One Answer To Cyber Attacks Is To Hack Back

Recently, the director of US national intelligence warned that US computer systems are so vulnerable that the nation may be facing a “cyber 9/11.” Then the US Department of Homeland Security revealed that Russian hackers could get inside the nation’s utilities and turn off the lights in much of the United States.

What next? How about some payback, targeting the attackers who target us?

Some cybersecurity experts and lawmakers argue that tougher passwords and thicker firewalls alone won’t protect America’s digital assets, because any defense can be breached. Instead, they want the US government, and even private companies and individuals, to go on the offensive by using the hackers’ own methods against them.

“You try to go about hacking the hackers,” said Michael Sulmeyer, a former Pentagon director of cyber policy who now runs the cyber security project at Harvard University’s Belfer Center.

Sulmeyer believes that US cyber warriors should launch counter-attacks against foreign spies and saboteurs. Others, like Stewart Baker, former general counsel of the US National Security Agency, would go even further. They say it should be legal for businesses and individuals to “hack back” against spies or criminal gangs that attack their networks.

“If you want to deter attacks,” said Baker, “you’ve got to be prepared to do something to the attackers that they fear.”

Some kinds of cyber-offense have already been tried. The United States is widely believed to have worked with Israel to create Stuxnet, a sophisticated malware program used to sabotage the Iranian nuclear weapons program, though neither country has ever confirmed this.

But Stuxnet was aimed at a single, precisely defined target. Hacking the hackers would mean taking on many different online adversaries, each of them skilled at covering their tracks.

It’s a strategy born from sheer frustration. For a quarter-century, brilliant people have developed countless clever defenses against cyber aggression, yet computer networks remain as insecure as ever. But that means the attackers’ own networks are vulnerable, too.

Yes, the bad guys will recover, just as the good guys do. But Sulmeyer said that every time a hacker network is shut down, “it becomes more expensive for them to hack us, and they make more mistakes.” Moreover, the kind of attacks aimed at us by Russia require advanced facilities that can’t be recreated overnight.

Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, is skeptical about the wisdom of counter-attacking hackers, but he concedes that it might do some good. “If you burn them, you set back their operations six months,” said Schneier. “Six months isn’t that long, but it’s an election cycle.”

The upcoming midterms will likely offer a chance to test this strategy. Microsoft Corp. recently said it identified Russian hacker attacks on the campaigns of three candidates running in November. Microsoft didn’t say which candidates, but recently, Senator Claire McCaskill, a Democrat from Missouri facing a tough reelection battle, said she was targeted.

And recently, New Hamshire Democrat Senator Jeanne Shaheen revealed her computers had also been attacked, and said she had heard of many similar efforts against politicians of both parties.

So why shouldn’t the United States try to take these hackers out? Microsoft has identified the target, a group called Fancy Bear that’s associated with Russian military intelligence and was also involved in the hack of the 2016 election.

If Sulmeyer and Schneier are correct, even a temporary takedown of these attackers could knock them off-stride until the election is over, and prevent them from tampering with other campaigns.

Sulmeyer said only the federal government should be able to carry out counter-hacks, and only against foreign targets. Baker, meanwhile, said US companies and individuals should be allowed as well, through hired professionals.
 
“I think we’re going to end up there,” Baker said, “because there’s no way the government is going to be able to keep up.”

Baker’s view has some support in Congress. Nine Republican and Democratic House members introduced a bill last year to make it legal for private parties to counter-attack when under digital fire.

For instance, if a utility such as National Grid spotted hackers trying to break in, the electric utility company could deploy its own people to shut down the opposition.

Gregory Nojeim, senior counsel at the Center for Democracy and Technology in Washington, believes this is a terrible idea. For one, it’s difficult to be absolutely certain the retaliation is hitting the right target.

Hackers often route their attacks through machines owned by innocent third parties; imagine going after a ransomware gang and taking down a hospital network by mistake.

Besides, even if hacking back became legal in the United States, it would remain a crime in other countries, a major problem for businesses with lots of overseas locations.

“Hacking back, if it’s done by any entity, should be a governmental function,” said Nojeim.

Even then, it’s risky. Open fire on a rival nation, with bullets or with bits, and they usually fire back. “If we do something, they’re going to do something back to us,” said Herb Lin, senior research scholar for cyber policy at Stanford University. “Be prepared for a big reaction.”

If the US government hits Fancy Bear, the Russians might target the Nasdaq stock exchange or turn off the lights in Sioux City, Iowa. Then we might empty Vladimir Putin’s bank accounts or shut down the Moscow subway. And so on. It’s not a thermos-nuclear exchange, but bad enough.

But while Lin frets over blowback, he still thinks the United States may have no choice but to counter-attack. “It’s certainly different from what we have now,” he said. “But what we have now hasn’t worked.”

Boston Globe:       Image; Nick Youngson

You Might Also Read: 

Cyber Criminals Have Access To Weapons Grade Hacking Tools:

US Steps Up Its Cyberwar Capability:

 

 

« The US Is Losing the Information War To Russia
How Silicon Valley Became A Den Of Spies »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

IEEE Computer Society

IEEE Computer Society

The IEEE Computer Society is the world's leading membership organization dedicated to computer science and technology.

Bottomline Technologies

Bottomline Technologies

Bottomline Technologies is an innovator in business payment automation technology, helping companies make complex business payments simple, smart and secure.

SANS CyberStart

SANS CyberStart

SANS CyberStart is a unique and innovative suite of tools and games designed to introduce children and young adults to the field of cyber security.

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71) is Singapore's first cybersecurity entrepreneur hub.

Paladin Capital Group

Paladin Capital Group

Paladin is a leading global investor that supports and grows the world’s most innovative cyber companies.

Cybil

Cybil

Cybil is a publicly-available portal where members of the international cyber capacity building community can find and share information to support the design and delivery of programs and projects.

AwareGO

AwareGO

AwareGO is a global provider of security awareness training content and solutions that help enterprises improve cybersecurity awareness in the workplace.

Sydeco

Sydeco

Sydeco offer a complete range of products that secure computer and industrial networks, servers, programs and data against any type of computer attack.

Sentra

Sentra

Sentra is focused on improving data security practices within the cloud, mitigating the risks of damaging data leaks by providing comprehensive visibility into critical data assets.

Advent One

Advent One

Advent One are recognised for solving intricate dilemmas, not only making technology work but building foundations that customers can grow upon in an effective and secure way.

Cisco Systems

Cisco Systems

Cisco helps seize the opportunities of tomorrow by proving that amazing things can happen when you connect the unconnected.

Verisign

Verisign

Verisign is a Global Leader in Domain Names & Internet Security, providing protection for websites and enterprises around the world.

Hawk AI

Hawk AI

Hawk AI’s mission is to help financial institutions detect financial crime more effectively and efficiently using AI to enhance rules and find anomalies.

RIoT Secure

RIoT Secure

RIoT Secure AB is a technology enabler within the IoT industry - created with a vision to ensure security technology exists in the foundations of software development for IoT solutions.

5S Technologies

5S Technologies

5S Technologies is a regional IT solutions and services provider based in Cary, NC and serving the Carolinas.

Yondu

Yondu

Yondu empowers businesses across various industries through a wide array of innovative technology solutions to help them scale in the new digital economy.