Are we entering the age of 'hack back'?
WASHINGTON -- When the debris settles after special counsel Robert Mueller completes his investigation into Russian hacking of the 2016 presidential election, America will still be left with the underlying problem that triggered the probe in the first place -- the threat of malicious cyberattacks against political parties, corporations, and anybody else who uses the internet.
Here's a disturbing fact: Even after all the uproar that has surrounded Mueller's inquiry, the U.S. government can't do much to protect most private citizens or organizations against attacks. There's better security now for election systems and critical infrastructure, but that doesn't help the banks, hedge funds, law firms and other companies with sensitive data -- which are basically on their own.
Mueller's findings about President Trump will have their own fiery afterlife on Capitol Hill, which nobody can predict. But Congress should also be thinking about the less-sexy fallout from the investigation, which highlighted the vulnerability of all data to foreign spies, meddlers and information pirates.
U.S. Cyber Command and the National Security Agency have already gone on the offensive against Moscow. Last fall, their joint "Russia Small Group" secretly "hacked back," in effect, against Russia's Internet Research Agency, briefly shutting down some of its computers. The aim was to deter the Russians from meddling in the 2018 midterm elections, and it seems to have worked.
Private companies are going on the offensive in cyberspace, too -- even though the legal terrain is murky and there's a big risk of triggering a tit-for-tat melee.
"Some organizations are conducting active cyber-defense 'hacking back,' but in my experience this will amplify the global cyber-arms race," warns Milan Patel, a prominent former FBI cyber expert who's now with BlueVoyant, a cyber-consulting firm. "Rather than hacking back, which will only bring a short-term sense of relief, companies need to do a better job at education and training." Patel estimates that 92 percent of attacks originate from spear-phishing, where employees unwittingly click on malware.
American history offers an unlikely lesson in how cyber-offense might be enhanced and also regulated, as explained by Michael Chertoff, former secretary of homeland security, in his recent book "Exploding Data."
At the very beginning of our nation, when America and France were fighting an undeclared war, the U.S. Navy was too weak to protect American vessels from attack. The high seas were an 18th-century version of cyberspace, with attackers lurking everywhere. So, as Chertoff notes, the U.S. Constitution mandated that: "Congress shall have Power ... To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water."
Today, argues Chertoff, the government could grant the equivalent of letters of marque to private cyber-defense companies. "To bolster its capacity to defend and deter cyberattacks, the government should train and license 'privateers' for certain specific operations ... to assist in deterring attacks against U.S. companies and infrastructure," he writes.
But Chertoff cautions in an interview: "Don't try this at home!" Meaning, companies should avoid any retaliatory action that might be illegal under U.S. or foreign law, or that would trigger counter-reprisals that would make the problem even worse.