The US Military Has A Free Rein For Offensive Hacking

A majority of digital security experts surveyed by The Washington Post say the Trump administration was right to make it easier for the military to conduct offensive cyber operations. But many cautioned that this new authority should be used very carefully.

The Network is a panel of more than 100 leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues.

Sixty percent of those who participated in our latest survey applauded President Trump's order in August allowing the defense secretary to authorize offensive hacking operations without elevating the decision to the White House.

“Our adversaries need to know we will persistently engage them in this new domain, and I support entrusting Cyber Command with additional responsibilities,” Rep. Jim Langevin, co-founder of the Congressional Cybersecurity Caucus and chair of the House Armed Services Committee’s emerging threats panel, said in response to our survey.

Many experts agreed with the administration's goal for stepping up offensive operations: for US adversaries in cyberspace to think twice about continuing their own attacks.

“Integrating cyber into our broader warfighting strategy and doctrine is long overdue,” said Frank Cilluffo, a former White House cyber official and chair of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure.

“Wielded in combination with other tools of national power, [cyber operations] can begin leveling the playing field and incur consequences on bad cyber behavior.”

The move is just "common sense" on an operational level, said David Brumley, a security and privacy professor at Carnegie Mellon University.

"The military should be able to use their judgment, within the confines of law, to determine where and how to conduct an offensive cyber operation. Allowing the men and women who are experts in cyber to make the call on how to use cyber is common sense.”

Yet even those who said they supported the president’s plan cautioned against giving the military free rein to launch hacking operations without consulting civilian government agencies.

“We need to be spending more time on this discussion and not just behind closed doors in the Pentagon,” said Mark Weatherford, a former Homeland Security Department cybersecurity official. Weatherford is now chief cybersecurity officer at the cloud security company vArmour.

Those among the 40 percent of respondents who said Trump's move was not a good idea raised similar concerns.

The military acting alone might be unaware of unintended consequences those operations might produce, they warned, such as hurting US businesses or undermining intelligence operations.

“Cyber operations are inherently unstable. They are hard to contain and constrain. Their use has implications beyond their immediate effects," said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School. "For this reason, many more equities need to be involved in decisions to use cyber weapons than for ordinary military operations.”

Former State Department cyber coordinator Chris Painter said that the president’s streamlined process wouldn’t “adequately account for foreign policy, law enforcement and other national equities which can harm our long-term interests and our ability to form alliances against shared cyber threats.”

As Melanie Teplinsky, former technology and cybersecurity official in the White House and Commerce Department, put it: "Before cyber striking, it is important to properly vet any proposed strike to ensure it is a net ‘win’ for the nation." Teplinsky now teaches at American University College of Law.

More broadly, former White House cybersecurity coordinator Michael Daniel worried that US cyber strikes would allow adversary nations to claim their offensive hacking is acceptable behavior.

“We don't have a monopoly on these capabilities and any offensive action we take legitimizes such actions, meaning another nation could take the same action against us. We are especially vulnerable to disruption through cyberspace," said Daniel who is now president of the Cyber Threat Alliance, a cybersecurity information sharing group.

"Therefore, we need to use this tool carefully and judiciously."

More offensive hacking by the United States probably will prompt other nations to do more hacking of their own and lead to less stability in cyberspace, said Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute.

“It’s Security Studies 101,” Cooper said. “When the US uses new weapons to increase its own security, other states are likely to respond in kind. And it's not clear we're well equipped to resist escalated efforts of other nations to conduct offensive operations against us.”

Some experts warned against any move by the United States to increase the use of cyber weapons. Among the dangers they cited was the specter of specialized hacking tools used by the US military leaking out and criminals using them against US citizens.

“Cyber weapons need to be treated akin to a chemical, biological and radiological weaponry,” said Sascha Meinrath, an Internet freedom activist who teaches at Penn State. “Normalising their use for short-term gain is a terribly myopic solution that guarantees long-term detrimental repercussions.”

Washington Post

You Might Also Read

The Pentagon Prepares A Cyber-Attack On Russia:

« Facebook Has Changed Computing
Edward Snowden Likes Zcash »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Indelible Data

Indelible Data

Indelible Data is an established information security and technology consultancy and a Cyber Essentials Certification Body.

King & Spalding

King & Spalding

King & Spalding is an international law firm with offices in the United States, Europe and the Middle East. Practice areas include Data, Privacy & Security.

National Cyber Security Centre Finland (NCSC-FI)

National Cyber Security Centre Finland (NCSC-FI)

The NCSC-FI develops and monitors the operational reliability and security of communications networks and services in Finland.

PortSwigger

PortSwigger

PortSwigger's Burp Suite is an integrated platform for performing security testing of web applications.

CloudLayar

CloudLayar

CloudLayar is a cloud-based website firewall for protecting your website against online threats.

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity provide solutions for Secure Networks, Secure Communications, Network Analysis, and Endpoint Security.

National Defense Industry Association (NDIA)

National Defense Industry Association (NDIA)

The National Defense Industrial Association Cyber Division contributes to US national security by promoting interaction between the cyber defense industry, government and military.

Tukan IT

Tukan IT

Tukan IT provides a data classification and protection solution.

ReconaSense

ReconaSense

ReconaSense helps protect people, assets, buildings and cities with its next-gen access control and converged physical security intelligence platform.

Rigado

Rigado

Rigado's mission is to enable commercial IoT success by providing high-performance secure and scalable wireless edge connectivity and network infrastructure.

US Venture Partners (USVP)

US Venture Partners (USVP)

USVP is a leading Silicon Valley venture capital firm focusing on early-stage start-ups that transform cybersecurity, enterprise software, consumer mobile and e-commerce, and healthcare.

Bechtle

Bechtle

Bechtle is one of Europe’s leading IT service providers offering a blend of direct IT product sales and extensive systems integration services.

Vantage Point Security

Vantage Point Security

Vantage Point are specialists in penetration testing and application security with a focus on the industries undergoing rapid digital transformation.

Chartered Institute of Information Security (CIISec)

Chartered Institute of Information Security (CIISec)

CIISec is dedicated to helping individuals and organisations develop capability and competency in cyber security.

AArete

AArete

AArete is a global management and technology consulting firm specializing in strategic profitability improvement, digital transformation, and advisory services.

NoviFlow

NoviFlow

NoviFlow is a leading provider of terabit networking software solutions for Communication Service Providers (CSPs).