A few weeks ago, the director of national intelligence warned that US computer systems are so vulnerable that the nation may be facing a “cyber 9/11.” Then the US Department of Homeland Security revealed that Russian hackers could get inside the nation’s utilities and turn off the lights in much of the United States.
What next? How about some payback, targeting the attackers who target us?
Some cyber security experts and lawmakers argue that tougher passwords and thicker firewalls alone won’t protect America’s digital assets, because any defense can be breached. Instead, they want the US government, and even private companies and individuals, to go on the offensive by using the hackers’ own methods against them.
“You try to go about hacking the hackers,” said Michael Sulmeyer, a former Pentagon director of cyber policy who now runs the cyber security project at Harvard University’s Belfer Center.
Sulmeyer believes that US cyber warriors should launch counter-attacks against foreign spies and saboteurs. Others, like Stewart Baker, former general counsel of the US National Security Agency, would go even further. They say it should be legal for businesses and individuals to “hack back” against spies or criminal gangs that attack their networks.
“If you want to deter attacks,” said Baker, “you’ve got to be prepared to do something to the attackers that they fear.”
Some kinds of cyber-offense have already been tried. The United States is widely believed to have worked with Israel to create Stuxnet, a sophisticated malware program used to sabotage the Iranian nuclear weapons program, though neither country has ever confirmed this.
But Stuxnet was aimed at a single, precisely defined target. Hacking the hackers would mean taking on many different online adversaries, each of them skilled at covering their tracks.
It’s a strategy born from sheer frustration. For a quarter-century, brilliant people have developed countless clever defenses against cyber aggression, yet computer networks remain as insecure as ever. But that means the attackers’ own networks are vulnerable, too.
Yes, the bad guys will recover, just as the good guys do. But Sulmeyer said that every time a hacker network is shut down, “it becomes more expensive for them to hack us, and they make more mistakes.” Moreover, the kind of attacks aimed at us by Russia require advanced facilities that can’t be recreated overnight.
Bruce Schneier, a fellow at Harvard’s Berkman Klein Center for Internet & Society, is skeptical about the wisdom of counter-attacking hackers, but he concedes that it might do some good. “If you burn them, you set back their operations six months,” said Schneier. “Six months isn’t that long, but it’s an election cycle.”
The upcoming midterms will likely offer a chance to test this strategy. Microsoft Corp. recently said it identified Russian hacker attacks on the campaigns of three candidates running in November. Microsoft didn’t say which candidates, but on Thursday, Senator Claire McCaskill, a Democrat from Missouri facing a tough reelection battle, said she was targeted. And on Sunday, New Hamshire Democrat Senator Jeanne Shaheen revealed her computers had also been attacked, and said she had heard of many similar efforts against politicians of both parties.
So why shouldn’t the United States try to take these hackers out? Microsoft has identified the target — a group called Fancy Bear that’s associated with Russian military intelligence and was also involved in the hack of the 2016 election. If Sulmeyer and Schneier are correct, even a temporary takedown of these attackers could knock them off-stride until the election is over, and prevent them from tampering with other campaigns.
Sulmeyer said only the federal government should be able to carry out counter-hacks — and only against foreign targets. Baker, meanwhile, said US companies and individuals should be allowed as well, through hired professionals.
“I think we’re going to end up there,” Baker said, “because there’s no way the government is going to be able to keep up.”
Baker’s view has some support in Congress. Nine Republican and Democratic House members introduced a bill last year to make it legal for private parties to counter-attack when under digital fire. For instance, if a utility such as National Grid spotted hackers trying to break in, the electric utility company could deploy its own people to shut down the opposition.
Gregory Nojeim, senior counsel at the Center for Democracy and Technology in Washington, believes this is a terrible idea. For one, it’s difficult to be absolutely certain the retaliation is hitting the right target. Hackers often route their attacks through machines owned by innocent third parties; imagine going after a ransomware gang and taking down a hospital network by mistake. Besides, even if hacking back became legal in the United States, it would remain a crime in other countries — a major problem for businesses with lots of overseas locations.
“Hacking back, if it’s done by any entity, should be a governmental function,” said Nojeim.
Even then, it’s risky. Open fire on a rival nation, with bullets or with bits, and they usually fire back. “If we do something, they’re going to do something back to us,” said Herb Lin, senior research scholar for cyber policy at Stanford University. “Be prepared for a big reaction.”
If the US government hits Fancy Bear, the Russians might target the Nasdaq stock exchange or turn off the lights in Sioux City, Iowa. Then we might empty Vladimir Putin’s bank accounts or shut down the Moscow subway. And so on. It’s not a thermonuclear exchange, but bad enough.
But while Lin frets over blowback, he still thinks the United States may have no choice but to counter-attack. “It’s certainly different from what we have now,” he said. “But what we have now hasn’t worked.”