One Answer To Cyber Attacks Is To Hack Back

Recently, the director of US national intelligence warned that US computer systems are so vulnerable that the nation may be facing a “cyber 9/11.” Then the US Department of Homeland Security revealed that Russian hackers could get inside the nation’s utilities and turn off the lights in much of the United States.

What next? How about some payback, targeting the attackers who target us?

Some cybersecurity experts and lawmakers argue that tougher passwords and thicker firewalls alone won’t protect America’s digital assets, because any defense can be breached. Instead, they want the US government, and even private companies and individuals, to go on the offensive by using the hackers’ own methods against them.

“You try to go about hacking the hackers,” said Michael Sulmeyer, a former Pentagon director of cyber policy who now runs the cyber security project at Harvard University’s Belfer Center.

Sulmeyer believes that US cyber warriors should launch counter-attacks against foreign spies and saboteurs. Others, like Stewart Baker, former general counsel of the US National Security Agency, would go even further. They say it should be legal for businesses and individuals to “hack back” against spies or criminal gangs that attack their networks.

“If you want to deter attacks,” said Baker, “you’ve got to be prepared to do something to the attackers that they fear.”

Some kinds of cyber-offense have already been tried. The United States is widely believed to have worked with Israel to create Stuxnet, a sophisticated malware program used to sabotage the Iranian nuclear weapons program, though neither country has ever confirmed this.

But Stuxnet was aimed at a single, precisely defined target. Hacking the hackers would mean taking on many different online adversaries, each of them skilled at covering their tracks.

It’s a strategy born from sheer frustration. For a quarter-century, brilliant people have developed countless clever defenses against cyber aggression, yet computer networks remain as insecure as ever. But that means the attackers’ own networks are vulnerable, too.

Yes, the bad guys will recover, just as the good guys do. But Sulmeyer said that every time a hacker network is shut down, “it becomes more expensive for them to hack us, and they make more mistakes.” Moreover, the kind of attacks aimed at us by Russia require advanced facilities that can’t be recreated overnight.

Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, is skeptical about the wisdom of counter-attacking hackers, but he concedes that it might do some good. “If you burn them, you set back their operations six months,” said Schneier. “Six months isn’t that long, but it’s an election cycle.”

The upcoming midterms will likely offer a chance to test this strategy. Microsoft Corp. recently said it identified Russian hacker attacks on the campaigns of three candidates running in November. Microsoft didn’t say which candidates, but recently, Senator Claire McCaskill, a Democrat from Missouri facing a tough reelection battle, said she was targeted.

And recently, New Hamshire Democrat Senator Jeanne Shaheen revealed her computers had also been attacked, and said she had heard of many similar efforts against politicians of both parties.

So why shouldn’t the United States try to take these hackers out? Microsoft has identified the target, a group called Fancy Bear that’s associated with Russian military intelligence and was also involved in the hack of the 2016 election.

If Sulmeyer and Schneier are correct, even a temporary takedown of these attackers could knock them off-stride until the election is over, and prevent them from tampering with other campaigns.

Sulmeyer said only the federal government should be able to carry out counter-hacks, and only against foreign targets. Baker, meanwhile, said US companies and individuals should be allowed as well, through hired professionals.
 
“I think we’re going to end up there,” Baker said, “because there’s no way the government is going to be able to keep up.”

Baker’s view has some support in Congress. Nine Republican and Democratic House members introduced a bill last year to make it legal for private parties to counter-attack when under digital fire.

For instance, if a utility such as National Grid spotted hackers trying to break in, the electric utility company could deploy its own people to shut down the opposition.

Gregory Nojeim, senior counsel at the Center for Democracy and Technology in Washington, believes this is a terrible idea. For one, it’s difficult to be absolutely certain the retaliation is hitting the right target.

Hackers often route their attacks through machines owned by innocent third parties; imagine going after a ransomware gang and taking down a hospital network by mistake.

Besides, even if hacking back became legal in the United States, it would remain a crime in other countries, a major problem for businesses with lots of overseas locations.

“Hacking back, if it’s done by any entity, should be a governmental function,” said Nojeim.

Even then, it’s risky. Open fire on a rival nation, with bullets or with bits, and they usually fire back. “If we do something, they’re going to do something back to us,” said Herb Lin, senior research scholar for cyber policy at Stanford University. “Be prepared for a big reaction.”

If the US government hits Fancy Bear, the Russians might target the Nasdaq stock exchange or turn off the lights in Sioux City, Iowa. Then we might empty Vladimir Putin’s bank accounts or shut down the Moscow subway. And so on. It’s not a thermos-nuclear exchange, but bad enough.

But while Lin frets over blowback, he still thinks the United States may have no choice but to counter-attack. “It’s certainly different from what we have now,” he said. “But what we have now hasn’t worked.”

Boston Globe:       Image; Nick Youngson

You Might Also Read: 

Cyber Criminals Have Access To Weapons Grade Hacking Tools:

US Steps Up Its Cyberwar Capability:

 

 

« The US Is Losing the Information War To Russia
How Silicon Valley Became A Den Of Spies »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Hotlava Systems

Hotlava Systems

HotLava network adapters enable today's powerful servers and workstations to deliver more productivity by reducing congestion at the network interface.

Lookout

Lookout

Lookout is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack.

UL Solutions

UL Solutions

UL Solutions is a safety, security and compliance consulting and certification company. Areas covered include cyber security.

Adlink Technology

Adlink Technology

ADLINK is a leading provider of embedded computing products and services for applications including IoT and industrial automation.

High Sec Labs (HSL)

High Sec Labs (HSL)

High Sec Labs develops high-quality, cyber-defense solutions in the field of network and peripheral isolation.

Philippine National Police Anti-Cybercrime Group (PNP-ACG)

Philippine National Police Anti-Cybercrime Group (PNP-ACG)

The mission of the PNP Anti-Cybercrime Group is to implement and enforce pertinent laws on cybercrime and other cyber related crimes and pursue an effective anti-cybercrime campaign.

Seekurity

Seekurity

Seekurity is an information security consulting firm specialized in all areas of Cyber Security including Penetration Testing, Vulnerability Assessments and Risk Management.

CSIRT Italia

CSIRT Italia

CSIRT Italia is the national Computer Security Incident Response Team for Italy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CryptoCurrency Certification Consortium (C4)

CryptoCurrency Certification Consortium (C4)

The CryptoCurrency Certification Consortium is a non-profit organization that provides certifications to professionals who perform cryptocurrency-related services.

Recon InfoSec

Recon InfoSec

The Recon InfoSec team includes analysts, architects, engineers, intrusion specialists, penetration testers, and operations experts.

CertiProf

CertiProf

CertiProf has been enhancing professional lives since 2015, offering a wide range of IT certifications and agile framework training.

Dope Security

Dope Security

Dope Security is a fly-direct Secure Web Gateway that eliminates the data center stopover architecture required by legacy providers, instead performing security directly on the endpoint.

Fraud.net

Fraud.net

Fraud.net operates the first end-to-end fraud management and revenue enhancement ecosystem specifically built for digital enterprises and fintechs globally.

CliffGuard Cybersecurity

CliffGuard Cybersecurity

CliffGuard Cybersecurity deliver comprehensive services designed to protect your organization from the ever-evolving landscape of cyber threats.

Applaudo

Applaudo

Applaudo specializes in helping the world’s most admired brands optimize their IT solutions, reduce delivery costs, and accelerate their digital transformation.