The US Military Has A Free Rein For Offensive Hacking

A majority of digital security experts surveyed by The Washington Post say the Trump administration was right to make it easier for the military to conduct offensive cyber operations. But many cautioned that this new authority should be used very carefully.

The Network is a panel of more than 100 leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues.

Sixty percent of those who participated in our latest survey applauded President Trump's order in August allowing the defense secretary to authorize offensive hacking operations without elevating the decision to the White House.

“Our adversaries need to know we will persistently engage them in this new domain, and I support entrusting Cyber Command with additional responsibilities,” Rep. Jim Langevin, co-founder of the Congressional Cybersecurity Caucus and chair of the House Armed Services Committee’s emerging threats panel, said in response to our survey.

Many experts agreed with the administration's goal for stepping up offensive operations: for US adversaries in cyberspace to think twice about continuing their own attacks.

“Integrating cyber into our broader warfighting strategy and doctrine is long overdue,” said Frank Cilluffo, a former White House cyber official and chair of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure.

“Wielded in combination with other tools of national power, [cyber operations] can begin leveling the playing field and incur consequences on bad cyber behavior.”

The move is just "common sense" on an operational level, said David Brumley, a security and privacy professor at Carnegie Mellon University.

"The military should be able to use their judgment, within the confines of law, to determine where and how to conduct an offensive cyber operation. Allowing the men and women who are experts in cyber to make the call on how to use cyber is common sense.”

Yet even those who said they supported the president’s plan cautioned against giving the military free rein to launch hacking operations without consulting civilian government agencies.

“We need to be spending more time on this discussion and not just behind closed doors in the Pentagon,” said Mark Weatherford, a former Homeland Security Department cybersecurity official. Weatherford is now chief cybersecurity officer at the cloud security company vArmour.

Those among the 40 percent of respondents who said Trump's move was not a good idea raised similar concerns.

The military acting alone might be unaware of unintended consequences those operations might produce, they warned, such as hurting US businesses or undermining intelligence operations.

“Cyber operations are inherently unstable. They are hard to contain and constrain. Their use has implications beyond their immediate effects," said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School. "For this reason, many more equities need to be involved in decisions to use cyber weapons than for ordinary military operations.”

Former State Department cyber coordinator Chris Painter said that the president’s streamlined process wouldn’t “adequately account for foreign policy, law enforcement and other national equities which can harm our long-term interests and our ability to form alliances against shared cyber threats.”

As Melanie Teplinsky, former technology and cybersecurity official in the White House and Commerce Department, put it: "Before cyber striking, it is important to properly vet any proposed strike to ensure it is a net ‘win’ for the nation." Teplinsky now teaches at American University College of Law.

More broadly, former White House cybersecurity coordinator Michael Daniel worried that US cyber strikes would allow adversary nations to claim their offensive hacking is acceptable behavior.

“We don't have a monopoly on these capabilities and any offensive action we take legitimizes such actions, meaning another nation could take the same action against us. We are especially vulnerable to disruption through cyberspace," said Daniel who is now president of the Cyber Threat Alliance, a cybersecurity information sharing group.

"Therefore, we need to use this tool carefully and judiciously."

More offensive hacking by the United States probably will prompt other nations to do more hacking of their own and lead to less stability in cyberspace, said Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute.

“It’s Security Studies 101,” Cooper said. “When the US uses new weapons to increase its own security, other states are likely to respond in kind. And it's not clear we're well equipped to resist escalated efforts of other nations to conduct offensive operations against us.”

Some experts warned against any move by the United States to increase the use of cyber weapons. Among the dangers they cited was the specter of specialized hacking tools used by the US military leaking out and criminals using them against US citizens.

“Cyber weapons need to be treated akin to a chemical, biological and radiological weaponry,” said Sascha Meinrath, an Internet freedom activist who teaches at Penn State. “Normalising their use for short-term gain is a terribly myopic solution that guarantees long-term detrimental repercussions.”

Washington Post

You Might Also Read

The Pentagon Prepares A Cyber-Attack On Russia:

« Facebook Has Changed Computing
Edward Snowden Likes Zcash »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Global Secure Solutions (GSS)

Global Secure Solutions (GSS)

Global Secure Solutions is an IT security and risk consulting firm and authorised ISO training partner for the PECB.

AVR International

AVR International

AVR educate, advise, analyse and provide professional, technical consultancy and support to ensure your business is safe, compliant and protected.

Fortress Group

Fortress Group

Fortress is specialized in confidential and discrete recruitment solutions and temporary staffing in the field of security and risk management.

Cybrary

Cybrary

Cybrary is an open-source cyber security and IT learning and certification preparation platform.

Omada

Omada

Omada is a leading provider of IT security solutions and services for identity management and access governance.

Sternum

Sternum

Sternum provides reliable and effective endpoint security for any IoT device, using robust technology and seamless integration.

Malleum

Malleum

MALLEUM are specialists in penetration testing and security assessments. We think like hackers – and act like them – to disclose discreet dangers to your organization.

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub

Cybersecurity Innovation Hub is a non-profit network organization focused on cooperation, information sharing, research and implementation of cutting-edge technologies in cybersecurity.

CyberRisk Alliance (CRA)

CyberRisk Alliance (CRA)

CyberRisk Alliance is a business intelligence company created to serve the rapidly evolving cybersecurity and information risk management marketplace.

Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC)

Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC)

MTS-ISAC promotes and facilitates maritime cybersecurity information sharing, awareness, training, and collaboration efforts between private and public sector stakeholders.

Unlimited Technology

Unlimited Technology

Unlimited Technology offers a wide range of talent and experience, from assessing your requirements to implementing technologically advanced security solutions to best fit your needs.

Cyber Lockout

Cyber Lockout

Comprehensive ransomware insurance and preventative cybersecurity technology solution, working together to help protect businesses 24/7/365.

US Coast Guard Cyber Command

US Coast Guard Cyber Command

US Coast Guard Cyber Command’s focus is to ensure the security of our cyberspace, maintain superiority over our adversaries,and safeguard our Nation’s critical maritime infrastructure.

Ibento Global

Ibento Global

Ibento organises the CyberX series of cybersecurity conferences.

Securin

Securin

Securin offers a comprehensive portfolio of solutions including Attack Surface Management, Vulnerability Intelligence, Penetration Testing, and Vulnerability Management.

SecZone

SecZone

SecZone is a Chinese enterprise with a mission to "Make It Secure." We are dedicated to driving software security innovation globally.