The US Military Has A Free Rein For Offensive Hacking
A majority of digital security experts surveyed by The Washington Post say the Trump administration was right to make it easier for the military to conduct offensive cyber operations. But many cautioned that this new authority should be used very carefully.
The Network is a panel of more than 100 leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues.
Sixty percent of those who participated in our latest survey applauded President Trump's order in August allowing the defense secretary to authorize offensive hacking operations without elevating the decision to the White House.
“Our adversaries need to know we will persistently engage them in this new domain, and I support entrusting Cyber Command with additional responsibilities,” Rep. Jim Langevin, co-founder of the Congressional Cybersecurity Caucus and chair of the House Armed Services Committee’s emerging threats panel, said in response to our survey.
Many experts agreed with the administration's goal for stepping up offensive operations: for US adversaries in cyberspace to think twice about continuing their own attacks.
“Integrating cyber into our broader warfighting strategy and doctrine is long overdue,” said Frank Cilluffo, a former White House cyber official and chair of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure.
“Wielded in combination with other tools of national power, [cyber operations] can begin leveling the playing field and incur consequences on bad cyber behavior.”
The move is just "common sense" on an operational level, said David Brumley, a security and privacy professor at Carnegie Mellon University.
"The military should be able to use their judgment, within the confines of law, to determine where and how to conduct an offensive cyber operation. Allowing the men and women who are experts in cyber to make the call on how to use cyber is common sense.”
Yet even those who said they supported the president’s plan cautioned against giving the military free rein to launch hacking operations without consulting civilian government agencies.
“We need to be spending more time on this discussion and not just behind closed doors in the Pentagon,” said Mark Weatherford, a former Homeland Security Department cybersecurity official. Weatherford is now chief cybersecurity officer at the cloud security company vArmour.
Those among the 40 percent of respondents who said Trump's move was not a good idea raised similar concerns.
The military acting alone might be unaware of unintended consequences those operations might produce, they warned, such as hurting US businesses or undermining intelligence operations.
“Cyber operations are inherently unstable. They are hard to contain and constrain. Their use has implications beyond their immediate effects," said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School. "For this reason, many more equities need to be involved in decisions to use cyber weapons than for ordinary military operations.”
Former State Department cyber coordinator Chris Painter said that the president’s streamlined process wouldn’t “adequately account for foreign policy, law enforcement and other national equities which can harm our long-term interests and our ability to form alliances against shared cyber threats.”
As Melanie Teplinsky, former technology and cybersecurity official in the White House and Commerce Department, put it: "Before cyber striking, it is important to properly vet any proposed strike to ensure it is a net ‘win’ for the nation." Teplinsky now teaches at American University College of Law.
More broadly, former White House cybersecurity coordinator Michael Daniel worried that US cyber strikes would allow adversary nations to claim their offensive hacking is acceptable behavior.
“We don't have a monopoly on these capabilities and any offensive action we take legitimizes such actions, meaning another nation could take the same action against us. We are especially vulnerable to disruption through cyberspace," said Daniel who is now president of the Cyber Threat Alliance, a cybersecurity information sharing group.
"Therefore, we need to use this tool carefully and judiciously."
More offensive hacking by the United States probably will prompt other nations to do more hacking of their own and lead to less stability in cyberspace, said Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute.
“It’s Security Studies 101,” Cooper said. “When the US uses new weapons to increase its own security, other states are likely to respond in kind. And it's not clear we're well equipped to resist escalated efforts of other nations to conduct offensive operations against us.”
Some experts warned against any move by the United States to increase the use of cyber weapons. Among the dangers they cited was the specter of specialized hacking tools used by the US military leaking out and criminals using them against US citizens.
“Cyber weapons need to be treated akin to a chemical, biological and radiological weaponry,” said Sascha Meinrath, an Internet freedom activist who teaches at Penn State. “Normalising their use for short-term gain is a terribly myopic solution that guarantees long-term detrimental repercussions.”
You Might Also Read: