One Answer To Cyber Attacks Is To Hack Back

Uploaded on 2018-08-28 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Recently, the director of US national intelligence warned that US computer systems are so vulnerable that the nation may be facing a “cyber 9/11.” Then the US Department of Homeland Security revealed that Russian hackers could get inside the nation’s utilities and turn off the lights in much of the United States.

What next? How about some payback, targeting the attackers who target us?

Some cybersecurity experts and lawmakers argue that tougher passwords and thicker firewalls alone won’t protect America’s digital assets, because any defense can be breached. Instead, they want the US government, and even private companies and individuals, to go on the offensive by using the hackers’ own methods against them.

“You try to go about hacking the hackers,” said Michael Sulmeyer, a former Pentagon director of cyber policy who now runs the cyber security project at Harvard University’s Belfer Center.

Sulmeyer believes that US cyber warriors should launch counter-attacks against foreign spies and saboteurs. Others, like Stewart Baker, former general counsel of the US National Security Agency, would go even further. They say it should be legal for businesses and individuals to “hack back” against spies or criminal gangs that attack their networks.

“If you want to deter attacks,” said Baker, “you’ve got to be prepared to do something to the attackers that they fear.”

Some kinds of cyber-offense have already been tried. The United States is widely believed to have worked with Israel to create Stuxnet, a sophisticated malware program used to sabotage the Iranian nuclear weapons program, though neither country has ever confirmed this.

But Stuxnet was aimed at a single, precisely defined target. Hacking the hackers would mean taking on many different online adversaries, each of them skilled at covering their tracks.

It’s a strategy born from sheer frustration. For a quarter-century, brilliant people have developed countless clever defenses against cyber aggression, yet computer networks remain as insecure as ever. But that means the attackers’ own networks are vulnerable, too.

Yes, the bad guys will recover, just as the good guys do. But Sulmeyer said that every time a hacker network is shut down, “it becomes more expensive for them to hack us, and they make more mistakes.” Moreover, the kind of attacks aimed at us by Russia require advanced facilities that can’t be recreated overnight.

Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, is skeptical about the wisdom of counter-attacking hackers, but he concedes that it might do some good. “If you burn them, you set back their operations six months,” said Schneier. “Six months isn’t that long, but it’s an election cycle.”

The upcoming midterms will likely offer a chance to test this strategy. Microsoft Corp. recently said it identified Russian hacker attacks on the campaigns of three candidates running in November. Microsoft didn’t say which candidates, but recently, Senator Claire McCaskill, a Democrat from Missouri facing a tough reelection battle, said she was targeted.

And recently, New Hamshire Democrat Senator Jeanne Shaheen revealed her computers had also been attacked, and said she had heard of many similar efforts against politicians of both parties.

So why shouldn’t the United States try to take these hackers out? Microsoft has identified the target, a group called Fancy Bear that’s associated with Russian military intelligence and was also involved in the hack of the 2016 election.

If Sulmeyer and Schneier are correct, even a temporary takedown of these attackers could knock them off-stride until the election is over, and prevent them from tampering with other campaigns.

Sulmeyer said only the federal government should be able to carry out counter-hacks, and only against foreign targets. Baker, meanwhile, said US companies and individuals should be allowed as well, through hired professionals.
 
“I think we’re going to end up there,” Baker said, “because there’s no way the government is going to be able to keep up.”

Baker’s view has some support in Congress. Nine Republican and Democratic House members introduced a bill last year to make it legal for private parties to counter-attack when under digital fire.

For instance, if a utility such as National Grid spotted hackers trying to break in, the electric utility company could deploy its own people to shut down the opposition.

Gregory Nojeim, senior counsel at the Center for Democracy and Technology in Washington, believes this is a terrible idea. For one, it’s difficult to be absolutely certain the retaliation is hitting the right target.

Hackers often route their attacks through machines owned by innocent third parties; imagine going after a ransomware gang and taking down a hospital network by mistake.

Besides, even if hacking back became legal in the United States, it would remain a crime in other countries, a major problem for businesses with lots of overseas locations.

“Hacking back, if it’s done by any entity, should be a governmental function,” said Nojeim.

Even then, it’s risky. Open fire on a rival nation, with bullets or with bits, and they usually fire back. “If we do something, they’re going to do something back to us,” said Herb Lin, senior research scholar for cyber policy at Stanford University. “Be prepared for a big reaction.”

If the US government hits Fancy Bear, the Russians might target the Nasdaq stock exchange or turn off the lights in Sioux City, Iowa. Then we might empty Vladimir Putin’s bank accounts or shut down the Moscow subway. And so on. It’s not a thermos-nuclear exchange, but bad enough.

But while Lin frets over blowback, he still thinks the United States may have no choice but to counter-attack. “It’s certainly different from what we have now,” he said. “But what we have now hasn’t worked.”

Boston Globe:       Image; Nick Youngson

You Might Also Read: 

Cyber Criminals Have Access To Weapons Grade Hacking Tools:

US Steps Up Its Cyberwar Capability:

 

 

« The US Is Losing the Information War To Russia
How Silicon Valley Became A Den Of Spies »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Seclore

Seclore

Seclore is the most advanced, secure, and automated Enterprise Digital Rights Management (EDRM) solution available.

National Agency for the Security of Information Systems (ANSSI) - France

National Agency for the Security of Information Systems (ANSSI) - France

The role of Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) is to foster a coordinated, ambitious, pro-active response to cybersecurity issues in France.

Secure Thingz

Secure Thingz

Secure Thingz focus on developing and delivering advanced security solutions into the emerging Industrial Internet of Things (IIoT) and Critical Infrastructure markets.

HyTrust

HyTrust

HyTrust specialises in security, compliance and control software for virtualization and cloud environments.

Consult Hyperion

Consult Hyperion

Consult Hyperion is an independent strategic and technical consultancy specialising in digital identity and secure electronic transactions.

CyberOwl

CyberOwl

CyberOwl builds on cutting-edge research and combines decades of experience in developing, securing and operating large distributed systems.

Iceberg

Iceberg

Iceberg has been established to provide companies with cyber security experts who will protect businesses from the unseen threat of cyber crime.

Sungard Availability Services (Sungard AS)

Sungard Availability Services (Sungard AS)

Sungard AS partners with customers around the globe to understand their unique business needs and provide production and recovery services tailored to their requirements.

Awake Security

Awake Security

Awake Security offer a security solution built on an AI platform that acts like the human brain to sense, detect, and respond to threats you may not even know exist.

International Cybersecurity Institute (ICSI)

International Cybersecurity Institute (ICSI)

ICSI is a UK company offering specialized and accredited professional qualifications in cybersecurity for young IT graduates as well as mature professionals.

Stellar Cyber

Stellar Cyber

Stellar Cyber makes Open XDR, the only comprehensive security platform providing maximum protection of applications and data wherever they reside.

Prima Cyber Solutions (PCS)

Prima Cyber Solutions (PCS)

Prima Cyber Solutions is focused on protecting your business from the massive and devastating impacts that cyber-attacks may cause.

Cyber Security Services

Cyber Security Services

Cyber Security Services is a cyber security consulting firm and security operations center (SOC).

Fortiedge

Fortiedge

Fortiedge is an IT Security solution provider specializing in Cyber Security practices and solutions for our clients.

Factmata

Factmata

Factmata is an social and news media monitoring and analytics product that uses AI to identify and track narratives online, highlighting those most likely to cause brand harm or misinform the public.

Ionize

Ionize

Ionize offers solutions to help you uplift your capability across the full-spectrum of cyber security - assessment, remediation, monitoring, governance and ongoing education.