There are plenty of bad ideas out there about cybersecurity, but to create a really, really bad idea we need Congressional involvement.
Rep Tom Graves (R-Ga.) has reopened an old discussion of letting companies facing a cyber attack “shoot back” at hackers by mounting counter-attacks of their own. Right now, that’s illegal and I think it should stay that way. (To his credit, Rep. Graves has modified his draft legislation to limit the type of attacks and the destructive measures which U.S. companies can launch.)
{mosads}To start with, when shooting back, there’s the fundamental question of who to shoot. Notice that after any major cyber attack, it usually takes weeks to determine who’s responsible for it, and even those determinations are hedged with uncertainty. That’s because no single point of origination is apparent.
Graves wants to empower U.S. companies to get inside attacking computers in an effort to track down the bad guys who originated an attack.
Cyber attackers hit us from multiple computers in multiple countries. These computers belong to private companies, governments (including those friendly to the U.S.) and innocent individuals who don’t know their devices have been co-opted and who aren’t in league with the attackers. If we shoot back, the machines and data belonging to these people could be damaged. And the real attackers, hiding behind them, would be untouched.
Then there’s the matter of time. There is none. Attacks come so quickly that even well-trained humans can’t respond effectively. The most advanced companies defend themselves by using artificial intelligence, which has the smarts to react fast enough to deal with advanced threats such as the recent ransomware attacks. There is absolutely no way that we could mount a counter-offensive, get past the multiple co-opted computers that have attacked us, find the point of origin and hit—in whatever manner—the true bad guys who launched the attack.
We might be able to retaliate, weeks or months after being attacked, but we certainly could not shoot back in time to stop an attack in progress. Attacks don’t happen that way. If your devices are attacked today, it’s likely that the attackers planted their malware in your network months ago. You just haven’t been able to find it because your protective measures are not as advanced as the tools used by your adversaries.
Furthermore, we don’t have enough cybersecurity experts to strike back. It’s estimated that today there are more than one million unfilled cybersecurity jobs, even with high pay and good benefits. Right now, we can’t meet current corporate and government hiring requirement for defenders. There are no spare cyber soldiers to staff an offensive army.
Then there’s the matter of weaponry. What tools would we use to shoot back? Who would design them? (Remember that huge shortage of cybersecurity experts?) How can we be sure that these new weapons won’t be stolen and misused? Who can guarantee that they won’t be turned against us by our corporate competitors? Would we become victims of our own cyber-arms race?
Shooting back seems like an excellent opportunity to shoot ourselves in the foot, multiple times. You can’t legislate your way into a cyber strategy. Here’s a better idea: Drop the whole thing.
Hitesh Sheth is CEO of Vectra Networks, a cyber security company in San Jose, Calif.
The views expressed by this author are their own and are not the views of The Hill.