Hitting back at hackers: Debate swirls on how far to go
After a seemingly endless barrage of cyberattacks, debate is heating up on hitting back at hackers where it hurts. Amid calls for ways to punish and deter hackers without sparking a so-called “cyber war,” a panel of experts assembled by the George Washington University Center for Cyber and Homeland Security said in a report Monday that US policies should be eased to allow “active defense” measures by both the government and private sector. However, it stopped short of endorsing the idea of “hacking back” to disable systems used by attackers. The panel envisioned measures such as taking down “botnets” that disrupt cyberspace, freeing data from “ransomware” hackers and “rescue missions” to recover stolen data.
The report follows a wave of high-profile attacks against US companies and government databases, and after Washington accused Russia of using cyberattacks to attempt to disrupt next week’s presidential election. It comes after President Barack Obama called for a “proportional” response to Russia, while leaving unanswered whether this would mean a cyberattack or measures such as diplomatic or economic sanctions.
‘Shooting behind the rabbit’
Former national intelligence director and GWU task force co-chair Dennis Blair said the US has been moving too slowly in its response to cyberattacks. “We are shooting so far behind the rabbit that we will only hit it if the rabbit makes another lap and comes back to where it was,” he told a conference presenting the report.
Some analysts argue that hackers and states responsible for attacks should get a taste of their own medicine, and that US laws should be amended to allow for hacking back at the cyber criminals. Some proposals call for private security firms to be “deputized” to carry out legally sanctioned hack-back operations when private firms are victimized. “Department stores hire private investigators to catch shoplifters rather than relying only on the police. So too private companies should be able to hire their own security services,” said a Hoover Institution paper written by scholars Jeremy Rabkin and Ariel Rabkin. “There should be a list of approved hack-back vendors from which victims are free to choose.”
Juan Zarate, a former White House national security advisor who now works with the Foundation for Defense of Democracies, said such a model for action could be based on the early days of the republic when Congress issued “letters of marque and reprisal” for private merchant ships to bring in maritime pirates.
In an essay last year, Zarate called for a “cyber-privateering regime that rewards, enables, and empowers the private sector to help defend itself in concert with government.” Others warn of the dangers of empowering private actors to engage in reprisals. Nuala O’Connor, president of the Center for Democracy and Technology and co-chair of the GWU panel, argued of unintended consequences of authorizing companies to break into outside computer networks. “I believe these types of measures should remain unlawful,” she wrote, adding that it remains difficult to be sure of cyberattacks’ sources. “The risks of collateral damage to innocent internet users, to data security, and to national security that can result from overly aggressive defensive efforts needs to be better accounted for.” — AFP