One Answer To Cyber Attacks Is To Hack Back

Uploaded on 2018-08-28 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Recently, the director of US national intelligence warned that US computer systems are so vulnerable that the nation may be facing a “cyber 9/11.” Then the US Department of Homeland Security revealed that Russian hackers could get inside the nation’s utilities and turn off the lights in much of the United States.

What next? How about some payback, targeting the attackers who target us?

Some cybersecurity experts and lawmakers argue that tougher passwords and thicker firewalls alone won’t protect America’s digital assets, because any defense can be breached. Instead, they want the US government, and even private companies and individuals, to go on the offensive by using the hackers’ own methods against them.

“You try to go about hacking the hackers,” said Michael Sulmeyer, a former Pentagon director of cyber policy who now runs the cyber security project at Harvard University’s Belfer Center.

Sulmeyer believes that US cyber warriors should launch counter-attacks against foreign spies and saboteurs. Others, like Stewart Baker, former general counsel of the US National Security Agency, would go even further. They say it should be legal for businesses and individuals to “hack back” against spies or criminal gangs that attack their networks.

“If you want to deter attacks,” said Baker, “you’ve got to be prepared to do something to the attackers that they fear.”

Some kinds of cyber-offense have already been tried. The United States is widely believed to have worked with Israel to create Stuxnet, a sophisticated malware program used to sabotage the Iranian nuclear weapons program, though neither country has ever confirmed this.

But Stuxnet was aimed at a single, precisely defined target. Hacking the hackers would mean taking on many different online adversaries, each of them skilled at covering their tracks.

It’s a strategy born from sheer frustration. For a quarter-century, brilliant people have developed countless clever defenses against cyber aggression, yet computer networks remain as insecure as ever. But that means the attackers’ own networks are vulnerable, too.

Yes, the bad guys will recover, just as the good guys do. But Sulmeyer said that every time a hacker network is shut down, “it becomes more expensive for them to hack us, and they make more mistakes.” Moreover, the kind of attacks aimed at us by Russia require advanced facilities that can’t be recreated overnight.

Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, is skeptical about the wisdom of counter-attacking hackers, but he concedes that it might do some good. “If you burn them, you set back their operations six months,” said Schneier. “Six months isn’t that long, but it’s an election cycle.”

The upcoming midterms will likely offer a chance to test this strategy. Microsoft Corp. recently said it identified Russian hacker attacks on the campaigns of three candidates running in November. Microsoft didn’t say which candidates, but recently, Senator Claire McCaskill, a Democrat from Missouri facing a tough reelection battle, said she was targeted.

And recently, New Hamshire Democrat Senator Jeanne Shaheen revealed her computers had also been attacked, and said she had heard of many similar efforts against politicians of both parties.

So why shouldn’t the United States try to take these hackers out? Microsoft has identified the target, a group called Fancy Bear that’s associated with Russian military intelligence and was also involved in the hack of the 2016 election.

If Sulmeyer and Schneier are correct, even a temporary takedown of these attackers could knock them off-stride until the election is over, and prevent them from tampering with other campaigns.

Sulmeyer said only the federal government should be able to carry out counter-hacks, and only against foreign targets. Baker, meanwhile, said US companies and individuals should be allowed as well, through hired professionals.
 
“I think we’re going to end up there,” Baker said, “because there’s no way the government is going to be able to keep up.”

Baker’s view has some support in Congress. Nine Republican and Democratic House members introduced a bill last year to make it legal for private parties to counter-attack when under digital fire.

For instance, if a utility such as National Grid spotted hackers trying to break in, the electric utility company could deploy its own people to shut down the opposition.

Gregory Nojeim, senior counsel at the Center for Democracy and Technology in Washington, believes this is a terrible idea. For one, it’s difficult to be absolutely certain the retaliation is hitting the right target.

Hackers often route their attacks through machines owned by innocent third parties; imagine going after a ransomware gang and taking down a hospital network by mistake.

Besides, even if hacking back became legal in the United States, it would remain a crime in other countries, a major problem for businesses with lots of overseas locations.

“Hacking back, if it’s done by any entity, should be a governmental function,” said Nojeim.

Even then, it’s risky. Open fire on a rival nation, with bullets or with bits, and they usually fire back. “If we do something, they’re going to do something back to us,” said Herb Lin, senior research scholar for cyber policy at Stanford University. “Be prepared for a big reaction.”

If the US government hits Fancy Bear, the Russians might target the Nasdaq stock exchange or turn off the lights in Sioux City, Iowa. Then we might empty Vladimir Putin’s bank accounts or shut down the Moscow subway. And so on. It’s not a thermos-nuclear exchange, but bad enough.

But while Lin frets over blowback, he still thinks the United States may have no choice but to counter-attack. “It’s certainly different from what we have now,” he said. “But what we have now hasn’t worked.”

Boston Globe:       Image; Nick Youngson

You Might Also Read: 

Cyber Criminals Have Access To Weapons Grade Hacking Tools:

US Steps Up Its Cyberwar Capability:

 

 

« The US Is Losing the Information War To Russia
How Silicon Valley Became A Den Of Spies »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Kaseya

Kaseya

Kaseya is a premier provider of unified IT management and security software for managed service providers (MSPs) and small to medium-sized businesses (SMBS).

TWNCERT

TWNCERT

TWNCERT is the National Computer Emergency Response Team of Taiwan.

Original Software

Original Software

Original Software offers a test automation solution focused completely on the goal of effective software quality management.

HID Global

HID Global

HID Global is a trusted leader in products, services and solutions related to the creation, management, and use of secure identities.

ZM CIRT

ZM CIRT

ZM CIRT is the national Computer Incident Response Team for Zambia.

Maverick Technologies

Maverick Technologies

Maverick is an industrial automation, enterprise integration and operational consulting company. Services include industrial cyber security.

ComCode

ComCode

ComCode provides consulting services and solutions in the area of digitization and cyber security for mid-sized and big businesses.

Sqreen

Sqreen

Sqreen is a web application security monitoring and protection solution helping companies protect their apps and users from attacks.

X4 Technology

X4 Technology

X4 Technology is a leader in finding the very best technology talent for some of the world’s most innovative start-ups and globally recognised brands.

EUROCONTROL

EUROCONTROL

EUROCONTROL is a pan-European, civil-military organisation dedicated to supporting European aviation. We help our stakeholders protect themselves against cyber threats.

World Congress on Industrial Control Systems Security (WCICSS)

World Congress on Industrial Control Systems Security (WCICSS)

The World Congress on Industrial Control Systems Security (WCICSS) is focused on emerging trends in protection of industrial control systems.

Blockchain Firm

Blockchain Firm

Blockchain Firm is a leading Blockchain based software solutions and service provider with our roots of expertise running deep into the technology.

Octane OC

Octane OC

OCTANe is building the SoCal of tomorrow. We drive innovation and growth by connecting people, resources and capital. Our Incubator focus is FinTech, Data Analytics and Cybersecurity.

Verificient Technologies

Verificient Technologies

Verificient Technologies specializes in biometrics, computer vision, and machine learning to deliver world-class solutions in continuous identity verification and remote monitoring.

MetaWeb Ventures

MetaWeb Ventures

MetaWeb Ventures is a global venture capital firm focused on pre-seed and seed investments in crypto start-ups.

Rezonate

Rezonate

Rezonate discovers, profiles, and protects Identities and their entire access journey to cloud infrastructure and critical SaaS applications. Preventing and stopping cyberattacks.

Redinent Innovations

Redinent Innovations

Redinent is a cutting-edge IoT Security platform that offers precise security posture analysis and delivers actionable intelligence, empowering businesses to operate with unrivaled resilience.

FSP

FSP

FSP is a leading consultancy specialising in Digital, Security and AI solutions. We navigate the complexities of data sensitivity, confidentiality, governance and compliance.