Abstract
Abstract Private sector Active Cyber Defence (ACD) lies on the intersection of domestic security and international security and is a recurring subject, often under the more provocative flag of ‘hack back’, in the American debate about cyber security. This article looks at the theory and practice of private cyber security provision and analyses in more detail a number of recent reports and publications on ACD by Washington DC based commissions and think tanks. Many of these propose legalizing forms of active cyber defence, in which private cyber security companies would be allowed to operate beyond their own, or their clients’ networks, and push beyond American law as it currently stands. Generally, public-private governance solutions for security problems have to manage a balance between (i) questions of capacity and assigning responsibilities, (ii) the political legitimacy of public–private security solutions and (iii) the mitigation of their external effects. The case of private active cyber defence reveals a strong emphasis on addressing the domestic security (and political) problem, while failing to convincingly address the international security problems. The proposals aim to create a legitimate market for active cyber defence, anchored to the state through regulation and certification as a way to balance capacity, responsibilities and domestic political legitimacy. A major problem is that even though these reports anticipate international repercussions and political pushback, against what is likely be received internationally as an escalatory and provocative policy, they offer little to mitigate it.
Highlights
Corporate self-help in cyberspace is a contentious issue
This article looked at the theory and practice of private cyber security provision and analysed in more detail a number of recent reports and publications by Washington DC based commissions and think tanks that propose legalizing forms of active cyber defence, in which private cyber security companies would be allowed to operate beyond their own, or their clients’ networks, and push beyond American law as it currently stands
The proposals lack specificity: urging the government to move on expanding the possibilities for Active Cyber Defence (ACD), while reluctant to be very specific about which measures would be allowed under which circumstances
Summary
Corporate self-help in cyberspace is a contentious issue. Even though companies suffer great costs at the hands of internationally operating cyber criminals and state sponsored actors, and governments often lack capacity and political will to provide adequate protection, companies are not allowed to take matters into their own hands. Any proposal for a private or a public–private solution for Active Cyber Defence would need to provide a convincing arrangement of these different questions of capacity and legitimacy, taking into account that they are playing simultaneously on a domestic and an international political chess board. Many attributions of state sponsored cyberattacks were originally and in some case predominantly the work of private cyber security companies, exposing and naming some of the most notorious APTs, the overall view of the threat landscape that results is biased towards high-end threats to high-profile victims [63] While these forensic activities and attributions (mostly) do not venture into third party networks, they do venture into the realm of international cyber security (geo)politics as states sometimes build on these reports to (publicly) call out malicious state actors.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
