Are We Entering the Age of 'Hack Back'?
WASHINGTON -- When the debris settles after special counsel Robert Mueller completes his investigation into Russian hacking of the 2016 presidential election, America will still be left with the underlying problem that triggered the probe in the first place -- the threat of malicious cyberattacks against political parties, corporations, and anybody else who uses the internet.
Here's a disturbing fact: Even after all the uproar that has surrounded Mueller's inquiry, the U.S. government can't do much to protect most private citizens or organizations against attacks. There's better security now for election systems and critical infrastructure, but that doesn't help the banks, hedge funds, law firms and other companies with sensitive data -- which are basically on their own.
Mueller's findings about President Trump will have their own fiery afterlife on Capitol Hill, which nobody can predict. But Congress should also be thinking about the less-sexy fallout from the investigation, which highlighted the vulnerability of all data to foreign spies, meddlers and information pirates.
U.S. Cyber Command and the National Security Agency have already gone on the offensive against Moscow. Last fall, their joint "Russia Small Group" secretly "hacked back," in effect, against Russia's Internet Research Agency, briefly shutting down some of its computers. The aim was to deter the Russians from meddling in the 2018 midterm elections, and it seems to have worked.
Private companies are going on the offensive in cyberspace, too -- even though the legal terrain is murky and there's a big risk of triggering a tit-for-tat melee.
"Some organizations are conducting active cyber-defense 'hacking back,' but in my experience this will amplify the global cyber-arms race," warns Milan Patel, a prominent former FBI cyber expert who's now with BlueVoyant, a cyber-security firm. "Rather than hacking back, which will only bring a short-term sense of relief, companies need to do a better job at education and training." He says the latest industry reports estimate that 92 percent of attacks originate from spear-phishing, where employees unwittingly click on malicious malware.
American history offers an unlikely lesson in how cyber-offense might be enhanced and also regulated, as explained by Michael Chertoff, former secretary of homeland security, in his recent book "Exploding Data."
At the very beginning of our nation, when America and France were fighting an undeclared war, the U.S. Navy was too weak to protect American vessels from attack. The high seas were an 18th-century version of cyberspace, with attackers lurking everywhere. So, as Chertoff notes, the U.S. Constitution mandated that: "Congress shall have Power ... To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water."
Today, argues Chertoff, the government could grant the equivalent of letters of marque to private cyber-defense companies. "To bolster its capacity to defend and deter cyberattacks, the government should train and license 'privateers' for certain specific operations ... to assist in deterring attacks against U.S. companies and infrastructure," he writes.
But Chertoff cautions in an interview: "Don't try this at home!" Meaning, companies should avoid any retaliatory action that might be illegal under U.S. or foreign law, or that would trigger counter-reprisals that would make the problem even worse.
In the real-world marketplace, cyber consultants are already selling "active defense" tools that push the envelope. Illusive Networks specializes in what its website calls "deception-based cybersecurity." The idea is to create what intelligence organizations call "honeypots" that lure attackers and allow defenders to observe and manipulate them. "To catch an attacker, you must think like one," says the company's website.
Another cyber-deception specialist is Attivo Networks. Its website explains: "Deception changes the asymmetry against attackers with attractive traps and lures designed to deceive and detect attackers." A third prominent player in the active-defense market is Endgame, which promises on its website that its software can hunt and stop exploits, phishing, malware, ransomware and other attacks. Social-media platforms such as Facebook have become increasingly active, too, in defending their networks.
Cyber experts warn that active defense is a slippery slope. A honeypot can identify invaders. But it can also lure them to gobble malicious software that disables the attackers' network, or to steal false documents that deliberately mislead the attackers. And because attackers hide in servers that aren't their own, a reprisal meant to target malicious hackers could take down a hospital or university.
The Mueller investigation has galvanized efforts to protect U.S. elections from future meddling. But the larger American vulnerability to cyberattack remains, and it deserves more attention.
As U.S. companies move to protect their secrets, sometimes using tools once reserved for intelligence agencies, they need better guidance from Washington.
(c) 2019, Washington Post Writers Group