A growing number of states are looking into active cyber defence operations to diversify their available responses to cyber incidents. In order to not only create guidelines for its member states but also to serve as a norm setter for this controversial policy issue, the EU must act now. Starting by defining active cyber defence for itself, the EU should leverage its political and economic weight to provide a framework for responsible active cyber defence operations.
As threats from cyberspace continue to evolve and impose significant costs on society, states are trying to adopt new measures to counter them. The use of cyber tools in conflicts and the necessity of responding are likely to push governments towards more aggressive postures not only to protect against potential aggressors but also to provide tools to more actively counter malicious actions.
Now is the time for the EU to seriously think about whether and how to incorporate active cyber defence alongside existing EU tools in order to be able to effectively respond to the growing number of significant cyber incidents. While member states have been discussing active cyber defence operations (ACDO) for some years – both openly and behind closed doors – and occasionally even implementing them, questions about how states act in practice surfaced at the EU level in October 2021. Active cyber defence was mentioned during the deliberations of the European Parliament’s Committee on Industry, Research and Energy (ITRE) on the draft of the new Network and Information Security Directive (NIS 2 Directive).
ACDO carry their own risks and will not be a panacea for current or future threats. As an important digital norm setter, as the implementation of the General Data Protection Regulation (GDPR) has shown, the EU and its member states could play a central role in the global policy discussion on ACDO. Not only could the EU lead efforts to mitigate the risks of active cyber defence operations, by spearheading the development of a framework of relevant principles, assessment criteria and safeguards, it could also ensure that European values and rights are upheld in cyberspace. Backed by the Digital Single Market, which contributes an estimated EUR 177 billion a year to the EU’s economic growth, the EU should once again leverage its regulatory weight. If it chooses to address this controversial cyber policy issue, it should act as a norm setter for responsible, government-led active cyber defence.
Active Cyber Defence: A Murky Matter
Active cyber defence was popularised through so-called “hack backs”; these, however, are only a sub-category of ACDO, and arguably its most intrusive form. Hack backs can be carried out both by governments and by private sector actors, the latter a form of cyber privateering. In a hack back, defenders pursue intruders outside their home network, conducting a hot pursuit across organisational boundaries and sometimes national borders to target the perpetrators’ infrastructure and network. The objective is often to delete copied data before third parties can access it, to render the operational infrastructure unusable, or to gather information about the perpetrators and their victims. While hack backs by non-government actors are widely understood to be prohibited in some jurisdictions by national computer-crime laws, such as the Computer Fraud and Abuse Act (CFAA) in the United States, circumstantial evidence suggests that private companies may already have resorted to such measures.
Proponents argue that ACDO, and especially hack backs, are an option of last resort to disrupt perpetrators’ operations and infrastructure and impose significant costs on them. Opponents, however, view ACDO as powerful measures that can spiral out of control, leading to instability and escalation in cyberspace, particularly in an already contentious and messy geopolitical environment. Operations that have raised concerns include botnet takedowns, such as the 2021 Emotet takedown, and the removal of malicious software from, or patching of, large numbers of privately owned computers without prior notification of their owners, such as the court-authorised removal of web shells from Microsoft Exchange servers compromised by Hafnium in the same year. Concerns raised include infringements of citizens’ rights; abuse of ACDO by law enforcement agencies; and the unintended effects and harmful consequences of failed ACDO, such as disruption of innocent third-party IT systems or escalation of geopolitical conflicts.
While active cyber defence goes beyond passive cybersecurity best practice, such as deploying firewalls, monitoring networks and patching vulnerabilities in the defenders’ own networks “at home”, it stops short of pre-emptive offensive cyber operations against infrastructure operated or controlled by others. There is a spectrum of technical measures in between. At the less intrusive and less risky end are measures confined to the defenders’ own systems: canary tokens (decoy credentials, documents or links that trigger an alert the moment someone uses them), honeypots and traffic redirection. At the other end, carried out at higher risk, are beacons and benevolent wiper software embedded in data that, once activated on the attacker’s network, inform defenders of the ‘cybertheft’ and give them the ability to wipe the copied data, for example to prevent collection by third parties. What moves a measure along this spectrum is where its code executes: the former never leave systems the defender controls, while the latter run on systems the defender does not, which is precisely what raises the legal and escalation risk.
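To make the less intrusive end of that spectrum concrete, the following is an added example, not code from the article or from the Stiftung Neue Verantwortung study, of a canary token registry: it mints unforgeable decoy URLs, records where each was planted inside the defender’s own network, and scans ordinary web-server access logs for any request to one of them. The HMAC tag matters because a bare random token could be guessed or fabricated by an attacker to flood defenders with false alerts. The host name, the log format and the secret are assumptions of the example.

```python
"""Canary tokens as a blue-space active defence measure.

Added illustration for this article, not code from it. Assumes the
defender operates a small registry that mints decoy URLs, plants them
in its own network (a file share, a config file, a password manager
export) and treats any request for one as a high-confidence signal
that someone is acting on data they should not hold.
"""
import datetime
import hashlib
import hmac
import re
import secrets
from typing import List, Optional

# Assumed host serving canary URLs; the path is /t/<id>.<tag>.
CANARY_HOST = "canary.example.internal"
TOKEN_RE = re.compile(r"/t/([0-9a-f]{16})\.([0-9a-f]{16})")


class CanaryRegistry:
    """Mints unforgeable canary tokens, remembers where each decoy was
    planted, and turns a token hit into an alert naming that decoy."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._planted = {}  # token_id -> {"where": ..., "issued": ...}
        self.alerts: List[dict] = []

    def _tag(self, token_id: str) -> str:
        # The tag binds the id to our secret, so an attacker who has seen
        # one canary cannot fabricate others to generate false alerts.
        return hmac.new(self._secret, token_id.encode(),
                        hashlib.sha256).hexdigest()[:16]

    def mint_url(self, planted_in: str) -> str:
        """Create a canary URL and record where the defender planted it."""
        token_id = secrets.token_hex(8)
        self._planted[token_id] = {
            "where": planted_in,
            "issued": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        }
        return f"https://{CANARY_HOST}/t/{token_id}.{self._tag(token_id)}"

    def verify(self, token_id: str, tag: str) -> bool:
        """True only for tokens we minted; constant-time tag comparison."""
        if not hmac.compare_digest(tag, self._tag(token_id)):
            return False
        return token_id in self._planted

    def hit(self, token_id: str, tag: str, source: str) -> Optional[dict]:
        """Record a verified token use; forged or unknown tokens are ignored."""
        if not self.verify(token_id, tag):
            return None
        alert = {
            "where": self._planted[token_id]["where"],
            "source": source,
            "token": token_id,
        }
        self.alerts.append(alert)
        return alert

    def scan_access_log(self, lines) -> List[dict]:
        """Run over access-log lines (client IP is the first field) and
        raise an alert for every genuine canary request found."""
        found = []
        for line in lines:
            m = TOKEN_RE.search(line)
            if not m:
                continue
            alert = self.hit(m.group(1), m.group(2), line.split()[0])
            if alert:
                found.append(alert)
        return found


def demo():
    """Plant one canary, then scan constructed log lines for it."""
    reg = CanaryRegistry(secret=b"demo-secret-rotate-in-production")
    url = reg.mint_url("finance-share/old_backups/README.txt")
    path = url.split(CANARY_HOST, 1)[1]
    # A forged token: valid-looking id, wrong tag. Must not alert.
    forged = f"/t/{secrets.token_hex(8)}.{'0' * 16}"
    # Constructed sample log lines, Apache combined-log style.
    log = [
        '10.0.0.5 - - [12/Mar/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
        f'203.0.113.7 - - [12/Mar/2022:10:03:44 +0000] "GET {path} HTTP/1.1" 404 0',
        f'203.0.113.9 - - [12/Mar/2022:10:05:01 +0000] "GET {forged} HTTP/1.1" 404 0',
    ]
    return reg, reg.scan_access_log(log)


if __name__ == "__main__":
    _, alerts = demo()
    for a in alerts:
        print(f"canary '{a['where']}' used from {a['source']}")
```

Everything here runs on the defender’s own infrastructure and touches nothing outside it, which is why this kind of measure sits at the low-risk end of the spectrum; the moment the same alerting logic is packaged into a beacon that executes on the attacker’s machine, the legal and escalation questions discussed in this article apply.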
The Definition of ACDO: Make It or Break It for the EU
Defining ACDO is important for the EU’s policy considerations and a prerequisite for eventually establishing active cyber defence norms. In this process, the EU must establish, clearly and early on, a working definition of what it understands active cyber defence to be, and explain how ACDO relate to the EU’s cybersecurity policies and to relevant law.
To work through the different aspects of ACDO, the EU could adopt the definition proposed in the recent “Active Cyber Defence Operations” study of the Stiftung Neue Verantwortung as a baseline. The report defines ACDO as: “one or more technical measures implemented by an individual state or collectively, carried out or mandated by a government entity with the goal to neutralize and/or mitigate the impact of and/or attribute technically a specific ongoing malicious cyber operation or campaign”.
The scope of the definition is likely to determine whether or not the EU will adopt ACDO. It seems unlikely that the EU would embrace a definition that would allow for intrusive measures conducted at the higher risk end of the ACDO spectrum. Such an approach would contradict various national laws and values of EU member states and be at odds with cyber norms of restraint that the EU has been advocating in international fora. A narrow, government-led ACDO approach – for example one limited to non-intrusive and domestic measures, at the national level – seems more likely to gain member states’ approval. In any case, an EU approach towards ACDO would allow for coordination among member states but with such operations being conducted at the national level by competent authorities and law enforcement agencies in accordance with EU guidelines. Government-led ACDO, though not without their share of challenges, can make a more convincing case for their legitimate use, operational capacity and accountability than such activities conducted by private third parties.
A Framework for Responsible Active Cyber Defence Operations Is Needed
Agreeing on a definition and communicating said definition externally is, however, just a first step towards coherent policy and norm shaping. What is further needed are principles, assessment criteria and safeguards that will allow EU member states to make informed, responsible decisions regarding the implementation, use and oversight of ACDO. What the EU really stands for will ultimately become clear from the detailed provisions, including – on an operational level – how risk is mitigated through ACDO impact assessment prior to conducting such operations and – on a legal level – what safeguards protect fundamental rights and core values.
ACDO decisions are complex, not just because of the vast range of technical measures that can be deployed but also because each situation and environment differs. Rather than a one-size-fits-all approach, the EU should act as a norm setter by developing an ACDO policy, as proposed by Stiftung Neue Verantwortung. Relevant principles may include the establishment of national legal frameworks and confidence-building measures.
In addition to such principles, assessment criteria for ACDO risks and effects are needed. Prior to an ACDO, the situation and operation parameters need to be assessed to ensure that the operation can actually achieve its goal and do so without causing more harm than good. Such an analysis involves a range of criteria: defining the scope of the operation; the effect type, target and space; and potential collateral consequences as well as the risk of geopolitical escalation.
These assessment criteria could help, for example, in evaluating the effect space of an operation and analysing its possible implications. The outcome of the risk calculation depends on whether the ACDO is carried out in blue space (the government’s own jurisdiction), green space (allied jurisdictions), grey space (neutral governments’ jurisdictions) or red space (an adversary’s jurisdiction). For the EU, this criterion is of special interest, because one of the first issues it has to address regarding ACDO is how to deal with active cyber defence measures deployed by one member state against systems in another (green space). Should the EU require prior coordination, consent or notification for such actions, or prohibit them outright? Such measures should remain within the purview of the member state from which the threat emanates or, respectively, the member state within whose jurisdiction the affected IT systems sit. A narrow exception could be made in clearly defined, previously agreed exigent circumstances in which leaving the threat unmitigated would cause imminent danger. While the authors believe that a prohibition on ACDO in EU green space without consent should be a cornerstone of EU ACDO policy, they recognise that it may cause severe operational problems. This example further underlines why it is urgent that the EU address ACDO as part of its broader cybersecurity policy deliberations, both among member states and with external partners.
Finally, safeguards need to be an integral part of a policy framework to mitigate ACDO risks. They may include, but are not limited to, ex-post evaluation and oversight backed by a high (technical) degree of transparency and auditability of the measures taken. Another safeguard, which aligns naturally with EU values, is guidelines for procuring the tools and services used in ACDO. Providers should, for example, be transparently vetted so that the EU does no business with governments or other entities reported to conduct unlawful activities or to violate human rights with their tools and services.
The Way Forward: Active Cyber Defence Policy in the EU
If the EU decides to incorporate ACDO to diversify its capabilities to respond to cyber incidents, it should form a working group of government representatives from interested member states and EU institutions, and be advised by experts from the private sector, academia and civil society. As its first goal, this group should agree on a working definition for active cyber defence. The narrower the definition, the more likely it is to find agreement.
As a second step, the EU should operationalise its values and strategies, translating them into an ACDO assessment framework and strict legal and operational safeguards, preferably informed by existing work. These principles will be a means of shaping future global norms for ACDO decisively. The EU must, from the start, consider the external consequences of its actions, which reach far beyond EU jurisdiction. Third, to begin setting norms, the EU should communicate its definition and framework externally in bilateral and multilateral fora.
Should the EU decide against incorporating ACDO in its cyber policy, it would be well advised to signal its stance clearly to other states and to companies operating under its jurisdiction. The EU must set strict norms and requirements, including for companies processing the data of EU citizens, to protect against ACDO carried out by governments that infringe upon European rights, principles and values. Lastly, even if the EU as a whole does not embrace active cyber defence, some member states will deploy ACDO, or have already incorporated them into their technical and policy toolsets for cyber security and defence; inaction is therefore not an option for the EU.
Setting aside the question of whether the EU should adopt ACDO as part of its cyber security and defence toolset, at a minimum, the EU must anticipate these developments. Once states, EU members as well as others, implement ACDO in the manner they deem appropriate, the genie is out of the bottle. The time for the EU to act is now, to set global norms for active cyber defence that reflect European views and values on this contested issue.
About the Author
Dr Andreas Kuehn is a Senior Fellow at Observer Research Foundation America where he leads research on international cybersecurity cooperation within the ORF America’s Cyberspace Cooperation Initiative. His work focuses on the new risks and challenges in international security at the intersection of emerging technology, cybersecurity, and technology governance.