Private sector Active Cyber Defence (ACD) lies at the intersection of domestic security and international security and is a recurring subject, often under the more provocative flag of ‘hack back’, in the American debate about cyber security. This article looks at the theory and practice of private cyber security provision and analyses in more detail a number of recent reports and publications on ACD by Washington DC-based commissions and think tanks. Many of these propose legalizing forms of active cyber defence, in which private cyber security companies would be allowed to operate beyond their own, or their clients’, networks, and push beyond American law as it currently stands. Generally, public–private governance solutions for security problems have to manage a balance between (i) questions of capacity and assigning responsibilities, (ii) the political legitimacy of public–private security solutions and (iii) the mitigation of their external effects. The case of private active cyber defence reveals a strong emphasis on addressing the domestic security (and political) problem, while failing to convincingly address the international security problems. The proposals aim to create a legitimate market for active cyber defence, anchored to the state through regulation and certification as a way to balance capacity, responsibilities and domestic political legitimacy. A major problem is that even though these reports anticipate international repercussions and political pushback against what is likely to be received internationally as an escalatory and provocative policy, they offer little to mitigate it.
The United States struggles to impose meaningful costs for destructive or disruptive cyber operations. This article argues that the United States' restrained responses stem from a desire to avoid risk in an inherently uncertain operational environment. The societal desire for risk avoidance is the prism through which policymakers address the cyber domain and deliberate responses to attacks. The article shows that two particular operational characteristics of cyberspace—its complex adaptiveness and the ease of proliferation—combine to increase the risk of misattribution and the risk of unintended effects, including collateral damage, inadvertent escalation and blowback. These characteristics present a particular obstacle for risk societies such as the United States in the application of meaningful punishments. In addition to establishing the roots of US restraint, the article traces the application of risk management practices, including preventive action, increasing resilience and consequence management, from the Obama administration to the Trump administration. The analysis reveals that risk management has underpinned the overall US approach to the cyber domain.