacking-back, was typically executed by “reversing the attack
chain” and exploiting the intermediate systems until the defender reaches and exploits the
attacker (Institute for Defense Analyses, 2007, p. 23). The “distinction between attributional
technology and active cyber defense measures” aims to end “legal and technical arguments”
(Forscey, 2017). Ultimately, it paves the way for “innovation in attributional techniques by
removing the cloud of potential criminal charges” over defenders “who utilize active cyber
defense measures” (Forscey, 2017). It seems that the attributional methods previously described
by Wilhoit (2013) using BeEF would be permissible under this exemption (p. 10). The definition
of active cyber defense within the bill seems to follow the disputed definition that Flowers and
Zeadally (2014), Rosenzweig (2014), and Iasiello (2014) reference from the U.S. Department of
Defense Strategy for Operating in Cyberspace (2011).
Following the laws of other nations when conducting ACD is on the onus of “qualified
defenders with a high degree of confidence in attribution” (United States Congress, 2017, p. 4).
The bill does not define the educational requirements, nor does it state the required licensing and
credentialing of a qualified defender. The Center for Cyber & Homeland Security (2016)
recommends that the government “grant licenses to certain cybersecurity companies that would
allow them to engage in limited active defense techniques” (p. 28). Graves (2017) states “that he
would not recommend anyone who is not trained to attempt to leave their system and engage in
some sort of attribution attempt outside of their system.” Those who were to do so and “caused
harm or damage or something to somebody else’s even if it is an attacker system, they would be
accountable under current law” (Graves, 2017). Instead, Graves (2017) recommends that an
organization “hire a company to help protect them when it is occurring”. The defender must
“avoid impacting intermediary computers” and causing an “escalatory cycle of cyber activity”
(United States Congress, 2017, p. 4). The term “impact” is not defined regarding denial,
disruption, degradation, destruction, or manipulation which allows room for interpretation.

Huang (2014) recommends the implementation of a deputation scheme by the government that
grant express approval to conduct ACD measures (p. 1263).
The bill states that the purpose of the Act is to “provide legal certainty by clarifying the
type of tools and techniques that defenders can use that exceed the boundaries of their own
computer network” (United States Congress, 2017, p. 4). Unfortunately, updates to legislation
may not be as rapid as changes to tools, tactics, techniques, and procedures utilized by defenders
as a result to changes in tools, tactics, techniques, and procedures employed by attackers. Since
January 1, 2017, the 115th Congress has passed 130 bills into law. This averages out to 156 days
from bill introduction to law, a minimum of one day from bill introduction to law, and a
maximum of 411 days from bill introduction to law (see “Appendix D: 115th Congress Average
Days from Bill Introduction to Law” for queried data). The bill should delegate the responsibility
of clarifying the types of tools and “procedures” that defenders can use to the NCIJTF, while
maintaining that the bill prescribes the “tactics” and “techniques” in accordance with the
definitions of the terms “tactics”, “techniques”, and “procedures” outlined in Joint Publication 1-
02: Department of Defense Dictionary of Military and Associated Terms (Chairman Joint Chiefs
of Staff, 2018, p. 188-231).
The bill provides an exception to Section 1030 of Title 18, United States Code, to allow
defenders to utilize “attributional technology” such as “a program, code, or command” that
“beacons or returns locational or attributional data in response to a cyber intrusion” (United
States Congress, 2017, p. 4-5). The “program, code, or command” can be copied or removed
from the computer of the defender to an unauthorized user; this code cannot impair the “essential
operating functionality or create a backdoor in the attacker’s computer system” (United States
Congress, 2017, p. 5). Attributional data includes “any digital information such as log files, text
strings, timestamps, malware sample, identifiers such as usernames and Internet Protocol
addresses and metadata or other digital artifacts gathered through forensic analysis” (United
States Congress, 2017, p. 5). The bill also provides an exception to Section 1030 of Title 18,
United States Code, to allow defenders to utilize ACD measures (United States Congress, 2017,
p. 5). This, however, “does not prevent a United States person or entity who is targeted by an
active defense measure from seeking a civil remedy, including compensatory damages or
injunctive relief” (United States Congress, 2017, p. 6).
Defenders are required to notify and receive a response from the NCIJTF before using an
ACD measure (United States Congress, 2017, p. 9). The notification is required to include
information about the “type of cyber breach,” “intended target of the ACD measure,” evidence
preservation plans, damage prevention plans, and all other information required by the FBI
(United States Congress, 2017, p. 9-10). This notification may be submitted in advance for
review and assessment by the FBI and other agencies for conformance to law and for technical
improvement (United States Congress, 2017, p. 10). The FBI will have the authority to prioritize
requests based on “the availability” of resources (United States Congress, 2017, p. 10).
Defenders should keep in mind that this process of deconfliction with the FBI could be
met with untimely responses, which was one of the founding Congressional findings that form
the basis for the necessity of this bill (United States Congress, 2017, p. 2). This is also
counterproductive to the “the real-time detection, analysis, and mitigation of threats” as defined
in the NSA IAD’s definition of ACD (NSA IAD, 2015). Huang (2014) states there are
“fundamental weaknesses in efficiency and efficacy” in requiring government approval that
revolve around the governments lack of resources (p. 1257). If responses to requests for ACD
measures to the FBI are untimely (that is exceeding a predefined threshold of what is considered
real-time and effective in mitigating a threat), it will significantly affect the ability of defenders
to utilize ACD measures to conduct attribution of a threat maneuvering rapidly within
cyberspace. If this is not addressed, it may undermine the overall effectiveness of the bill. The
bill also requires that the DOJ deliver a report “detailing the results of LE activities pertaining to
cybercriminal deterrence for the previous calendar year” eight items describe within the bill
(United States Congress, 2017, p. 11-12). This bill will require that the FBI create a “pilot
program to last for 2 years after the date of enactment of this Act, to allow for a voluntary
preemptive review of active defense measures” (United States Congress, 2017, p. 10).
Cyber Community Watch Program (The Community Policing Model)
One alternative presented by Jones (2007) is the idea of a “virtual neighborhood watch”
which he conceptualized from the community policing model (p. 601). For this study, this
concept will be discussed regarding a cyber community watch. Within cyberspace, a community
can revolve around a “virtual place (eBay),” a physical place (“realspace”), a “concept
(Maoism),” or even a “sport” (Jones, 2007, p. 618). The concept of a cyberspace community has
broadened since Jones (2007) wrote his original paper. Social media has “emerged as the
defining trend in the last decade” and it “continues to restructure communication and interactions
between individuals, communities, government, and businesses” (Heggde & Shainesh, 2018, p.
V).
The concept of community policing has been around since the 1970s and 1980s to
combat crime “plaguing America’s inner cities” (Jones, 2007, p. 615). This concept is founded
upon the “notion that even high crime communities are composed of a majority of law-abiding
citizens” (Jones, 2007, p. 616). Strategies include “community building events” and
“stewardship” that “calls on citizens to view themselves as responsible for the welfare of the
larger community” (Jones, 2007, p. 616-617). The goal is to “increase the cost of committing
cybercrime” through a traditional risk management strategy (Jones, 2007, p. 617-618).
Cyber 9-1-1
Literature that discussed a “cyber 9-1-1” was not available. However, this concept
revolves around a cyber-focused implementation of the 911 system. The 911 system “was
designed to provide a universal, easy-to-remember number for people to reach police, fire or
emergency medical assistance from any phone in any location, without having to look up
specific phone numbers” (911.gov, 2018). The Department of Homeland Security has a
Reporting a Cybercrime Complaint Tip Card that lists US-CERT.gov, FTC.gov, IC3.gov, and
SSA.gov as resources for reporting cybercrime (Department of Homeland Security, 2018).
However, there does not appear to be a centralized, universal, timely, easy-to-remember point of
contact for people to reach assistance for cyber-related crimes from any device in any location.
Research Objective
Although barriers and solution to combatting cybercrime have been identified and
thoroughly analyzed by large technology firms, academic institutes, and parts of the federal
government, there are still some unknowns regarding support and opposition to the proposed
solutions. Before conducting this research, the author notes that there was strong opposition to
the ACDC Act within the author’s LinkedIn network. The primary objective of this research
study is to identify the relationships between support and opposition to the proposed solutions
and various demographics. The data collected during this research was used to answer the
primary research question. “How many and what types of individuals and organizations support
or oppose active cyber defense measures by US citizens and organizations (e.g., cyber
knowledge, history of victimization)?”

Research Methodology
To accurately answer the primary research question, it is necessary to collect information
from a large and diverse population. Thus, a quantitative method for data collection and analysis
was collected. This was orchestrated through the use of an electronic survey instrument that was
designed, developed, and distributed to increase the potential number of respondents, and
increase the number of data point available for further analytics. Specifically, the survey
questions will determine a percentage of individuals who support and oppose counter-hacking
and the ACDC Act.
Data Collection Instrument
The types of data collected throughout this survey included a count of support and
opposition for the ACDC Act, support and opposition for alternative solutions to combatting
cybercrime, and basic demographic data. Formatting of questions included single answer
multiple choice, multiple answer multiple choice, and manual text entries. Additionally, the
questions covered topics, including, history of victimization (work and personal), the cause of
opposition and support, the likelihood of engaging in “active cyber defense” if legalized,
industry/occupational category, and self-assessed level of cybersecurity knowledge and
experience.
Refer to Appendix A for the survey collection instrument and questions.
Refer to Appendix B for the “Invitation to Participate” in the survey.
Access to Data Sources and Sampling Techniques
The survey leveraged existing relationship networks, with a strong emphasis on The
Pennsylvania State University World campus community. The survey was distributed to all
graduate students attending The Pennsylvania State University World Campus. The results of the
survey demonstrate the diverse demographics of the respondents. A separate survey was also
distributed to the author’s LinkedIn network consisting of over 1,000 professional connections
within the various industries, academia, and government. Four separate LinkedIn posts were
distributed using colorful, eye-catching word clouds that were generated using all of the words
from a draft of this research paper. Collectively, these posts had over 900 views based on
LinkedIn analytics (see Appendix B). The results, however, were excluded from the results as
there were only ten usable responses.
Data Collection & Analysis
Qualtrics was used utilized to develop, collect and report of quantitative survey data
obtained from the respondents. Although students do not have access to send electronic survey
invitations to an entire e-mail distribution list, a list of two-letter combinations (Aa-Zz) was used
to fuzz the names of all students within the ALL students group. The students were then sent the
invitation to participate in the electronic survey. The survey responses are stored in Qualtrics’
proprietary database, which allows the survey administrator to export data into various formats,
including comma-separated value (CSV) files that can be imported into Excel and Minitab.
Minitab was utilized to gather counts of support/opposition/undecided for the ACDC Act,
alternative programs selected, opposition reasons, support reasons, the probability of
organizational use, government vs. citizen responsibility, and government vs. organization
responsibility. Additionally, cross-tabulation of the responses in Minitab was conducted to
correlate support/opposition to government employment, age, history of victimization (work and
personal), industry and occupational category, self-assessed level of cybersecurity knowledge
and experience, and the likelihood of engaging in “active cyber defense” if legalized.
Results
Data collection occurred during the period of March 7, 2018, through March 26, 2018. In
total, there were 66 respondents who addressed the questions included in the data collection
instrument. However, after analyzing the Qualtrics metadata, it was noted that 17 respondents
did not complete the survey. Progress rates for these respondents included 26% (5 respondents),
9% (5 respondents), and 0% (7 respondents). All answers associated with these individuals were
removed from the total population. This resulted in 49 respondents for which data analytics
could be performed.
The majority (59%) of the respondents were between 35 to 49 years of age as depicted in
“Figure 5. Age of respondents”. The majority (35%) of the respondents worked in the
Information Technology Services industry, followed by Aerospace and Defense (12%), Other
(12%), Financial Data Services (8%), and Healthcare (8%; subcategories combined) as shown in
“Table 2. Industry of respondents”. The majority (73%) of the respondents categorized their
occupation within Information Technology as shown in “Table 3. The occupational category of
respondents”.
Figure 5. Age of respondents.
Demographic: Age
of Respondents
16% 25% 25-34

35-49
59% 50-64
Table 2. Industry of respondents.
Variables Total Percent

Aerospace and Defense 6 12.24
Commercial Banks 2 4.08

Computer Software 1 2.04
Construction / Farm Equipment 1 2.04
Education 3 6.12
Energy 1 2.04
Financial Data Services 4 8.16
Food Services 1 2.04
General Merchandisers 1 2.04
Healthcare: Medical Facilities 2 4.08
Healthcare: Pharmacy and Other 2 4.08
Information Technology Services 17 34.69
Insurance: Health, Life 1 2.04
Other 6 12.24
Securities 1 2.04
Table 3. The occupational category of respondents
Variables Count Percent

Business Management and Administration 1 2.04
Education and Training 1 2.04
Finance 1 2.04
Government and Public Administration 3 6.12
Information Technology 36 73.47
Law, Public Safety, Corrections 1 2.04
Other 4 8.16
Science, Technology, Engineering, Math 2 4.08
After reading an abstract of the Active Cyber Defense Certainty (ACDC) Act, the
respondents were asked to determine their view of the legislation as “support,” “oppose,” or “not
sure.” As depicted in “Figure 6. Total Count of Support/Opposition/Undecided” the majority of
respondents either supported (45%) or were undecided (45%) with the remaining 10% opposing.
Cross-tabulation of bill support with other variables yielded exciting results. The majority (63%)
of respondents who supported the ACDC Act had not, to their knowledge, personally been the
victim of a cyber-crime as depicted in “Table 4. Cross-tab bill support/opposition with a history
of victimization (personal)”. The majority (41%) of respondents did report that their
organization/employer had been the victim of a cyber-crime as depicted in “Table 5. Cross-tab
bill support/opposition with a history of victimization (personal)”. The majority (67%) of

government employees, which represented 24% of the total respondents, supported the
legislation as depicted in “Table 6. Cross-tab bill support/opposition with government
employment”. The cross-tabulation of age range with support, oppose, and undecided responses
yielded the following as shown in “Figure 7: Cross-tabulation of bill support/opposition with age
group”:
 55% of supporters are age 35-49
 22.7% of supporters are age 25-34
 22.7% of supporters are 50-64
 80% of opposers are age 35-49
 20% of opposers are age 25-34
 59% of undecided are age 35-49
Figure 6. Total Count of Support/Opposition/Undecided.

Support vs. Opposition of ACDC Act
Support
45% 45% Oppose
Undecided
10%
Table 4. Cross-tab bill support/opposition with a history of victimization (personal).
Variables No Not Sure Yes

Support 15 0 7
Oppose 3 0 2
Not Sure 13 2 7
Table 5. Cross-tab bill support/opposition with a history of victimization (organization).
Variables No Not Sure Yes

Support 6 5 11
Oppose 2 2 1
Not Sure 6 8 8
Table 6. Cross-tab bill support/opposition with government employment.
Variables No Yes
Support 14 8
Oppose 4 1
Not Sure 19 3
Figure 7. Cross-tabulation of bill support/opposition with age group.
Cross-tabulation of bill support/opposition

with age group
35
30
25
20
15
10
0
25-34 35-49 50-64
Support Oppose Not Sure
Of the total respondents, supporters of the legislation represent the information
technology (16%), other (10%), financial data services (6%), healthcare (4%), education (4%),
construction / farm equipment (2%), and aerospace and defense (2%) industries as depicted in
“Figure 8. Cross-tabulation of bill support and opposition with industry”. Of the total
respondents, supporters of the legislation represent the information technology (29%),

government and public administration (4%), other (4%), finance (2%), education and training
(2%), business management (2%), law, public safety, and corrections (2%) occupational
categories as depicted in “Figure 9. Cross-tabulation of bill support and opposition with
occupational category”.
Figure 8. Cross-tabulation of bill support and opposition with industry.

Cross-tabulation of bill support and opposition with industry
Information Technology Services

Healthcare: Pharmacy and Other
Healthcare: Medical Facilities
General Merchandisers
Food Services
Financial Data Services
Energy
Education
Construction / Farm Equipment
Computer Software
Commercial Banks
Aerospace and Defense
0 2 4 6 8 10 12 14 16 18
Figure 9. Cross-tabulation of bill support and opposition with occupational category.

Cross-tabulation of bill support and opposition with

occupational category
Science, Technology, Engineering, Math

Other
Law, Public Safety, Corrections
Information Technology
Government and Public Administration
Finance
Education and Training
Business Management and Administration
0 5 10 15 20 25 30 35 40
Respondents were asked to provide a self-assessment of their level of cyber knowledge
and practical experience. “Table 7. Cross-tab bill support/opposition with cyber knowledge” and
“Table 8. Cross-tab bill support/opposition with practical cyber experience” reveal the following:
 100% of opposers ranged from knowledgeable to very knowledgeable in cybersecurity
 100% of opposers had practical experience in cybersecurity
 92% of the undecided ranged from average knowledge to very knowledgeable in
cybersecurity
 73% of the undecided had practical experience in cybersecurity
 88% of supporters ranged from average knowledge to very knowledgeable in
cybersecurity
 59% of supporters had practical experience in cybersecurity
Table 7. Cross-tab bill support/opposition with cyber knowledge.

No
Variables Knowledge Average Knowledgeable Some Very
Knowledge Knowledge Knowledgeable
Support 3* 5 6 3 8
Oppose 0* 0 2 0 3
Not Sure 2* 6 12 2 2
*Value added
Table 8. Cross-tab bill support/opposition with practical cyber experience.
Variables Practical No Practical

Experience Experience
Support 13 9
Oppose 5 0
Not Sure 16 6
Respondents were asked to select (all that apply) from a list of justifications for their
support or opposition to the legislation. Respondents that elected to oppose the legislation
reasoned that difficulties in attribution (80%), possibilities of collateral damage (80%),
difficulties in approving active [cyber] defense measures through Federal agencies (60%), and
possibilities of an escalated response from the attacker[s] (80%) contributed to their decision as
depicted in “Table 9. Total count of opposition reasons”. One manual entry to “other” was also
provided: “botnets and other command and control situations utilize third-party machines, and
ACD would be an invasion of privacy, and probably a slew of other legal issues.” This response
could be split into three separate responses and interpreted as:
 Attacker use of intermediary systems (e.g., botnets)
 Invasion of the privacy of unspecified parties (likely intermediary systems)
 Other unspecified legal issues
Respondents that elected to support the legislation reasoned that defensive measures alone will
not curve cyber threats (86%) and citizens and organizations have the right to self-defense (82%)
contributed to their decision as depicted in “Table 10. Total count of support reasons”. One
manual response to “other” was also provided: “more information about attackers will help law
enforcement more effectively combat attackers.” This response could be interpreted literally.
Table 9. Total count of opposition reasons.
Variables Count
Difficulties in attribution 4
The possibility of collateral damage 4
Difficulties in approving active [cyber] defense measures with 3
Federal agencies
The possibility of an escalated response from the attacker 4
Other (respondent provided)
Botnets and other Command and Control situations 1
utilize third-party machines, and ACD would be an
invasion of privacy, and probably a slew of other legal
issues.
Table 10. Total count of support reasons.
Variables Count
Defensive measures alone will not curve cyber threats 19
Citizens and organizations have the right to self-defense 18
Other (respondent provided) 1
More information about attackers will help law 1
enforcement more effectively combat attackers
Respondents were asked to provide the likelihood that their organization/employer would
engage in the ACD measures outlined in the legislation as depicted in “Figure 10. Total count of
the likelihood of organizational use”. The majority (31%) of respondents reported that it was
“likely” that their organization would engage in ACD measures with the remainder reporting that
they were unsure (25%) or that it was unlikely (20%), highly unlikely (10%), and highly likely
(8%).
Figure 10. Total count of the likelihood of organizational use.

TOTAL COUNT OF LIKELIHOOD OF ORGANIZATIONAL
USE
Highly Likely Highly Unlikely Likely Not Sure Unlikely No Response
6% 8%
10%
20%
31%
25%
All respondents were asked to select (all that apply) the parties that they felt were
responsible for protecting citizens and organizations in cyberspace as depicted in “Figure 11.
Total count of responsible parties”. The majority (80%) of respondents reported that they felt
that the Federal government was responsible for protecting individual citizens in cyberspace.
This was followed by SLTT government (74%), myself/individual (69%), and undecided (4%).
The majority (78%) of respondents reported that they felt that the Federal government was
responsible for protecting organizations in cyberspace. This was followed by the organization
(63%), SLTT government (47%), and undecided (8%).

Figure 11. Total count of responsible parties.

Total count of responsible parties
45
40
35
30
25
20
15
10
5
0
Federal SLTT government Individual / Undecided
government Organization
Citizen vs. Government Organization vs. Government
Finally, all respondents were asked to select (all that apply) alternative
programs/solutions to the legislation that they would support. No descriptive information was
provided to respondents for these programs/solutions. The majority (71%) supported increasing
resources available to Federal agencies that handle cyber cases as depicted in “Table 11.Total
count of alternative programs selected”. Other responses included increasing resource available
to SLTT governments (59%), a cyber 9-1-1 program (57%), community cyber neighborhood
watch programs (45%), other (6%). One manual entry stated that they would like to see
“increased education to organizations and individuals to build ACD skills and tools.”
Table 11. Total count of alternative programs selected.
Variables Count
Community cyber neighborhood watch programs 22
Increasing resources available to Federal agencies that handle 35
cyber cases
A cyber 9-1-1 program 28
Increasing resources available to SLTT governments 29
Other (respondent provided) 3
Increased education to organizations and individuals to build 1
ACD skills and tools
Conclusion
Based upon the results, the majority of respondents supported the ACDC Act, which was
contrary to anecdotal observations of discussions on LinkedIn opposing the ACDC Act. The
majority of respondents reported that their organization/employer had been the victim of a cyber-
crime, although the majority of respondents had not personally been the victim of cybercrime.
This supports the hypothesis that a relationship between support of the legislation and history of
organization/employer victimization may exist. The majority of supporters represented the
information technology, financial data services, healthcare, education, construction/farm
equipment, and aerospace and defense industries. Interestingly, the Verizon 2017 Data Breach
Investigations Report Executive Summary illustrates that victims of breaches in 2017 affected
financial organizations (24%), healthcare organizations (15%), public sector entities (12%), and
retail and accommodation (15%) (Verizon Enterprise Solutions, 2018, p.2). This implies that
there may be a relationship between organizational victimization in these industries and support
for the ACDC Act, as hypothesized.
All of the respondents opposing the legislation reported that they were knowledgeable
and had practical experience in cybersecurity. However, the majority of supporters and those
who were undecided also had knowledge and experience in cybersecurity. The majority of
respondents opposing the legislation reasoned that difficulties in attribution, possibilities of
collateral damage, difficulties in approving ACD measures through Federal agencies, and
possibilities of an escalated response from the attacker[s] contributed to their decision. These
selections were created from and were consistent with the anecdotal observations of discussions
on LinkedIn opposing the ACDC Act. The majority of respondents that supported the legislation
reasoned that defensive measures alone would not curve cyber threats and that citizens and
organizations have the right to self-defense. This was consistent with the literature reviewed in
the sections "Defining Active Cyber Defense" and "Government Responsibility." The majority
of respondents reported that it was likely that their organization would engage in ACD measures.
However, when comparing the combination of those that responded high likely or likely (39%)
with the combination of those that responded high unlikely and unlikely (30%), there was not an
overwhelming difference.
There was support for a cyber 9-1-1 program, and a community cyber neighborhood
watch program, however, no detail was given in the survey instrument about what these
programs would consist of. The majority of all respondents felt that the Federal government was
responsible for protecting citizens and organizations in cyberspace, though there was also a
significant percentage that felt that citizens and organizations also have a role in protecting
themselves in cyberspace. One possible issue with this result is that the term protection was not
described regarding passive or active defense. The majority of all respondents supported
increasing resources available to Federal and SLTT agencies that handle cyber cases. This
majority view by the respondents is counter to Graves’ (2017) view that “we shouldn’t expect
them to do it” when discussing the government’s responsibility in protecting citizens and
organizations in cyberspace. It is important to note, however, that the literature review
demonstrates that resource deficiencies within the government are not easily solved, even with
increased monetary resources due to personnel shortages that are linked to the private sector
outbidding the Federal government for qualified personnel.
Limitations and Future Research
Although this research study examined support and opposition for the ACD measures
outlined in the ACDC Act, it did not analyze support for all of the ACD measures that have been
recommended in the literature review. Additionally, it is unknown how these results would scale
across the entire US population. Future research should be conducted to determine the possibility
of combining and leveraging components of each of the solutions above to build all-
encompassing approach to individual, community, and organizational resiliency. This would
include a cyber community watch program that can communicate with a centralized cyber
emergency management system (e.g., 9-1-1). A successful cyber community watch program
would likely include government and non-government (NGO) sponsored cyber self-defense
training programs that focus on resiliency through identification (including cyber threat
intelligence), protection, detection, response (including ACD response measures), and recovery,
as outlined in the NIST Cybersecurity Framework (National Institute of Standards and
Technology, 2018).
However, without the adoption of artificial intelligence and machine learning, this
resiliency is limited by the speed of human intervention. Sacoco (2017) of Lastline, recently
published an article that suggested that “organizations would start to automate as many
cybersecurity functions as possible during 2018” (p. 3). Additionally, DHS (2014) states that the
“cyber ecosystem needs self-mitigating and self-healing systems to address threats
at machine speed” (p. 45). Reporting incidents, sharing intelligence, and approving and
executing ACD measures could all be accomplished at machine speed while also integrating
humans-in-the-loop. During the interview with Graves (2017), Stewart Baker, the interviewer,
states that “you don’t have time to call the government” during an attack, rather you have
“seconds or minutes not 24, 36, or 72 hours” to take action (Graves, 2017). Baker recommends
to Graves (2017) that the Justice Department approve tools “as long as they are used in [a
prespecified] way” (Graves, 2017). Graves (2017) states responds “that’s a great
recommendation and that’s exactly what this legislation, I hope, promises—ideas just like that”
(Graves, 2017). Graves (2017) goes on to describe beaconing technology that would do
something similar to Baker’s recommendation (Graves, 2017).
Huang (2014) also believes that defenders should also “be able to isolate botnets from
their controllers” and go further by installing updates “to remove the underlying malware itself”
(p. 1265). The DARPA project, Harnessing Autonomy for Countering Cyberadversary Systems
(HACCS), aims to accomplish this by “developing safe, reliable, and effect capabilities for
conducting Internet-scale counter-cyber operations to deny adversaries’ use of neutral (gray)
systems and networks (e.g., botnets)” (Keromytis, 2017, p. 3). If the ACDC Act is passed, it will
only be the first step of many towards an overarching active cyber defense strategy that will
enforce costs on cybercriminals.

References
911.gov (2018). 911.gov. [online] 911.gov. Available at:
https://www.911.gov/about_national_911program.html
Ayala, L. (2016). Cybersecurity lexicon (1st 2017;1; ed.). Berkeley, CA: Apress.
doi:10.1007/978-1-4842-2068-9
Center for Cyber & Homeland Security (2016). Into the gray zone: The private sector and active
defense against cyber threats. [online] District of Columbia: The George Washington
University. Available at:
https://cchs.gwu.edu/sites/g/files/zaxdzs2371/f/downloads/CCHS-
ActiveDefenseReportFINAL.pdf
Chairman Joint Chiefs of Staff (2018). Department of Defense Dictionary of Military and
Associated Terms. Chairman Joint Chiefs of Staff. Retrieved from
http://www.jcs.mil/doctrine/dod_dictionary/
Chairman Joint Chiefs of Staff. (2013). JP 3-12: Cyberspace Operations. Chairman Joint Chiefs
of Staff. Retrieved from
http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12R.pdf
Cole, E. (2013). Advanced persistent threat: Understanding the danger and how to protect your
organization. Waltham, MA: Syngress.
Crowther, G. A., & Ghori, S. (2015). Detangling the web: A screenshot of U.S. government
cyber activity. Joint Force Quarterly: JFQ, (78), 75.
Curran, J. (2016). Report calls on government to clarify 'active' cyber defense. Cybersecurity
Policy Report, 1.
Department of Homeland Security (2014). The 2014 Quadrennial Homeland Security Review.
Department of Homeland Security.
Department of Homeland Security (2018). Reporting a Cybercrime Complaint Tip Card.
Department of Homeland Security. Retrieved from
https://www.dhs.gov/sites/default/files/publications/Reporting%20a%20Cybercrime%20
Complaint_0.pdf
Federal Bureau of Investigation Internet Crime Complaint Center. (2017). 2015 Internet Crime
Report (p. 3). Department of Justice and Federal Bureau of Investigation Internet Crime
Complaint Center.
Flowers, A. & Zeadally, S. (2014). US Policy on Active Cyber Defense. Journal of Homeland
Security and Emergency Management, 11(2), pp. 289-308. Retrieved 1 Sep. 2017, from
doi:10.1515/jhsem-2014-0021
Forscey, D. (2017). New ‘Hack Back’ Legislation Makes Improvements and Raises New
Questions. [online] Lawfare. Available at: https://www.lawfareblog.com/new-hack-back-
legislation-makes-improvements-and-raises-new-questions
Garrie, D., & Reeves, S. R. (2016). An unsatisfactory state of the law: The limited options for a
corporation dealing with cyber hostilities by state actors. Cardozo Law Review, 37(5),
1827.
Goode, A. C. (2015). Cyberterrorists: The identification and classification of non-state actors
who engage in cyber-hostilities. Military Law Review, 223(No. 1), 157.
Graves, T. (2017). The Cyberlaw Podcast: Interview with United States Representative Tom
Graves.
Heckman, K., Stech, F., Thomas, R., Schmoker, B. and Tsow, A. (2015). Cyber Denial,
Deception and Counter Deception. Cham: Springer International Publishing.
Heggde, G., Shainesh, G., & SpringerLink (Online service). (2018). Social media marketing:
Emerging concepts and applications. Singapore: Springer Singapore.
House judicery subcommittee on crime, terrorism, and homeland security hearing. (2010).
Washington: Federal Information & News Dispatch, Inc.
Huang, S. (2014). Proposing a self-help privilege for victims of cyber attacks. The George
Washington Law Review, [online] 82(4), pp.1229-1266. Available at:
http://www.gwlr.org/wp-content/uploads/2014/10/Huang_82_4.pdf
Iasiello, E. (2014). Hacking back: Not the right solution. Parameters, 44(3), 105.
Institute for Defense Analyses (2007). Techniques for Cyber Attack Attribution. Alexandria, VA:
Defense Technical Information Center, p.23.
Jones, B. R. (2007). Comment: virtual neighborhood watch: open source software and
community policing against cybercrime. Journal of Criminal Law & Criminology, 97(2),
601-629.
Jordan, T. (2017). A genealogy of hacking. Convergence: The International Journal of Research
into New Media Technologies, 23(5), 528-544. doi:10.1177/1354856516640710
Keromytis, A. (2017). Harnessing Autonomy for Countering Cyberadversary Systems (HACCS).
Kshetri, N. (2016). The quest to cyber superiority: Cybersecurity regulations, frameworks, and
strategies of major economies. Cham: Springer International Publishing.
Kuchler, H. (2015). Cyber insecurity: Hacking back. FT.Com.
Lucas, G. R. (2017). Ethics and cyber warfare: The quest for responsible security in the age of
digital warfare. New York, NY, United States of America: Oxford University Press.
Margulies, P. (2013). Sovereignty and cyber attacks: Technology's challenge to the law of state
responsibility. Melbourne Journal of International Law, 14(2), 496-519.
Margulies, P. (2017). Global cybersecurity, surveillance, and privacy: The obama
administration's conflicted legacy. Indiana Journal of Global Legal Studies, 24(2), 459.
National Institute for Standards and Technology (2018). Cybersecurity Framework. [online]
National Institute for Standards and Technology. Available at:
https://www.nist.gov/cyberframework
NSA IAD (2015). Active Cyber Defense (ACD). [online] Information Assurance by The National
Security Agency. Available at: https://www.iad.gov/iad/programs/iad-initiatives/active-
cyber-defense.cfm
Payne, C., & Finlay, L. (2017). Addressing obstacles to cyber-attribution: A model based on
state response to cyber-attack. The George Washington International Law Review, 49(3),
535.
Portman, R. (2015). Portman bill to improve cybersecurity workforce passes the senate. (2015).
(). Washington: Federal Information & News Dispatch, Inc. Retrieved from Social
Science Premium Collection.
Rosenzweig, P. (2014). International law and private actor active cyber defensive measures.
Stanford Journal of International Law, 50(1), 103.
Sacoco, N. (2017). Lastline reveals predictions and trends for the 2018 cyberthreat
landscape. NASDAQ OMX's News Release Distribution Channel.
Schmitt, M. N., & NATO Cooperative Cyber Defence Centre of Excellence. (2017). Tallinn
manual 2.0 on the international law applicable to cyber operations (Second ed.). New
York, NY, USA;Cambridge, United Kingdom;: Cambridge University Press.

Shamsi, J. A., Zeadally, S., Sheikh, F., & Flowers, A. (2016). Attribution in cyberspace:
Techniques and legal implications. Security and Communication Networks, 9(15), 2886-
2900. doi:10.1002/sec.1485
Sigholm, J., Militärtekniska avdelningen (MTA), Försvarshögskolan, & Militärvetenskapliga
institutionen (MVI). (2013). Non-state actors in cyberspace operations. Journal of
Military Studies, 4(1)
United States Congress. (2017). Text - H.R.4036 - 115th Congress (2017-2018): Active Cyber
Defense Certainty Act. Congress.gov. Retrieved 29 October 2017, from
https://www.congress.gov/bill/115th-congress/house-bill/4036/text?r=1
United States Congress House Committee on Homeland Security Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies. (2013). Striking the
right balance: Protecting our nation's critical infrastructure from cyber attack and
ensuring privacy and civil liberties. Bethesda, Md: ProQuest.
U.S. Department of Defense. (2011) Strategy for Operating in Cyberspace. Washington,
DC,2011.
Ventre, D. (2014). Chinese cybersecurity and defense (1st ed.). Hoboken, London; ISTE, Ltd.
Verizon Enterprise Solutions (2018). 2017 DBIR: Understand Your Cybersecurity Threats.
[online] Verizon Enterprise Solutions. Available at:
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
Wilhoit, K. (2013). The SCADA That Didn’t Cry Wolf: Who’s Really Attacking Your ICS
Equipment?. In: BlackHat USA. [online] Las Vegas: TrendMicro. Available at:
https://media.blackhat.com/us-13/US-13-Wilhoit-The-SCADA-That-Didnt-Cry-Wolf-
Whos-Really-Attacking-Your-ICS-Devices-Slides.pdf
Winkler, I. (2017). Hack back law would create cyber vigilantes. CSO (Online).
Appendix A
Data Collection Instrument
Introduction
Hello friends, my name is Daniel West. I am currently pursuing a Master’s Degree in Homeland
Security – InfoSec and Forensics (HLS/ISF). I kindly invite you to participate in a short survey
about counter-hacking in cyberspace. This survey is purely academic, contains 23 questions and
will take about 9 minutes to complete. If you have any questions, comments, or concerns then
please feel free to contact me at dlw79@psu.edu. See below for a privacy notice. Background
information on the survey is provided below, however you may continue with the survey at any
time by click the arrow at the bottom of the screen.
Background: Elected officials have started discussions on allowing citizens and organizations to
conduct "active cyber defense" for the exclusive purposes of attributing, disrupting, and
monitoring attackers. On October 12, 2017, U.S. Representatives Tom Graves and Kyrsten
Sinema introduced H.R. 4036 Active Cyber Defense Certainty (ACDC) Act to the House of
Representatives. The act amends Title 18, United States Code “to provide a defense to
prosecution for fraud and related activity in connection with computers for persons defending
against unauthorized intrusions into their computers, and for other purposes”.
Untimely responses to cybercrimes by law enforcement (LE) has led to less prosecutions
resulting in a decrease in deterrence and an increase in threat activity. Cybercriminals have
continued to develop new tactics, while the Federal government has been unable to reform
current law to allow “new cyber tools and deterrence methods for defenders”. U.S. citizens and
organizations should always report cybercrime to LE and seek to improve defensive measures
first. However, Federal agencies must prioritize cyber incidents of national significance, while
also being more responsive to reports of cybercrime from individuals and organizations. When
properly utilized, active cyber defense (ACD) measures can assist in improving defenses and
deterring threats. ACD can also be used by defenders within the “dark web” to return “private
property such as intellectual property and financial records”.
The bill's definition of "active cyber defense":
Active cyber defense (ACD) is defined in the bill as “any measure undertaken by a or at the
discretion of a defender” that “consists of accessing without authorization the computer of the
attacker to the defender’s own network to gather information” that “establishes attribution”,
“disrupts continued unauthorized activity against the defender’s own network”, or “monitors the
behavior of an attacker to assist in developing future intrusion prevention or cyber defense
techniques”. This does not include destroying or rendering any information “inoperable”,
“recklessly [causing] physical injury or financial loss”, “[creating] a threat to the public health or
safety”, “exceeding a level of reconnaissance required on an intermediary’s computer to allow
for attribution of the origin of the persistent cyber intrusion”, “intrusive or remote access into an
intermediary’s computer”, “persistent disruption to a person or entities Internet connectivity
resulting in damages”, or [impacting] “national security information”, “government computers”,
or “computer systems used by or for a Government entity for the furtherance of the
administration of justice, national defense, or national security”. Following the laws of other
nations when conducting ACD is on the onus of “qualified defenders with a high degree of
confidence in attribution” (United States Congress, 2017, p. 4). The bill does not define the
educational requirements, nor does it state the required licensing and/or credentialing of a
qualified defender. Defenders are required to notify and receive a response from the FBI
National Cyber Investigative Joint Task Force (NCIJTF) prior to using an ACD measure.
If you prefer to read the full bill, please visit: https://www.congress.gov/bill/115th-
congress/house-bill/4036/text
PRIVACY NOTICE: Your privacy is important to me. The data being collected is solely to
satisfy an academic requirement for conferral of the graduate degree. Although there are a few
generic demographics questions, the survey does not capture any Personally Identifiable
Information (PII) about you or uniquely identifying information about your organization. All raw
data and aggregate information gathered and reported will be anonymous. If you prefer you may
use any anonymity service such as Tor to take the survey. The individual datasets will be
securely discarded once this research has been completed.

Data Collection Items
1. Would you support or oppose this legislation?
a. Support
b. Oppose
c. Not Sure
2a. [ROUTED FROM Q1] You selected “oppose” as your answer to Question 1. Please select
the reason(s) that best aligns with why you oppose. Select all that apply.
d. Difficulties in attribution
e. Possibility of collateral damage
f. Difficulties in approving active defense measures with Federal agencies
g. Possibility of an escalated response from the attacker
h. Other (You will be able to provide feedback in the next question)
2b. [ROUTED FROM Q1] You selected “support” as your answer to Question 1. Please select
the reason(s) that best aligns with why you support. Select all that apply.
a. Defensive measures alone will not curve cyber threats
b. Citizens and organizations have the right to self-defense
3a. [ROUTED FROM Q2a] You responded “other” to Question 2. Please provide your response.
3b. [ROUTED FROM Q2b] You responded “other” to Question 2. Please provide your response.
4. If the ACDC Act was passed how likely would it be that your organization would engage in
the activities that are outlined?
a. Highly Likely
b. Likely
c. Unlikely
d. Highly Unlikely
e. Not sure
f. Not Applicable
5. Who do you feel is responsible for protecting US citizens against attackers in cyberspace,
particularly in regards to “offensive actions” such as counter-hacking or hacking back a threat?
(Select all that apply)
a. Federal Government
b. State, Local, Tribal, and Territorial Government
c. Myself
d. Not sure
6. Who do you feel is responsible for protecting US organizations against attackers in
cyberspace, particularly in regards to “offensive actions” such as counter-hacking or hacking
back a threat? (Select all that apply)
a. Federal Government
b. State, Local, Tribal, and Territorial Government
c. Myself
d. Not sure
7. From the list below, select all of the alternatives to the “Active Cyber Defense Certainty Act”
that you would support. Alternatively, you can specify other to provide a unique response.
(Select all that apply)
a. Community “Cyber Neighborhood Watch” Programs
b. Increasing resources available to Federal agencies that handle cyber cases (e.g., FBI)
c. Increasing resources available to State, Local, Tribal, and Territorial Government

d. A cyber 911
e. None of the above
f. Other (You will be able to provide feedback in the next question)
7a. [ROUTED FROM Q7] You responded “other” to Question 7. Please provide your response.
8. Which of the following selections best describes the industry of the organization you work
for? [LIST PROVIDED BASED ON FORTUNE 500 INDUSTRIES]
9. Which of the following best describes your occupational category? [LIST PROVIDED
BASED ON FORTUNE 500 OCCUPATIONS]
10. Are you a Federal, State, Local, Tribal, or Territorial government employees?
a. Yes
b. No
c. Prefer not to answer
11. How would you rate your level of cybersecurity knowledge?
a. No Knowledge
b. Some Knowledge
c. Average Knowledge
d. Knowledgeable
e. Very Knowledgeable
12. Do you have any practical experience in cybersecurity?
13. How many years of practical experience in cybersecurity do you have?
a. 0-3 years
b. 4-7 years
c. 8-15 years
d. 16-20 years
e. 21+ years
14. What age group do you belong?
a. 16-24
b. 25-34
c. 35-49
d. 50-64
e. 65 and over
15. Outside of the workplace, have you ever been the victim of a cyber-crime or cyber-attack
(e.g. personal computer infected with ransomware)?
a. Yes
b. No
c. Not Sure
16. To your knowledge has your employer ever been the victim of a cyber-crime or cyber-attack
(e.g. a breach that resulted in financial loss)?

Appendix B
Survey Invitation: The Pennsylvania State University World Campus Graduate Students
<Subject>: ☞ Counter-hacking in Cyberspace – Graduate Research Survey
<Body>:
Hello,
My name is Daniel West. I am currently pursuing a Master’s Degree in Homeland Security –
InfoSec and Forensics (HLS/ISF). I kindly invite you to participate in a short survey about the
Active Cyber Defense Certainty (ACDC) Act and counter-hacking in cyberspace. This survey is
purely academic, contains 23 questions and will take about 9 minutes to complete. This is a very
important topic of debate and your feedback is important to me. Feel free to contact me if you
have any questions, comments, or concerns. See below for a privacy notice.
Please click or copy this anonymous link to begin the survey:
https://pennstate.qualtrics.com/jfe/form/SV_ezagOAl94OXpzJb
PRIVACY NOTICE: Your privacy is important to me. The data being collected is solely to
satisfy an academic requirement for conferral of the graduate degree. Although there are a few
generic demographics questions, the survey does not capture any Personally Identifiable
Information (PII) about you or uniquely identifying information about your organization. All raw
data and aggregate information gathered and reported will be anonymous. If you prefer you may
use any anonymity service such as Tor to take the survey. The individual datasets will be
securely discarded once this research has been completed.

Thank you for your time and consideration.
Very Respectfully,
Daniel West
dlw79@psu.edu
LinkedIn: https://www.linkedin.com/in/danielwest1/
Survey Invitation: LinkedIn Connections

Below are the posts that were made on LinkedIn. Additionally, LinkedIn was queried for public
posts that contained discussion on the “Active Cyber Defense Certainty Act.”
Q1 Q2a_1 Q2a_2 Q2a_3 Q2a_5 Q2a_4 Q3a Q2b_1 Q2b_2 Q2b_3 Q3b Q4 Q5_1 Q5_2 Q5_3 Q5_4 Q6_1 Q6_2 Q6_3 Q6_4 Q7_1 Q7_2 Q7_3 Q7_4 Q7_6 Q7a Q8 Q8a Q9 Q9a Q10 Q11 Q12 Q12a Q13 Q14 Q15
Not Sure Highly Likely Federal Government
State Government,
Myself Local, Tribal, and Territorial Government Not sure CommunityIncreasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Other
Federal
(You
agencies
to IState,
will
think
bethat
Local,
itable
really
Computer
handle
to
Tribal,
depends
provide
cyber
and
Software
feedback
on
Territorial
cases
the (e.g.
asset
in
Information
Government
the
FBI)
itself.
nextWhile
question)
Technology
I get where
No you are Verycoming
Knowledgable
from
Yes as it's 8-15
the government's
years 35-49 job Yes
to protect us
Yesfrom "invaders" I also feel that there are privacy and rights of self-defense that we have
Not Sure Likely Federal Government
State Government,
Myself Local, Tribal, and
Federal
Territorial
Government
Government Increasing resources available
A cyber 911
to Federal agencies that Healthcare:
handle cyberMedical
cases (e.g.
Facilities
Information
FBI) TechnologyNo Knowledgable No 50-64 No Not Sure
Support Defensive measures alone will not curve cyber Likely
threats Federal Government Myself The organization Community "Cyber NeighborhoodAWatch"cyber 911Programs Construction / Farm Equipment
Information Technology No Average Knowledge
Yes 4-7 years 35-49 Yes Yes
Not Sure Likely Federal Government Federal Government CommunityIncreasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology No Knowledgable No 35-49 No Yes
Oppose Difficulties Possibility
in attribution
of collateralPossibility
damage of an escalated response from the attacker Likely Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
and Territorial Government Financial Data ServicesInformation Technology No Very Knowledgable
Yes 16-20 years35-49 Yes Yes
Support Defensive measures alone will not curve cyber Notthreats
sure Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
and TerritorialCommunity
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
Watch"toPrograms
available
Federal agencies
to State, that
Local,Other
handle
Tribal,cyber
andGovernment
Territorial
cases (e.g.
Government
Government
FBI) and PublicYes
Administration
Knowledgable Yes 0-3 years 50-64 Yes Not Sure
Support Defensive measures
Citizens and
alone
organizations
will not curve
have
cyber
the
Likely
right
threats
to self-defense
Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
and Territorial Government
Increasing resources
Increasingavailable
resources
A cyber 911
toavailable
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology Yes Knowledgable Yes 0-3 years 25-34 No No
Citizens and
alone
organizations
will not curve
have
cyber
the
Unlikely
right
threats
to self-defense
Federal Government
State Government, Local, Tribal, and
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Education
handle
Tribal,cyber
and Territorial
cases (e.g.
Information
Government
FBI) TechnologyNo Knowledgable Yes 4-7 years 25-34 No Yes
Not Sure Unlikely State Government, Local, Tribal, and
Federal
Territorial
Government
Government Community "Cyber Neighborhood
AWatch"
cyber 911Programs
available to State, Local, Commercial
Tribal, and Banks
TerritorialInformation
Government TechnologyNo Knowledgable Yes 8-15 years 35-49 Yes No
Not Sure Not sure Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Increasingavailable
resources
A cyber 911
toavailable
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Science,
Government
FBI)
Services
Technology, Engineering
No Average
and Mathematics
Knowledge
No 35-49 No Yes
Not Sure Highly Unlikely
Federal Government Not sure Increasing resources available
A cyber 911
to Federal agencies that Education
handle cyber cases (e.g. Information
FBI) TechnologyYes Knowledgable Yes 4-7 years 25-34 No Yes
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology Yes Some Knowledge
No 35-49 No Not Sure
Not Sure Unlikely Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology No Average Knowledge
Citizens and
alone
organizations
will not curve
have
cyber
the
Highly
right
threats
Likely
to self-defense
Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Increasingavailable
resources
A cyber 911
toavailable
Other
Federal
(You
agencies
to Increased
State,
will bethat
Local,
able
education
Other
handle
to
Tribal,
provide
cyber
and
toUS
feedback
organizations
Territorial
cases
Government
(e.g.
in
Information
Government
the
FBI)and
nextindividuals
question)
Technology
toNobuild ACD skills
Very and
Knowledgable
tools
Yes 16-20 years35-49 No Yes
Citizens and
alone
organizations
will not curve
have
cyber
the
Likely
right
threats
to self-defenseState Government,
Federal
Territorial
Government
Government CommunityIncreasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Healthcare:
handle
Tribal,cyber
andPharmacy
Territorial
cases (e.g.
Information
and
Government
FBI)Other Services
TechnologyNo Very Knowledgable
Yes 21+ years 35-49 Yes Yes
Citizens and
alone
organizations
will not curve
have
cyber
the
Notright
threats
sureto self-defense Myself Federal Government CommunityIncreasing
"Cyber Neighborhood
resources
Increasingavailable
resources
Watch"toPrograms
available
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology No Some Knowledge
No 35-49 Yes No
Citizens and
alone
organizations
will not curve
have
cyber
the
Unlikely
right
threats
to self-defense
Federal Government Myself Federal Government The organization CommunityIncreasing
"Cyber Neighborhood
resources available
AWatch"
cyber 911
toPrograms
Federal agencies that Education
handle cyber cases (e.g. Education
FBI) and TrainingNo Average Knowledge
Citizens and
alone
Other
organizations
will notMore
curve
have
information
cyber
the right
threats
about
to self-defense
Federal
attackers
Government
will help law enforcement moreFederal
effectively
Government
combat attackers
The organization CommunityIncreasing
"Cyber Neighborhood
resources available
Watch"toPrograms
Federal agencies that Other
handle cyber Federal
caseslaw
(e.g.
Law,
enforcement
FBI)Public Safety, Corrections
Yes and
Knowledgable
Security No 25-34 No Yes
Support Citizens and organizations have the right to self-defense
Federal Government
State Government,
Federal
Territorial
Government
Government CommunityIncreasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Government
Government
FBI)
Services and PublicYes Administration
Very Knowledgable
Not Sure Not sure Myself The organization A cyber 911 Aerospace and Defense Information Technology No Knowledgable Yes 8-15 years 35-49 No No
in attribution
of
Difficulties
collateralindamage
approvingOther
active
(You
defense
Bot
will nets
bemeasures
able
andtoother
provide
with
Command
Federal
feedback
agencies
andinControl
the nextsituations,
question).utilize
Highly a third
Unlikely
Federal
party machines,
Government
State Government,
and ACD
Myself
would
Local,
be anTribal,
invasion
and
Federal
of
Territorial
privacy,
Government
State,
Government
andLocal,
probably
TheTribal,
organization
a slew
and Territorial
of other legal
Government
issues.Increasing resources available
A cyber 911
to Federal agencies that Commercial
handle cyberBanks
cases (e.g.
Information
FBI) TechnologyNo Knowledgable Yes 21+ years 35-49 Yes No
Not Sure Unlikely Federal Government Federal Government Community "Cyber NeighborhoodAWatch"cyber 911Programs Aerospace and Defense Information Technology No Knowledgable Yes 0-3 years 25-34 No Not Sure
Support Defensive measures alone will not curve cyber Highly
threats
Unlikely
Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
and Territorial Government Increasing resources
A cyber 911available to State, Local, Other
Tribal, andFacilities
Territorial
Maintenance
Information
Government Contractor
TechnologyNo Average Knowledge
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology No Average Knowledge
Yes 0-3 years 35-49 Yes No
Support Citizens and organizations have the Highly
rightLikely
to self-defense
Federal Government Federal Government
State, Local,
TheTribal,
organization
Increasingavailable
resources
A cyber 911
toavailable
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology Yes Very Knowledgable
Yes 0-3 years 25-34 No No
in attribution
of
Difficulties
collateralPossibility
indamage
approvingof active
an escalated
defenseresponse
measures from
with
the
Federal
attacker
agencies Unlikely Federal Government Myself Federal Government The organization Aerospace and Defense Science, Technology, Engineering
No Very
and Mathematics
Knowledgable
Yes 21+ years 35-49 No Not Sure
Not Sure Highly Likely Federal Government
State Government,
Federal
Territorial
Government
Government
The organization Aerospace and Defense Information Technology No Some Knowledge
Yes 4-7 years 50-64 No Not Sure
Citizens and
alone
organizations
will not curve
have
cyber
the
Notright
threats
sureto self-defense Myself The organization Community "Cyber Neighborhood Watch" Programs Information Technology Business
Services ManagementNo and Administration
Some Knowledge
No 50-64 No No
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Food
handle
Tribal,
Services
cyber
and Territorial
cases (e.g.
Information
Government
FBI) TechnologyNo Average Knowledge
Yes 4-7 years 35-49 Not Sure No
Citizens and
alone
organizations
will not curve
have
cyber
the
Likely
right
threats
to self-defense
Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local, Tribal, and TerritorialCommunity
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology No Knowledgable No 35-49 Yes Not Sure
Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
and Territorial Government Aerospace and Defense Information Technology No Knowledgable Yes 4-7 years 35-49 Not Sure Yes
Federal Government Myself Federal Government Increasing resources available to Federal agencies that Information
handle cyberTechnology
cases (e.g.
Information
FBI)
Services Technology No Very Knowledgable
Yes 21+ years 35-49 No Yes
Not Sure Not sure Not sure Not sure Insurance: Health, LifeInformation
(Mutual) Technology No Average Knowledge
No 50-64 Yes Not Sure
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Increasingavailable
resources
A cyber 911
toavailable
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology No Knowledgable Yes 4-7 years 35-49 No No
Not Sure Unlikely Federal Government Myself Federal Government Increasing resources available to Federal agencies that Otherhandle cyber cases (e.g. Other
FBI) Yes Average Knowledge
Survey Results (PSU Students)

State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Increasingavailable
resources
A cyber 911
toavailable
Federal agencies
to State, that
Local,General
handle
Tribal,cyber
Merchandisers
and Territorial
cases (e.g.
Information
Government
FBI) TechnologyNo Knowledgable Yes 4-7 years 25-34 Yes No
Support Defensive measures alone will not curve cyber Unlikely
threats Federal Government
State Government, Local, Tribal, and Territorial Government
The organization Increasing resources available to State, Local, Information
Tribal, and Technology
TerritorialInformation
Government
Services Technology Yes Very Knowledgable
Not Sure Not sure Not sure Other (You N/A
will be ableEnergy
to provide feedback in Other
the next question)
Cyber Security
No Knowledgable Yes 8-15 years 25-34 Yes Yes
in attribution
of collateralPossibility
damage of an escalated response from the attacker Not sure Federal Government
Federal
Territorial
Government
State,
Government
Local, Tribal, and Territorial Government
Increasingavailable
resourcestoavailable
Federal agencies
to State, that
Local,Securities
handle
Tribal,cyber
and Territorial
cases (e.g.
Government
Government
FBI) and PublicYes
Administration
Very Knowledgable
Citizens and
alone
organizations
will not curve
have
cyber
the
Unlikely
right
threats
to self-defense
Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Other
handle
Tribal,cyber
andGovernment
Territorial
cases (e.g.
Other
Government
FBI) Cyber Yes Very Knowledgable
Yes 8-15 years 35-49 No Yes
in approvingof active
an escalated
defenseresponse
measures from
with
the
Federal
attacker
agencies Likely Myself The organization Information Technology Information
Services Technology No Knowledgable Yes 4-7 years 35-49 No No
Citizens and
alone
organizations
will not curve
have
cyber
the
Likely
right
threats
to self-defense Myself Federal Government
State, Local, Tribal, and TerritorialCommunity
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
Watch"toPrograms
available
Federal agencies
to State, that
Local,Financial
handle
Tribal,cyber
and
DataTerritorial
cases
Services
(e.g.
Information
Government
FBI) TechnologyNo Knowledgable Yes 8-15 years 35-49 No No
Citizens and
alone
organizations
will not curve
have
cyber
the
Likely
right
threats
to self-defense Myself The organization CommunityIncreasing
"Cyber Neighborhood
resources available
Watch"toPrograms
Federal agencies that Information
handle cyberTechnology
cases (e.g.
Information
FBI)
Services Technology No Very Knowledgable
State Government,
Myself Local, Tribal, and Territorial Government
The organization Increasing resources available to Federal agencies that Healthcare:
handle cyberMedical
cases (e.g.
Facilities
Information
FBI) TechnologyNo Knowledgable Yes 8-15 years 35-49 No Not Sure
Support Citizens and organizations have the Likely
right to self-defense
Federal Government Federal Government Increasing resources
Increasingavailable
Federal agencies
to State, that
Local,Financial
handle
Tribal,cyber
and
DataTerritorial
cases
Services
(e.g.
Finance
Government
FBI) No Some Knowledge
No 50-64 No No
Citizens and
alone
organizations
will not curve
have
cyber
the
Likely
right
threats
to self-defense
Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Increasingavailable
resources
A cyber 911
toavailable
Federal agencies
to State, that
Local,Healthcare:
handle
Tribal,cyber
andPharmacy
Territorial
cases (e.g.
Information
and
Government
FBI)Other Services
TechnologyNo Average Knowledge
No 50-64 Yes Yes
Citizens and
alone
organizations
will not curve
have
cyber
the
Unlikely
right
threats
to self-defense
Federal Government
Federal
Territorial
Government
State,
Government
Local, Tribal, and Territorial Government
Increasingavailable
Federal agencies
to State, that
Local,Financial
handle
Tribal,cyber
and
DataTerritorial
cases
Services
(e.g.
Information
Government
FBI) TechnologyNo Very Knowledgable
Citizens and
alone
organizations
will not curve
have
cyber
the
Notright
threats
sureto self-defense
Federal Government
State Government,
Federal
Territorial
Government
State,
Government
Local,
TheTribal,
organization
Government
Increasing
"Cyber Neighborhood
resources
Increasingavailable
resources
AWatch"
cyber 911
toPrograms
available
Federal agencies
to State, that
Local,Aerospace
handle
Tribal,cyber
andand
Territorial
cases
Defense
(e.g.
Other
Government
FBI) OperationsYes (DoD) Average Knowledge
No 35-49 No Yes
Not Sure Likely Federal Government Myself Federal Government The organization Increasing resources
Increasingavailable
Federal agencies
to State, that
Local,Information
handle
Tribal,cyber
and Technology
Territorial
cases (e.g.
Information
Government
FBI)
Services Technology No Knowledgable Yes 0-3 years 25-34 No Not Sure
Appendix C
Running head: ACTIVE DEFENSE IN CYBERSPACE: REVIEW OF TECHNOLOGY
63
Appendix D
115th Congress Average Days from Bill Introduction to Law
Downloade 2/28/2018 Download Link

d on Link
Legislation Date of Number of Latest Latest Number of
Number Introductio Cosponsor Action Action Days from
n s Date Introductio
n to Law
H.R. 39 1/3/2017 0 1/20/2017 Became Public Law No: 17
115-1.
115-3.
7 115-85.
115-120.
7 115-93.
S.J.Res. 1 1/3/2017 24 3/31/2017 Became Public Law No: 87
115-18.
115-31.
115-6.
115-108.
115-34.
7 115-83.
115-7.
115-53.
115-25.
115-38.
115-49.
115-39.

115-109.
S. 84 1/10/2017 0 1/20/2017 Became Public Law No: 10
115-2.
115-129.
115-50.
115-46.
115-122.
115-118.
115-115.
115-32.
115-101.
115-127.
7 115-70.
115-56.
115-9.
115-78.
115-59.
115-40.
115-110.
H.J.Res. 37 1/30/2017 17 3/27/2017 Became Public Law No: 56
115-11.
115-5.
115-8.
115-4.
115-17.

115-23.
115-12.
115-13.
115-14.
115-111.
115-15.
115-51.
115-116.
115-121.
115-35.
115-24.
115-20.
115-66.
7 115-94.
7 115-69.
115-54.
115-36.
115-10.
115-21.
115-19.
115-43.
115-102.
115-124.

115-103.
115-75.
115-33.
115-79.
115-27.
115-16.
7 115-96.
115-126.
115-26.
115-22.
115-37.
7 115-73.
115-28.
115-29.
7 115-86.
7 115-71.
115-76.
7 115-87.
115-82.
115-123.
115-67.
115-104.
115-80.

115-112.
115-30.
115-47.
115-113.
7 115-72.
115-55.
115-114.
115-42.
115-41.
115-52.
115-68.
115-65.
115-117.
7 115-95.
7 115-91.
115-77.
115-105.
7 115-84.
115-128.
115-61.
115-106.
115-99.
115-48.

7 115-88.
115-45.
H.J.Res. 7/20/2017 34 11/1/2017 Became Public Law No: 104
111 115-74.
115-44.
115-60.
115-81.
115-107.
115-58.
115-57.
115-119.
115-62.
115-63.
115-64.
7 115-89.
7 115-97.
7 115-92.
H.J.Res. 12/4/2017 0 12/8/2017 Became Public Law No: 4
123 115-90.
H.R. 4641 12/13/2017 0 1/29/2018 Became Private Law No: 47
115-1.
115-98.
115-125.
115-100.
Average 156.4923
Number
of Days
Minimu 1
m
Maximu 411
m

Active Defense in Cyberspace - Review of Technology and Politics (WEST)

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Active Defense in Cyberspace - Review of Technology and Politics (WEST)

Uploaded by

Copyright:

Available Formats

Running head: ACTIVE DEFENSE IN CYBERSPACE: REVIEW OF TECHNOLOGY 1

Active Defense in Cyberspace:

Review of Technology and Politics

The Pennsylvania State University

Daniel West, Graduate Student at Pennsylvania State University

Correspondence concerning this article should be addressed to Daniel West

to grow beyond manageability for government resources resulting in a struggle to overcome

complaints of Internet-related crime (Federal Bureau of Investigation Internet Crime Complaint

(United States Congress, 2017).

3. The total count of the probability of organizational use of ACD measures.

4. The total count of supporters for alternative solutions to ACD measures.

5. The total count of parties responsible for cyber defense.

6. Cross-tabulation to determine relationships between bill support and opposition with

a personal and organizational history of victimization, level of cyber knowledge and

experience, age, industry, occupational category and government employment.

Defining the Environment

proportionate response through cyber self-defense difficult. In A Genealogy of Hacking, Jordan

(2017) discusses “nation-state—based hacking,” and the use of government-sponsored hackers to

(Sigholm, 2013, p. 11).

Table 1: List of Main Cyber Actors.

using online services” (Sigholm, 2013, p. 13).

information from citizens” (Department of Homeland Security, 2014, p. 19-20). An advanced

APT as a “well-funded, organized group that systematically compromises government and

exposing, indicting, or imposing sanctions on the actors involved.

“cyberspace,” “cyber-attack,” “intrusion,” “cyberwarfare,” “cybersecurity,” and “cyber-crime”

consisting of the interdependent network of information systems infrastructures including the

Internet, telecommunications networks, computer systems, and embedded processors and

controlling a computing environment/infrastructure; or destroying the integrity of the data or

Lastly, cyberwarfare is “actions by a nation-state to penetrate another nation’s computers or

Barriers to Combating Cybercrime

Department of Homeland Security (2014) attributes difficulties in securing cyberspace to “the

Complaint Center received 288,012 complaints of Internet-related crime (Federal Bureau of

for criminal activities (Jones, 2007, p. 613).

intelligence, 3) defining active cyber defense, 4) government responsibility, 5) balancing civil

activities between actors (Figure 1).

Figure 1. Barriers to combatting cybercrime

Proximity & Difficulties in Attribution

As previously mentioned, actors can conduct a range of cyberspace activities or actions

characterizing the type of attack. At a nation-state level attribution is a prerequisite for an

2017, p. 556). Attribution “could involve multiple steps” including:

1. “identification of the cyberweapon used to launch the [attack],”

2. “identification of the country or city of the [attacker],”

3. “identification of the [attacker]” (Shamsi et al., 2016, p. 2889).

Attribution can be accomplished through:

RAM-based analysis”) and “network forensics or forensics on dynamic data” (e.g.

“traceback and logging” and “deceptive techniques” such as honeypots),

2. “malware-based analysis” which includes “static and dynamic analysis”, “similarity-

based attribution”, and “reverse-engineering,”

3. “indirect attribution” which includes “machine learning techniques” (e.g. “behavioral

et al., 2016, p. 2891-2895).

which can be obfuscated by an attacker using an anonymizer (Wilhoit, 2013, p. 10).

Attribution of a real-world persona from a cyber-persona may require the cooperation of

It is “widely acknowledged” that the “serious difficulty of technical attribution” is

“conflicting [attribution] requirements can be resolved by determining attribution requirements

Scale, Scope, & Artificial Intelligence

Technologies, such as automation, within cyberspace, allow cybercriminals to “reverse

cybersecurity intrusions and attacks on enterprise environments (Sacoco, 2017, p. 1).

Defining Active Cyber Defense

“[The] synchronized, real-time capability to discover, detect, analyze, and

is further convoluted by the National Security Agency (NSA) Information Assurance

Homeland Security, 2016, p. 8).

confidence in the government’s skill, determination, and resources “required to pursue

perpetrators effectively and provide adequate remediation” which US organizations feel is

interdicts a cyber-attack (2016)” to further elaborate on differences between passive defense,