The term "active cyber defense" is confusing due to its use as a politically appealing and marketable phrase, which varies in meaning across different professional communities like military, cybersecurity, and law, as well as among different nations. This blog series aims to clarify these diverse interpretations and examine the specific actions encompassed by "active defense" to understand its role in enhancing security.
Part 1: The different meanings of active cyber defense
One of the more confusing terms in cyber-security is “active cyber defense”. The confusion stems from at least four sources: 1) It is a political term, a framing to be more precise, used to place certain cyber-activity under a palatable label. Active sounds nice. There is action, activity, and not just pure reactivity. For some it means not just taking punches but actually doing something, getting the initiative back. These are all positive connotations. 2) The term has been used in industry as a marketing term for similar reasons: it just sounds better than plain old information security or cyber-security, and thus all kinds of different products can be sold under it. 3) The terminology lies at the intersection of various epistemic communities (communities of practitioners with different backgrounds and interpretations of the term) such as the military, technical cybersecurity, politics, law, and intelligence. That means that for a military general, active defense means something entirely different than it does for a cyber-security practitioner or a lawyer versed in international law. 4) To make matters worse, there are different national definitions as well, so the People’s Republic of China means something entirely different by the term than the UK, France, or Germany.
Part 2: Doing active cyber defense
In the last blog post, we deciphered various elements of active cyber defense. We looked at technical definitions, analyzed the spectrum between defense and offense, and talked about deception. We concluded that active cyber defense might entail offense (i.e. engaging with the network of an adversary), but it does not necessarily need to. Active cyber defense might aim to preempt an imminent attack, rather than to prevent more abstract, future threats. What also became apparent is that active defense seems to entail “more” than passive defense: it employs additional tools and measures, like honeypots and deceptive techniques, with the aim of gathering intelligence on adversary behavior. In this section of the blog post, we will look at what doing active cyber defense might actually entail.
As in Ukraine, the current war in the Middle East is once again being accompanied by a digital conflict. After two months of war, it is now possible to draw some preliminary conclusions about cyber capabilities in the context of conventional ground wars. Taking into account other conflicts such as Ukraine 2022, Georgia 2008 or Kosovo 1998, an interesting continuity in the nature of digital conflict becomes apparent.
WebTalk "Strategies and Attribution in Cyberspace"
Companies and institutions are increasingly exposed to complex cyberattacks. In order to counter these threats effectively, a deep understanding of the current threat situation and of the available technologies is crucial. But how can we analyse current attack strategies and improve the attribution of cyber attacks from a security policy perspective? What technical options are available to detect and defend against cyber threats, and what role does technological sovereignty play in this? Experts from academia, business and computer science will discuss this in the online WebTalk on 4th September 2024.
Workshop on Government Vulnerabilities Disclosure
ICS conducted a workshop in cooperation with the Federal Foreign Office on the cyber security aspect of the German National Security Strategy as part of the dialogue processes.
The hybrid event centred on four thematic blocks: security trends and constellations; tasks, goals, and instruments; civil society and business partnerships; as well as regional and international cooperation.
The newsletter is usually released at the beginning of each week with a summary of noteworthy cyber-security, -science and -policy news.