A group of cybersecurity experts and scholars are calling on government officials to let private companies go on the offense in cyberspace, green-light active cybersecurity practices, and in some cases, launch retaliatory “hack back” attacks that intelligence and defense officials oppose.
That’s the subject of a new report by the George Washington University Center for Cyber and Homeland Security, where a task force including former secretary of Homeland Security Michael Chertoff, former Director of National Intelligence Dennis Blair, representatives from IBM, Microsoft, Northrop Grumman and others said it’s time to move beyond merely passive cybersecurity practices.
The report follows in the wake of increasingly frequent, aggressive and damaging cyberattacks like those uncovered against Yahoo this year, compromising the privacy and security of 500 million users, and Sony in 2014, which cost the company $35 million.
“Simply put, threats are expanding in persistence and consequence and we cannot solely rely on defensive measures and ‘firewall’ our way out of this problem,” the report reads.
While passive, perimeter-focused tools like firewalls, patch updates to fix holes, antivirus software, whitelisting or blacklisting safe and compromised sources of traffic, and limiting administrative authorities are all essential to cyber hygiene, they’re no longer enough to defend against advanced cyber-aggressors, according to the report.
Though the authors stop short of explicitly endorsing hack-back attacks aimed at disrupting or destroying external networks or information “except in limited circumstances in cooperation with or under the delegated authority of a national government,” they do advocate for the ability of private companies to cross the line outside their own networks and into the “gray zone” between purely passive and strictly offensive cyber behavior.
“These activities fall into two general categories, the first covering technical interactions between a defender and an attacker,” they wrote. “The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors. The term active defense is not synonymous with ‘hacking back’ and the two should not be used interchangeably.”
Though government agencies have already adopted some gray zone solutions like sharing data on threats between the private and public sector via DHS’s automated cyber threat sharing portal (a system with few participants so far), others are seldom discussed, including tarpits, sandboxes and honeypots (traps to slow or lure hackers where their attacks can be analyzed), false data distribution, hunts to “detect and surgically evict adversaries that are present in a defender’s network,” and beacons hidden in software that send out alerts when they’ve been accessed and location when moved outside their networks.
More aggressive strategies like going undercover on the dark web to gather information, taking down botnet-hijacked networks, infiltrating and encrypting files on a malicious actor’s computer holding stolen data (known as white-hat ransomware), hacking to recover stolen data, and sanctions, indictments and trade restrictions “require close government cooperation.”
The sum of the report could be expressed in one variation of an overused sports cliché — “the best defense is a good offense,” a philosophy some of the most influential tacticians in the cyber arena disagree with.
When it comes to hacking back, U.S. Cyber Command and National Security Agency Director Mike Rogers warned Congress that companies and government need to be “very careful about going down this road,” which could lead to retaliation and greater damage. While testifying at the same hearing, Deputy Secretary of Defense Robert Work said such actions could spawn a “second, third and fourth order of [unanticipated] effects.”
The debate is representative of a larger discussion between Congress, the administration, and the military over the lack of a specific policy framework for responding to cyber aggression, most recently exemplified by the Obama administration accusing Russia of tampering with U.S. elections by hacking Democratic Party organizations, but declining to outline a specific, public retaliatory response.
Lawmakers including Senate Armed Services Committee Chairman John McCain have pressed officials including Rogers, Work, and DNI James Clapper for such a framework. The officials agree on the need, but say that establishing such a framework is outside the bounds of their authority.