Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis

Author: Amanda N. Craig, Janine S. Hiller, Scott J. Shackelford
DOI: http://doi.org/10.1111/ablj.12055
Published date: 01 December 2015
Amanda N. Craig,* Scott J. Shackelford,** and Janine S. Hiller***
INTRODUCTION

In January 2015, as Sony Pictures struggled to revive its computer network after The Interview reportedly prompted a massive hack,[1] cybersecurity firm FireEye demonstrated that the sorts of breaches that Sony experienced likely are not preventable with conventional network defenses.[2] Indeed, while experts said that “Sony’s reputation is suffering” due to the hack, they also agreed that Sony “is hardly the only company at risk.”[3] Rather, FireEye likens traditional network defense tools, on which Fortune 500 companies spent much of their $71 billion information technology (IT) security budgets in 2014,[4] as something akin to France’s pre-World War II “Maginot Line”—good in theory, but relatively easy to bypass in practice.[5] Recent news headlines may seem evidence enough, as Target, Home Depot, and J.P. Morgan Chase all announced major breaches in 2014.[6] But FireEye’s January 2015 report goes much further, noting that a whopping ninety-six percent of the 1600 computer networks that it monitored—from behind traditional network defenses—were breached in 2014.[7] As such, FireEye argues, “organizations must consider a new approach to securing their IT assets.... [They] can’t afford to passively wait for attacks. Instead, they should take a lean-forward approach that actively hunts for new and unseen threats.”[8]

But what constitutes a lean-forward approach, and why are more organizations not already taking one? The emerging field of proactive cybersecurity is complex, encompassing a range of activities also referred to as “active defense.” While “hacking back” is often a highly visible point of contention when discussing the role of private sector active defense,[9] it is just one facet of the larger proactive cybersecurity movement, which includes technological best practices ranging from real-time analytics to cybersecurity audits promoting built-in resilience.[10] Along with confusion about the range of activities that could be considered forward-leaning proactive cybersecurity, there remains ambiguity regarding the legality of some active defense techniques, including not only “hack back” but also “honeypots” and information sharing, two methods that have even been acknowledged by some governments as best practices for industry.[11]

This article traces the evolution of the proactive cybersecurity industry in a global legal environment. We argue that, while hard law exists in this space both within the United States and globally, such laws were largely enacted at a time when proactive cybersecurity remained nascent; as a result, the private sector has taken the lead in developing industry norms. More recently, we contend that proactive cybersecurity firms have thrived in part because of the confluence of three forces: (1) the general trend toward private security and growing awareness of cyber insecurity; (2) the unique nature of cybersecurity (with infrastructure that is often privately owned and for which private sector expertise dominates); and (3) the move toward bottom-up regulatory frameworks—in the vein of the 2014 National Institute for Standards and Technology (NIST) Cybersecurity Framework, which aims to improve private sector cybersecurity through voluntary standards and which was developed in coordination

* Senior Cybersecurity Strategist, Microsoft Corporation.

** Assistant Professor of Business Law and Ethics, Indiana University; W. Glenn Campbell and Rita Ricardo-Campbell National Fellow, Stanford University.

*** Professor of Business Law, Richard E. Sorensen Professor in Finance, Pamplin College of Business, Virginia Tech.

We wish to thank Professors Amy Zegart, Larry Kramer, and Tiny Cuellar for their invaluable comments on this article, as well as the research support of Scott Russell and Jonathan Brown. Scott, in particular, took the lead in developing the U.K. and Singapore case studies, for which we are indebted to him. The views expressed in this article are solely those of the authors and do not necessarily represent or reflect the position of Microsoft Corp.

[1] Thomas Halleck, Sony Corporation: Network Is Still Down Following ‘The Interview’ Hack, INTL BUS. TIMES (Jan. 8, 2015), http://www.ibtimes.com/sony-corporation-network-still-down-following-interview-hack-1778344; Dara Kerr & Roger Cheng, Sony CEO: We Were the Victim of a Vicious and Malicious Hack, CNET (Jan. 5, 2015), http://www.cnet.com/news/sony-announces/.

[2] FIREEYE, MAGINOT REVISITED: MORE REAL-WORLD RESULTS FROM REAL-WORLD TESTS 21 (2015), available at https://www2.fireeye.com/rs/fireye/images/rpt-maginot-revisited.pdf [hereinafter MAGINOT REVISITED].

[3] John Guadiosi, Why Sony Didn’t Learn from Its 2011 Hack, FORTUNE (Dec. 24, 2014), http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/.

[4] Seth Rosenblatt, Modern Security Tactics Fail to Protect Against Malware, Study Finds, CNET (Jan. 8, 2015), http://www.cnet.com/news/modern-security-tactics-fail-to-protect-against-malware-new-study-finds/.

[5] Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model, FIREEYE 5–6 (2014), http://www2.fireeye.com/rs/fireye/images/fireeye-real-world-assessment.pdf; MAGINOT REVISITED, supra note 2, at 2. France created the Maginot Line during World War II to impede Nazi Germany’s invasion, but German forces bypassed the Maginot Line and invaded France from Belgium. See MARC ROMANYCH ET AL., MAGINOT LINE 1940: BATTLES ON THE FRENCH FRONTIER 8–11 (2012).

[6] Sharone Tobias, 2014: The Year in Cyberattacks, NEWSWEEK (Dec. 31, 2014), http://www.newsweek.com/2014-year-cyber-attacks-295876.

[7] MAGINOT REVISITED, supra note 2, at 3.

[8] Id. at 21.

[9] See, e.g., Carl Franzen, Should US Companies Be Allowed to Hack China in Revenge? New Report Says Yes, VERGE (May 22, 2013), http://www.theverge.com/2013/5/22/4356196/report-tells-congress-companies-should-hack-back; see also Eric Chabrow, The Case Against Hack-Back, BANK INFO. SEC. (Jan. 6, 2015), http://www.bankinfosecurity.com/case-against-hack-back-a-7759; Tom Field, To ‘Hack Back’ or Not?, BANK INFO. SEC. (Feb. 27, 2013), http://www.bankinfosecurity.com/to-hack-back-or-not-a-5545 (discussing, among other things, the likelihood of prosecution in the United States for engaging in hacking back).

[10] See, e.g., Orla Cox, Proactive Cybersecurity—Taking Control Away from Attackers, SYMANTEC (Apr. 2, 2014), http://www.symantec.com/connect/blogs/proactive-cybersecurity-taking-control-away-attackers; Michael A. Davis, 4 Steps for Proactive Cybersecurity, INFO. WK. (Jan. 18, 2013), http://www.informationweek.com/government/cybersecurity/4-steps-for-proactive-cybersecurity/d/d-id/1108270; Hackback? Claptrap!—An Active Defense Continuum for the Private Sector, RSA CONF. (Feb. 27, 2014), http://www.rsaconference.com/events/us14/agenda/sessions/1146/hackback-claptrap-an-active-defense-continuum-for (“[A]ctive defense should be viewed as a diverse set of techniques along a spectrum of varying risk and legality.”).

[11] See, e.g., EUR. NETWORK & INFO. SEC. AGENCY, PROACTIVE DETECTION OF SECURITY INCIDENTS II: HONEYPOTS 17 (2012), available at https://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots (defining a “honeypot” as a “computing resource, whose sole task is to be probed, attacked, compromised, used or accessed in any other unauthorised way”); Sean Lyngaas, NIST Spells Out Information-Sharing Best Practices, FCW (Oct. 30, 2014), http://fcw.com/articles/2014/10/30/nist-sharing-best-practices.aspx.

© 2015 The Authors. American Business Law Journal © 2015 Academy of Legal Studies in Business. American Business Law Journal, Volume 52, Issue 4, 721–787, Winter 2015.
