Michelle Mosey: My name is Michelle Mosey and I'm the Senior Advisor, Cyber Security at the National Security College here at ANU. Today we've got Dr Irving Lachow from MITRE Corporation here to talk to us about active cyber defence. Now this is a really hot topic across government and industry at the moment, and we're very privileged to have Dr Lachow here to talk to us about this really interesting subject. Welcome Irv, it's great to have you here.

Irving Lachow: Thank you Michelle.

Michelle Mosey: Active cyber defence: what can you actually tell us about it?

Irving Lachow: Well, the first thing is that active cyber defence is not hacking back, which is often the way it's viewed. What's interesting about active cyber defence is that it describes a set of capabilities that organizations can take to defend themselves that lie somewhere between passive defences and cyber hygiene, which is important and necessary, and hacking back or offensive cyber, which really only government can do legally. In between those two extremes there are a range of actions that organizations can take to protect themselves, but there's a lot of uncertainty about what they can do or what they should do from a legal and policy perspective, and so that's why it's such a fascinating topic to discuss.

Michelle Mosey: Right. So talking about active cyber defence, could you give us some examples? Clearly on the cyber hygiene piece we've done a lot of talking in government around the ASD Essential Eight, and that's really classified as the hygiene type of activities. Could you expand a little bit more about ACD? I know that's a little acronym there.

Irving Lachow: No, no, no, you're spot on, that's exactly right. So let's say you're doing your passive defences, your Essential Eight; that's important, that's necessary. Perhaps you can start to do things like create synthetic environments in your enterprise that can pull adversaries in so you can gather intelligence on the kind of activities they're doing. That's a little more active, right? So you're actually doing things to change their behavior: you want them to go here, you want to watch them. Maybe you take an additional step of feeding them false information, right? So now if their goal is to try to steal your intellectual property, maybe you're giving them false information, which hopefully then requires them to spend a lot of time and effort to determine if what they've got is real or not real, and that's helping you confuse them and maybe deter them from coming at you again, because they realize "oh my gosh, it's so much work", and essentially raising the cost.

Michelle Mosey: And that's sort of one of the key outcomes that lots of defenders look for: raising the cost and making ourselves a non-attractive target.

Irving Lachow: Exactly, exactly. Another example might be to plant some code in documents that you're trying to protect, so if they're stolen they can beacon and alert either you or the authorities that they've left your premises and are heading to some country you don't want them to go to, right? So that's another example of something that's a little more active and not part of the Essential Eight or the normal cyber hygiene that companies do.

Michelle Mosey: Sure. So there must be risks and trade-offs when you start to do this, because when we look at potentially planting incorrect information that we know may be stolen, there's a risk that potentially comes along with that. Can you expand a little bit on that?

Irving Lachow: Absolutely. Again, that's what makes this such a challenging issue: there are clearly benefits to a number of these techniques; however, as you point out, there are a lot of risks. So there's a risk of potential collateral damage if you're doing things outside of your network and you unintentionally harm someone while you're trying to interact with the adversary. You can potentially escalate things: so maybe you do increase the work factor, the cost to the adversary, and maybe their response, rather than saying "oh gosh, okay, I'm just going to leave you alone", is "I'm going to ramp up and I'm going to make you pay for making my life more difficult", and they try to wipe your systems. And there are also international implications, because a lot of this activity involves nation states, and things that you do may actually affect another nation, and so you can unintentionally have an impact on global norms, on economic relationships, and on things that are completely unanticipated and perhaps not helpful.

Michelle Mosey: Yeah, I think you raise a really interesting point there about the international dimensions of utilizing active cyber defence. There are challenges domestically, let alone internationally. Where do you think we are in that space in terms of some of the legal or compliance issues, getting agreements?

Irving Lachow: We're not very far, especially internationally. So at the national level, different countries have different laws in place: some do not allow any kind of active cyber defence at all, others are more open-ended, some countries don't have laws at all. But to your point about internationally, we have a bit of a challenge there, because international law as it currently stands generally does not address this kind of corporate-level activity. Most international laws are focused on nation states, so the laws of armed conflict and humanitarian law and that sort of thing. Even the cyber crime convention, the Budapest Convention, doesn't really address these kinds of issues.

Michelle Mosey: Yes.

Irving Lachow: And so there is no international legal framework, so we really need to start by building maybe a set of norms that guide best practices or acceptable kinds of behaviors. Even that's going to prove challenging, because if five countries agree on norms but, you know, 30 don't, and there's activity emanating from those other 30, then you may be potentially constrained. So it's quite a challenge.

Michelle Mosey: Absolutely. And I mean, even going forward and describing or actually setting out the norms, there should be a range of stakeholders involved in doing that. Am I correct in saying it shouldn't just be a government-driven activity?

Irving Lachow: Absolutely, you're exactly right, and that's what makes this even more complex. Governments can take these kinds of actions; they have the authority to do so. The question is, can companies or private sector organizations? And again, that varies country by country, but again they're potentially operating now internationally, and so you have nations interacting, you have companies interacting, and it could get very complex, right? So you can have companies affecting companies and companies affecting other governments and governments affecting...

Michelle Mosey: Right.

Irving Lachow: And it's this big morass of activity, and it can't just be addressed, to your point, at the nation-state level, because what makes this an interesting issue is that companies are taking these actions. Companies are doing things outside of their own networks. It is happening.

Michelle Mosey: Yes.

Irving Lachow: And so how do we get them to act in a way that allows them to protect themselves, but is doing so in a way that's conducive to international security, international economic concerns?

Michelle Mosey: I think that's actually a really interesting point in terms of how do we bring it together: what is okay and what is not okay, especially when you start to look at an international level, and there are countries and nation states and others that play by the rules and others who don't. So it's the trick in getting that balance. Do you have any thoughts around how we might even just make baby steps towards doing some of that?

Irving Lachow: So one way to start is to try to find areas where there might be some agreement. So for example, countries have agreed through the UN, through the GGE process, to not attack each other's computer security emergency response teams, right? So they're off limits. It's kind of like the Red Cross: you don't go after the Red Cross, kind of thing, right? And countries have signed up for that; even Russia, right, has signed up for that. Are there things we could agree to in the active cyber defence area where everyone just says "yeah, okay"? So for example, hacking back, like I mentioned: you can start there. Most everyone agrees that a company shouldn't be free, any time they want, to hack anyone else in the world they want. I mean, that's actually the cyber crime we're trying to stop, right? But then as you start to draw lines in the sand or create norms, it gets very, very difficult. And to your point, which I think is an excellent one, and which is interesting: on the one hand, the more clarity there is around this issue, the better companies will be able to make decisions about the benefits and risks of an action. They understand the potential consequences, right?

Michelle Mosey: Yes.

Irving Lachow: But to your point, which is a very interesting one, if there's a level of ambiguity about what can be done, there are arguments that that might actually be helpful, in the sense that if bad guys don't know what you can and can't do back to them, maybe that uncertainty actually deters them, as opposed to them having a very clear understanding of what companies can do back to them, and so they can play right up until that.

Michelle Mosey: This is the issue with red lines in the sand, right?

Irving Lachow: Yeah, yes. People then game it.

Michelle Mosey: Exactly, exactly. And I mean, I've heard you speak before about the "do nothing" option, which is kind of somewhat where we are now, and the complete Wild West, and I think that is the issue: instead of maybe building up, we look at it from winding back. As you said, there are a lot of companies out there now who are actively participating in active cyber defence, and they are supporting governments in order to do so, or sharing that information. So it's a really interesting topic in itself, active cyber defence: how do we do it, how do we implement it in a way that keeps us safe and secure?

Irving Lachow: Yeah, so let me just build on that last point, which is that the public-private cooperation aspect is really critical, and that actually goes both ways. So for example, in the UK right now there is a government-led active cyber defence program out of their National Cyber Security Centre, where the government is reaching out to industry, so internet service providers, email providers, internet exchange point providers, and enlisting them in steps that are absolutely active cyber defence types of techniques, but they're coming from the government, and industry is helping the government execute that strategy. So that's one way to do it. The other way is to think about industry wanting to move out and perhaps having government work with them, so whether it's a botnet takedown, or whether it's the government sanctioning certain private sector activities, or the sharing of threat information. And so there is absolutely this public-private partnership aspect that I think is very important, and we're seeing examples of that obviously in the UK.

Michelle Mosey: And I think there's probably no time more so than now that it's important for government and industry to work together and certainly face challenges like this, and get academia involved in helping us answer some of the big questions around cyber defence, cyber security and how we utilize it in that global sense. So on that I will finish up, and thank you very much for spending some time with us this morning.

Irving Lachow: My pleasure, thank you.