The Democratic National Committee hacks may have helped influence a presidential election, but their real legacy could end up being a dramatic change of course in US cyber defense policy.
A new bill called the Active Cyber Defense Certainty Act takes aim at a key problem in U.S. cyber policy. For the first time, it would legally authorize private companies and organizations to “hack back” against criminal attackers in order to obtain identifying information that can be used to attribute the attack.
In order to understand why this is so important, and what could be changed to make it workable, let’s back up for a minute and look at what’s wrong with our current defensive approach.
While the U.S. has a relatively aggressive offensive cyber program, that program is aimed at our strategic national security and intelligence needs. Protecting a U.S. steel company whose secret intellectual property has been stolen does not rise to the level at which our SIGINT system would leap into action on its behalf.
In addition, without information obtained directly from the companies in China or elsewhere that received the stolen information (often using state-sponsored hackers to obtain it), it is often impossible to demonstrate that harm has been done, especially when legal sanctions are on the line.
But there is a commonly used process, developed over the last few decades into a half-billion-dollar-a-year business segment, that could fill the gap: penetration testing.
The key to penetration testing is scoping, constant customer communication and rapid application of mostly open source techniques. While the proposed ACDC Act is a simple exception to the Computer Fraud and Abuse Act (CFAA), it doesn’t go far enough in creating a tenable framework for active defense, beyond limited one-off engagements. A more involved bill that sets up what is essentially a penetration testing-derived management structure hosted in the Department of Homeland Security would be far more scalable, solve the problem of our U.S. steel companies and avoid escalation issues.
Under this type of measure, a specialized security firm could be funded by U.S. Steel to investigate a scope defined by DHS, with the results of that penetration test going only to DHS for a decision on sanctions or other legal measures. These investigatory processes could operate under international transparency measures, using mostly open-source tooling and methodology completely distinct from our intelligence community tooling. In fact, once we have this system set up, it is very likely that other countries would use our agency process instead of building their own, as these things are complicated to manage.
This more involved but more workable proposal has already been outlined by several policy shops, most recently by the Heritage Foundation, but also by the Center for Cyber and Homeland Security at George Washington University and by CyberSecPolitics, a popular cyber security policy blog.
A cyber investigatory setup funded by private industry but run by the government would have a massive deterrent effect on cyber economic espionage. If a higher percentage of breaches result in criminal indictments by the FBI, economic sanction threats by the State Department or even public denunciations by the U.S. government, we can create real deterrence against many of these adversaries. No Chinese or Russian company would receive stolen American R&D intellectual property or sales plans if it knew that accepting that information could lead to heavy personal and corporate legal sanctions.
As an example, if the cyber investigatory team sees a billion-dollar U.S. Steel formula suddenly appear at a partner of China Steel without any corresponding R&D effort by the Chinese company, that indicates stolen information was used for China Steel's benefit. Even though China Steel may have outsourced the theft itself, it should be held liable for the results, and the penalties should be severe.
Policy makers in the cyber realm have long complained about the lack of U.S. deterrent effect. It is true that many of the traditional tools for policy do not have a strong impact when applied to this new domain of action, but we do have years of research from the information security industry that points us in the right direction.
Dave Aitel is the CEO of Immunity Inc.
The views expressed by contributors are their own and are not the views of The Hill.