The U.S. government should decide how to retaliate against the worst attacks on the country’s private sector, and when appropriate, the military’s hacking unit should hit back, three experts said Monday.
The controversial idea entails taking the fight to nefarious actors by attacking their computer network in-kind, probing for exfiltrated data and employing measures to retrieve or destroy stolen information.
The three individuals, with experience in the private sector, intelligence community and military, spoke at a panel organized by APCO. They concurred that if companies feel compelled to hack back, they should delegate any potential response to the government. If retaliation is warranted, U.S. Cyber Command should carry it out.
“I think if it’s going to happen, it’s best in the hands of the government,” said Sean Weppner, chief strategy officer at NISOS Group and a former DOD cyber officer. No company has the intelligence, offensive tools and contextual understanding of the U.S. government, he said.
Alex Bolling, the former chief of operations at the CIA’s Information Operations Center, said that attacks on U.S. critical infrastructure, 85 percent of which is privately owned, would warrant a response. CYBERCOM is the “agency that is best resourced to respond to threats to [U.S.] national interests…[and] critical infrastructure in the energy, finance and wider commercial space,” Bolling said.
By allowing companies to hack back, U.S. lawmakers would be enabling a kind of cyber vigilantism, the panelists said. That behavior would come with profound and potentially dangerous consequences. For one, companies venturing out into foreign networks would run the risk of disrupting existing U.S. intelligence or military operations.
Edward Amoroso, CEO of Tag Cyber, said that Cyber Command should decide what target to hit, when to strike and whether an offensive operation is in the nation’s best interest.
“I’d like to think there’s a lot of human intelligence and spy-craft that provides a really good view” to the government, said Amoroso.
Even if companies wanted to hack back, they aren’t legally authorized to do so. At present, companies are not authorized to access computers outside of their own network without expressed permission, all but precluding any sort of retaliatory actions.
This may soon change, as lawmakers on Capitol Hill mull modernizing the Computer Fraud and Abuse Act (CFAA), a piece of legacy legislation that governs computer crimes and hacking. It seems unlikely that the bill will be amended to allow companies to strike back against digital assailants.
Last year, Rep. Tom Graves, R-Ga., introduced the ACDC Act, which would have dramatically opened up options for companies to strike back. Though the bill gained some momentum in Congress, it was widely panned by the technology community.
Hacking back is a risky proposition. Attribution is difficult, and striking a non-responsible party carries huge risks. Even if the retaliatory blow hits the right group, it could trigger further escalatory measures. Given the asymmetrical threat posed to the United States in cyberspace – it has the strongest weapons, but also the most vulnerability – any sort of offensive cyber operation should be tailored and well-deliberated, the three said.
All three agreed that there is no silver bullet for the digital threats facing the U.S. private sector, but that hyper-vigilance, risk management and robust cyber hygiene offer the best path forward.