The US Military Has A Free Rein For Offensive Hacking

A majority of digital security experts surveyed by The Washington Post say the Trump administration was right to make it easier for the military to conduct offensive cyber operations. But many cautioned that this new authority should be used very carefully.

The Network is a panel of more than 100 leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues.

Sixty percent of those who participated in our latest survey applauded President Trump's order in August allowing the defense secretary to authorize offensive hacking operations without elevating the decision to the White House.

“Our adversaries need to know we will persistently engage them in this new domain, and I support entrusting Cyber Command with additional responsibilities,” Rep. Jim Langevin, co-founder of the Congressional Cybersecurity Caucus and chair of the House Armed Services Committee’s emerging threats panel, said in response to our survey.

Many experts agreed with the administration's goal for stepping up offensive operations: for US adversaries in cyberspace to think twice about continuing their own attacks.

“Integrating cyber into our broader warfighting strategy and doctrine is long overdue,” said Frank Cilluffo, a former White House cyber official and chair of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure.

“Wielded in combination with other tools of national power, [cyber operations] can begin leveling the playing field and incur consequences on bad cyber behavior.”

The move is just "common sense" on an operational level, said David Brumley, a security and privacy professor at Carnegie Mellon University.

"The military should be able to use their judgment, within the confines of law, to determine where and how to conduct an offensive cyber operation. Allowing the men and women who are experts in cyber to make the call on how to use cyber is common sense.”

Yet even those who said they supported the president’s plan cautioned against giving the military free rein to launch hacking operations without consulting civilian government agencies.

“We need to be spending more time on this discussion and not just behind closed doors in the Pentagon,” said Mark Weatherford, a former Homeland Security Department cybersecurity official. Weatherford is now chief cybersecurity officer at the cloud security company vArmour.

Those among the 40 percent of respondents who said Trump's move was not a good idea raised similar concerns.

The military acting alone might be unaware of unintended consequences those operations might produce, they warned, such as hurting US businesses or undermining intelligence operations.

“Cyber operations are inherently unstable. They are hard to contain and constrain. Their use has implications beyond their immediate effects," said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School. "For this reason, many more equities need to be involved in decisions to use cyber weapons than for ordinary military operations.”

Former State Department cyber coordinator Chris Painter said that the president’s streamlined process wouldn’t “adequately account for foreign policy, law enforcement and other national equities which can harm our long-term interests and our ability to form alliances against shared cyber threats.”

As Melanie Teplinsky, former technology and cybersecurity official in the White House and Commerce Department, put it: "Before cyber striking, it is important to properly vet any proposed strike to ensure it is a net ‘win’ for the nation." Teplinsky now teaches at American University College of Law.

More broadly, former White House cybersecurity coordinator Michael Daniel worried that US cyber strikes would allow adversary nations to claim their offensive hacking is acceptable behavior.

“We don't have a monopoly on these capabilities and any offensive action we take legitimizes such actions, meaning another nation could take the same action against us. We are especially vulnerable to disruption through cyberspace," said Daniel who is now president of the Cyber Threat Alliance, a cybersecurity information sharing group.

"Therefore, we need to use this tool carefully and judiciously."

More offensive hacking by the United States probably will prompt other nations to do more hacking of their own and lead to less stability in cyberspace, said Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute.

“It’s Security Studies 101,” Cooper said. “When the US uses new weapons to increase its own security, other states are likely to respond in kind. And it's not clear we're well equipped to resist escalated efforts of other nations to conduct offensive operations against us.”

Some experts warned against any move by the United States to increase the use of cyber weapons. Among the dangers they cited was the specter of specialized hacking tools used by the US military leaking out and criminals using them against US citizens.

“Cyber weapons need to be treated akin to a chemical, biological and radiological weaponry,” said Sascha Meinrath, an Internet freedom activist who teaches at Penn State. “Normalising their use for short-term gain is a terribly myopic solution that guarantees long-term detrimental repercussions.”

Washington Post

You Might Also Read

The Pentagon Prepares A Cyber-Attack On Russia:

« Facebook Has Changed Computing
Edward Snowden Likes Zcash »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Free Access: Cyber Security Supplier Directory listing 5,000+ specialist service providers.

Cylance Smart Antivirus

Cylance Smart Antivirus

An antivirus that works smarter, not harder, from BlackBerry. Lightweight, non-intrusive protection powered by artificial intelligence. BUY NOW - LIMITED DISCOUNT OFFER.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Corero Network Security

Corero Network Security

Corero Network Security is dedicated to improving the security of the Internet through the deployment of its innovative DDoS & Network Security Solutions.

IABG

IABG

Activities include consulting services in the development of software systems in the area of secure information and data communication.

NESECO

NESECO

NESECO is an IT security integration and consulting firm providing security products, solutions, support, consulting, and training services.

HumanFirewall

HumanFirewall

Your secuirty is dorectly proportional to the awareness of your employees. Use Phishing simulation across your organization to train & profile user behavior.

SBD Automotive

SBD Automotive

SBD Automotive are specialists in automotive technology providing independent research and consultancy to help create smarter, more secure, better connected, and increasingly autonomous cars.

Templar Shield

Templar Shield

Templar Shield is a premier information security, risk and compliance technology professional services firm serving North America.

Kintent

Kintent

With Kintent, compliance becomes a habit, is simple to understand and achieve, and is continuously testable so that your customers can see that you are adhering to all your trust obligations.

Aegis Security

Aegis Security

Aegis Security helps clients to secure their systems against potential threats through pre-emptive measures, such as security assessments, and cutting-edge solutions to security challenges.