• Research
  • Emissary
  • About
  • Experts
Carnegie Global logoCarnegie lettermark logo
DemocracyIran
  • Donate
{
  "authors": [
    "Wyatt Hoffman",
    "Ariel (Eli) Levite"
  ],
  "type": "other",
  "centerAffiliationAll": "dc",
  "centers": [
    "Carnegie Endowment for International Peace"
  ],
  "collections": [],
  "englishNewsletterAll": "ctw",
  "nonEnglishNewsletterAll": "",
  "primaryCenter": "Carnegie Endowment for International Peace",
  "programAffiliation": "NPP",
  "programs": [
    "Nuclear Policy"
  ],
  "projects": [],
  "regions": [],
  "topics": [
    "Security",
    "Nuclear Policy",
    "Technology"
  ]
}

Source: Getty

Other

Rethinking Corporate Active Cyber Defense

The practice of active cyber defense moves the debate over the role of and limits on corporate self-defense in cyberspace beyond the theoretical and into reality.

Link Copied
By Wyatt Hoffman and Ariel (Eli) Levite
Published on Jul 17, 2017
Program mobile hero image

Program

Nuclear Policy

The Nuclear Policy Program aims to reduce the risk of nuclear war. Our experts diagnose acute risks stemming from technical and geopolitical developments, generate pragmatic solutions, and use our global network to advance risk-reduction policies. Our work covers deterrence, disarmament, arms control, nonproliferation, and nuclear energy.

Learn More

Source: Lawfare

The recent WannaCry and NotPetya global cyber incidents have fueled the debate already raging over the role of and limits on corporate self-defense in cyberspace. The emerging international practice of “active cyber defense” (ACD) moves this debate beyond the merely theoretical realm. Private sector active defense potentially shifts the balance in favor of defenders and would improve companies’ ability to complicate and disrupt attacks and mitigate damages. Enhancing private sector defense might also deter future attacks by denying gains and imposing costs to attackers, including by making it easier for law enforcement to identify and punish attackers. Cumulatively, the impact could significantly alter the calculus of malicious actors.

However, aggressive active defense measures—including, most controversially, “hacking back” into attackers’ networks—carry significant risks to the defender and innocent third parties. The risk is especially pronounced if the defender is ill-equipped to attribute the attack and control its effects. The potentially systemically destabilizing effects of unrestrained conduct of active defense internationally lead opponents to warn that it is akin to unleashing the “wild west” in cyberspace.

Self-Restraint among Private Security Contractors: What Can ACD Learn from Somali Piracy?

In reality, much of this debate is academic. A nascent international “gray” market for active cyber defense services (including hacking back) already exists. The growth of private sector ACD mirrors a similar development in maritime security: the shipping industry’s adoption of private armed guards in response to the escalating threat from Somali piracy. By the late 2000s, even huge naval deployments were unable to provide sufficient defense to shipping vessels. Private maritime security contractors left many governments struggling to belatedly impose order where little prevented or discouraged the private sector from turning to its own means of defense. But through the combined efforts of ship-owners, maritime insurers, and private maritime security providers, the private sector was to implement a credible and responsible solution that defused the threat.

The same factors that catalyzed the rise of private maritime security contractors are pervading the cyber domain. Rather than continuing to debate whether to allow the practice of ACD, it is time to consider how to responsibly and credibly place ACD in the corporate tool kit. Wherever possible, this approach should draw on established private sector self-regulation mechanisms, including insurance-based solutions.

Elements of a Strategy for Managing ACD

In a recently released report by the Carnegie Endowment’s Cyber Policy Initiative, we acknowledge that ACD is not a panacea, but submit that it would be a valuable addition to both international and corporate security. Its value is contingent on the creation of principles and requirements to manage the practice of active cyber defense. Consider the follow few examples.

First, the private sector should be allowed to employ only a limited spectrum of active cyber defenses. Measures carrying unacceptable risk, such as destructive hack backs, should be impermissible. The acceptable purposes of ACD activity should be similarly circumscribed to defense and mitigating damage, instead of retribution.

Second, only competent and qualified defenders should undertake active cyber defense.  Legitimate ACD could be gauged to an organizations’ maturity level through a variety of means including a professional accreditation system.

Third, flexible mechanisms are needed to incentivize principled ACD conduct by the private sector. Cyber insurance is well-suited to play a role in an industry-driven approach to regulating private sector ACD based on the maturity level of the practitioners.

Fourth, whatever balance is struck, principles must work toward international harmonization. Uneven approaches between countries may disadvantage those attempting to promote norms of restraint and reward those who disregard them (while raising serious extradition issues).

The U.S. Should Not Ignore the Global Context

Finally, our report underscores the risks inherent in the U.S. going it alone. Continuing to prohibit private sector active cyber defense entirely leaves law-abiding corporations vulnerable while rewarding those that circumvent restrictions or outsource active defense services. On the other hand, creating an overly permissive environment without international norms could increase tensions with other countries, including by opening the door to criticism that the U.S. is promoting vigilantism. We should not forget the striking lessons from several traumatic centuries of privateering before the maritime domain was pacified. The U.S. would be well-advised to adopt a cautious, evolutionary approach to the ACD domain – harmonized internationally and tailored to experience and evolving technology.

This article was originally published in Lawfare

About the Authors

Wyatt Hoffman

Former Senior Research Analyst, Cyber Policy Initiative

Wyatt Hoffman was a senior research analyst with the Nuclear Policy Program and the Cyber Policy Initiative at the Carnegie Endowment for International Peace.

Ariel (Eli) Levite

Senior Fellow, Nuclear Policy Program, Technology and International Affairs Program

Levite was the principal deputy director general for policy at the Israeli Atomic Energy Commission from 2002 to 2007.

Authors

Wyatt Hoffman
Former Senior Research Analyst, Cyber Policy Initiative
Ariel (Eli) Levite
Senior Fellow, Nuclear Policy Program, Technology and International Affairs Program
Ariel (Eli) Levite
SecurityNuclear PolicyTechnology

Carnegie does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.

More Work from Carnegie Endowment for International Peace

  • Agentic AI Anthropic bot
    Paper
    When AI Agents Attack: Autonomous Cyber Operations and Europe’s Governance Gap

    Autonomous AI agents are increasingly prevalent in cyberspace. The EU needs a real-time monitoring strategy, to invest in AI defenses, and to reduce its strategic dependence on U.S. frontier models.

      Raluca Csernatoni, Patryk Pawlak

  • 1990s USS Pennsylvania United States Navy Nuclear Powered Ohio-Class Ballistic Missile Submarine Cruising On Ocean Surface
    Paper
    Nuclear Weapons and the Future of American Power

    It seems likely that, no matter what, the power of the U.S. nuclear arsenal will face erosion, not least in the credibility of its commitments to defend allies and the political durability of those alliances.

      James M. Acton, Ankit Panda

  • Police enter an immigration detention centre in Bangkok on January 22, 2025.
    Article
    Inside the Swap Mart: How Thailand’s Domestic Digital Repression Enables Transnational Repression

    Thailand is no longer safe for regional activists; neither are Cambodia, Laos, or Vietnam for Thai dissidents who had typically sought refuge in those countries.

      Janjira Sombatpoonsiri

  • Commentary
    Carnegie Politika
    Lukashenko’s Concessions to Kyiv Reflect Russia’s Weakness

    The recent damage inflicted by Ukrainian drones and missiles on Russia has made Belarus aware of its own vulnerabilities—and surprisingly amenable to Kyiv’s demands.

      Artyom Shraibman

  • Paper
    Threading the Needle: India’s Path Forward with China

    After the chill in ties between 2020 and 2024 that brought India–China relations to their lowest point in several decades, the two countries have engaged each other afresh. This paper argues that there are predominantly four imperatives guiding India’s approach to China, and they exist in an order of priority.

      Saheb Singh Chadha

Get more news and analysis from
Carnegie Endowment for International Peace
Carnegie global logo, stacked
1779 Massachusetts Avenue NWWashington, DC, 20036-2103Phone: 202 483 7600
  • Research
  • Emissary
  • About
  • Experts
  • Donate
  • Programs
  • Events
  • Blogs
  • Podcasts
  • Contact
  • Annual Reports
  • Careers
  • Privacy
  • For Media
  • Government Resources
Get more news and analysis from
Carnegie Endowment for International Peace
© 2026 Carnegie Endowment for International Peace. All rights reserved.