The drumbeats of war are growing louder in cyberspace. After the Donald J. Trump administration’s decision to pull out of the Iran nuclear agreement, Iran has already re-started its campaign of probing U.S. companies in what many believe is preparation for retaliatory attacks.
The Trump administration seems inclined to meet fire with fire. National Security Advisor John Bolton has said he wants to use America’s “muscular cyber capabilities” to impose costs “so high that they will simply consign all their cyber warfare plans to their computer memories to gather electronic dust.” And while the Obama administration was inclined to turn the other cheek on Iranian provocations in order to get the nuclear deal done, the Trump administration will not be so inhibited.
Nicholas Schmidle’s excellent piece in the New Yorker details the long (and somewhat sordid) history of hacking back, capturing the heated desire of some cyber warriors in the private sector to take the gloves off against their attackers. Georgia’s governor wisely just vetoed a bill at the state level that would have authorized “active defense” but HR 4036 will probably get a new look this spring. A rumored re-write of the Obama-era presidential policy directive 20 on offensive cyber operations is already underway.
Proponents of hack back have a legitimate gripe. There are certainly circumstances in which companies would want to follow the trail of a cyber adversary to see what data was taken and who took it. In the event of destructive or disruptive attacks, there may be circumstances in which counteroffensive operations are the only reasonable means to stop the attacks.
Yet, under current U.S. law, companies cannot engage in the kind of intelligence operations that spy agencies are authorized to carry out. Nor can they engage in disruptive activity off their own networks.
Private companies hacking back scares many people in the cybersecurity policy community because, particularly in the current context, it could have companies starting wars that U.S. military will need to finish. We should all want to avoid an outcome where a company that under-invests in its own cybersecurity starts a conflict that will cost far more in blood and treasure than upgrading its firewalls.
That’s not to say there is no place for offense in the United States' national cyber strategy. Indeed, there are many circumstances in which the U.S. government might want to use its offensive capability to collect intelligence in order to help protect critical infrastructure, or to take offensive action on behalf of the companies that operate it.
The problem is that, currently, there is no way for the U.S. government and critical infrastructure companies to carry out the real-time coordination that would be necessary for a private company to work with the U.S. intelligence community or Cyber Command.
If the U.S. government wishes to maintain a semblance of its monopoly on offensive cyber activity, then it will need to institute a process for determining when to provide this form of assistance and for coordinating that response. That will require that critical infrastructure companies be brought into the intelligence loop.
In order for that to happen in a systematic and rigorous way, these companies will need to have access to classified communications channels and sufficient cleared personnel. In a new Council on Foreign Relations report, I call for the creation of a classified network for critical infrastructure and for instituting new policies that will make it possible for the companies that own and operate this infrastructure to hold clearances.
The federal government already runs a program for the U.S. defense industrial base, DIBnet, a classified network for defense contractors to receive intelligence on threats to their companies. Under the program, the Defense Cyber Crime Center (DC3) acts as a hub for sharing intelligence and provides forensic and other support to companies participating in the program. Creating a similar program for other critical infrastructure sectors, run by the Department of Homeland Security but connecting to the intelligence community and U.S. Cyber Command, would provide what the private sector wants, intelligence on threats and a counteroffensive capability, while maintaining government responsibility for these activities.