Private sector cyber defence mechanisms are emerging despite existing legislation outlawing use of active defence by individuals and non-state entities. Thus, a key window exists for policy-makers in the possibility of establishing a framework for existing APCD practices that would enable optimal utilisation of private sector capabilities for securing cyber-space at an organizational and national level. This must happen in consonance with circumscribing their operations within the boundaries of the rule of law, both in terms of domestic legislation and international law. This paper seeks to unpack the complexities that underscore each of these challenges and identify avenues towards resolving some of them.
The first section of this paper reviews the spectrum of active private defence and demarcates the various kinds of offensive and defensive capabilities that would fit along various rungs in this spectrum. It also maps existing policy initiatives enabling APCD from key jurisdictions. The second section outlines relevant standards of international law and analyzes the extent to which they might help circumscribe the legal limits of APCD and resolve any geopolitical tensions that might arise. The final section projects the potential ramifications of APCD and articulates the drivers that could determine how a robust norm on active cyber defence might shape responsible behaviour in cyberspace by both state and non-state actors alike. The paper concludes with a set of points and questions with the aim of articulating a baseline from which municipal legislators and global policy-makers can take this debate forward.