The US Military Has A Free Rein For Offensive Hacking

Uploaded on 2019-03-04 in GOVERNMENT-Defence, FREE TO VIEW, GOVERNMENT-National, INTELLIGENCE--USA, TECHNOLOGY--Hackers

A majority of digital security experts surveyed by The Washington Post say the Trump administration was right to make it easier for the military to conduct offensive cyber operations. But many cautioned that this new authority should be used very carefully.

The Network is a panel of more than 100 leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues.

Sixty percent of those who participated in our latest survey applauded President Trump's order in August allowing the defense secretary to authorize offensive hacking operations without elevating the decision to the White House.

“Our adversaries need to know we will persistently engage them in this new domain, and I support entrusting Cyber Command with additional responsibilities,” Rep. Jim Langevin, co-founder of the Congressional Cybersecurity Caucus and chair of the House Armed Services Committee’s emerging threats panel, said in response to our survey.

Many experts agreed with the administration's goal for stepping up offensive operations: for US adversaries in cyberspace to think twice about continuing their own attacks.

“Integrating cyber into our broader warfighting strategy and doctrine is long overdue,” said Frank Cilluffo, a former White House cyber official and chair of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure.

“Wielded in combination with other tools of national power, [cyber operations] can begin leveling the playing field and incur consequences on bad cyber behavior.”

The move is just "common sense" on an operational level, said David Brumley, a security and privacy professor at Carnegie Mellon University.

"The military should be able to use their judgment, within the confines of law, to determine where and how to conduct an offensive cyber operation. Allowing the men and women who are experts in cyber to make the call on how to use cyber is common sense.”

Yet even those who said they supported the president’s plan cautioned against giving the military free rein to launch hacking operations without consulting civilian government agencies.

“We need to be spending more time on this discussion and not just behind closed doors in the Pentagon,” said Mark Weatherford, a former Homeland Security Department cybersecurity official. Weatherford is now chief cybersecurity officer at the cloud security company vArmour.

Those among the 40 percent of respondents who said Trump's move was not a good idea raised similar concerns.

The military acting alone might be unaware of unintended consequences those operations might produce, they warned, such as hurting US businesses or undermining intelligence operations.

“Cyber operations are inherently unstable. They are hard to contain and constrain. Their use has implications beyond their immediate effects," said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School. "For this reason, many more equities need to be involved in decisions to use cyber weapons than for ordinary military operations.”

Former State Department cyber coordinator Chris Painter said that the president’s streamlined process wouldn’t “adequately account for foreign policy, law enforcement and other national equities which can harm our long-term interests and our ability to form alliances against shared cyber threats.”

As Melanie Teplinsky, former technology and cybersecurity official in the White House and Commerce Department, put it: "Before cyber striking, it is important to properly vet any proposed strike to ensure it is a net ‘win’ for the nation." Teplinsky now teaches at American University College of Law.

More broadly, former White House cybersecurity coordinator Michael Daniel worried that US cyber strikes would allow adversary nations to claim their offensive hacking is acceptable behavior.

“We don't have a monopoly on these capabilities and any offensive action we take legitimizes such actions, meaning another nation could take the same action against us. We are especially vulnerable to disruption through cyberspace," said Daniel who is now president of the Cyber Threat Alliance, a cybersecurity information sharing group.

"Therefore, we need to use this tool carefully and judiciously."

More offensive hacking by the United States probably will prompt other nations to do more hacking of their own and lead to less stability in cyberspace, said Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute.

“It’s Security Studies 101,” Cooper said. “When the US uses new weapons to increase its own security, other states are likely to respond in kind. And it's not clear we're well equipped to resist escalated efforts of other nations to conduct offensive operations against us.”

Some experts warned against any move by the United States to increase the use of cyber weapons. Among the dangers they cited was the specter of specialized hacking tools used by the US military leaking out and criminals using them against US citizens.

“Cyber weapons need to be treated akin to a chemical, biological and radiological weaponry,” said Sascha Meinrath, an Internet freedom activist who teaches at Penn State. “Normalising their use for short-term gain is a terribly myopic solution that guarantees long-term detrimental repercussions.”

Washington Post

You Might Also Read

The Pentagon Prepares A Cyber-Attack On Russia:

« Facebook Has Changed Computing
Edward Snowden Likes Zcash »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Willis Towers Watson

Willis Towers Watson

Willis Towers Watson is a global risk management, insurance brokerage and advisory company. Services offered include Cyber Risks insurance.

Wireless Logic

Wireless Logic

Wireless Logic delivers a range of secure and resilient value-added M2M/IoT managed services that empower remote devices to communicate cost-effectively, two ways.

National Authority for Electronic Certification and Cyber Security (AKCESK)

National Authority for Electronic Certification and Cyber Security (AKCESK)

AKCESK ensures security for trusted services, in particular reliability and security in electronic transactions between citizens, businesses and public authorities.

972VC

972VC

972VC was created to help entrepreneurs find potential funding for their startups. Your guide to the Israeli startup funding ecosystem.

Dcode

Dcode

Dcode connects the tech industry and government to drive commercial innovation in the federal market.

CYBER.ORG

CYBER.ORG

CYBER.ORG's goal is to empower educators as they prepare the next generation to succeed in the cyber workforce of tomorrow.

Mindsight

Mindsight

Mindsight is a technology consulting firm with expertise from cybersecurity to cloud, disaster recovery to infrastructure, and collaboration to contact center.

VCG Group

VCG Group

VCG provides everything you need for the design, implementation and management of data centres, cyber-secure enterprise networks, cloud and connectivity services.

WhiteJar

WhiteJar

WhiteJar offers an innovative approach to modern cybersecurity needs, empowering Ethical Hackers within its unique crowd platform.

Regtank Technology

Regtank Technology

Regtank is a one-stop compliance solution for fintechs, navigating compliance, security and risk management.

Binalyze

Binalyze

Binalyze is the world's fastest and most comprehensive enterprise forensics solution. Our software helps you to collaborate and complete incident response investigations quickly.

Accenture

Accenture

Accenture is a leading global professional services company providing a range of strategy, consulting, digital, technology & operations services and solutions including cybersecurity.

Censinet

Censinet

Censinet provides the first and only third-party risk management platform for healthcare organizations to manage the threats to patient care that exist within an expanding ecosystem.

Secfix

Secfix

Secfix helps companies get secure and compliant in weeks instead of months. We are on a mission to automate security and compliance for small and medium-sized businesses.

Mitigo Group

Mitigo Group

Mitigo offers a well considered and effective approach to keeping businesses completely secure from any digital attacks.

Zama

Zama

Zama - pioneering homomorphic encryption. We believe people shouldn't care about privacy. Not because it doesn't matter, but because it shouldn't be an issue!