In upcoming testimony before the House Homeland Security Committee, I’ll be assessing the Department of Homeland Security, with particular focus on cybersecurity. Probably the most important point I’ll be making is a simple one:
We will never defend our way out of the current cybersecurity crisis.
That’s because putting all the burden of preventing crime on the victim rarely succeeds.
The obvious alternative is to identify the attackers and punish them. Many information security experts have given up on this approach. As they point out, retribution depends on attribution, and attribution is difficult; attackers can hop from country to country and from server to server to protect their identities.
I think this skepticism is outmoded, however.
Our intelligence on cyberattacks has gotten a lot better.
Investigators no longer need to trace each hop the hackers take. Instead, they can find other ways to compromise and then identify the attackers, either by penetrating hacker networks directly or by observing their behavior on compromised systems and finding behavioral patterns that uniquely identify the attackers.
No one can function in cyberspace without dropping bits of identifying data here and there. If the good guys’ security is inherently flawed, so is the bad guys’. If we exploit their bad security systematically, we should be able to put attribution — and retribution — back at the center of our response to cyberattacks.
Since nothing else is likely to work, we need to pursue this possibility with vigor. We should take the offense, surrounding and breaking into hacker networks to gather information about what they’re stealing and who they’re giving it to. That kind of information will help us prosecute criminals and embarrass state-sponsored attackers. It will also allow us to tell the victim of an intrusion with some precision who is in his network, what they want, and how to stop them. DHS’s intelligence analysis arm should be issuing more such reports and fewer bland generalities about terrorism risks for local law enforcement agencies.
If we’re going to do this, though, we can’t rely exclusively on government. Sure, governments have resources and authorities beyond those of any single company. But in aggregate, it’s the private sector that is losing the most and that has the most resources to put into locating and punishing the attackers. In my private practice, I advise a fair number of companies who are fighting ongoing intrusions, often at a cost of $50 or $100 thousand a week. The money they are spending is going almost entirely to defensive measures. At the end of the process, they may succeed in getting the intruder out of their system.
But the next week the same intruder may get another employee to click on a poisoned link and the whole process will begin again.
It’s a treadmill. Like me, these companies see only one way off the treadmill: to track the attackers, figure out who they are and who’s buying the stolen information, and then to sanction the attackers and their customers. This view is starting to emerge into the light. When private companies’ cybersecurity executives were surveyed recently, “more than half thought their companies would be well served by the ability to ‘strike back’ against their attackers.” W. Fallon, Winning Cyber Battles Without Fighting, Time (Aug. 27, 2012).
And the FBI’s top cybersecurity lawyer just this week called our current strategy a “failed approach” and urged that the government enable hacking victims “to detect who’s penetrating their systems and to take more aggressive action to defend themselves.” Washington Post (Sep. 17, 2012).
He’s right. But under the Computer Fraud and Abuse Act — especially as it’s been administered by the Justice Department’s Computer Crime and Intellectual Property Section, or CCIPS — there are doubts about how far a company can go in hacking the hackers. I happen to think that some of those doubts are not well-founded, but only a very brave company would ignore them.
Now there’s no doubt that US intelligence and law enforcement agencies have the authority to respond to hacks of US companies by breaking into the networks of suspected hackers and gathering information there. But by and large they don’t.
Why not? Because complaining to the FBI and CCIPS about even a state-sponsored intrusion is like complaining to the DC police that someone stole your bicycle. You might get a visit from the local office; you might get their sympathy; you might even get advice on how to protect your next bicycle. What you won’t get is a serious investigation. There are just too many crimes that have a higher priority.
In my view, that’s a mistake. The Department, drawing on the resources of the entire government, should do some full-bore criminal and intelligence investigations of private sector intrusions, especially those that appear to be state-sponsored. We need to show that we can identify the attackers, and that we can make them pay.
But that solution won’t scale, at least not when most of the Fortune 500 are probably under attack right now. If we want to use retribution and attribution broadly, we have to let the victims participate in, and pay for, many of these investigations.
Until recently, too many government officials have viewed such private countermeasures as the equivalent of vigilante justice. In my view, that just shows their lack of imagination. In the real world, if someone stops making payments on a car loan but keeps the car, the lender doesn’t call the police. He hires a repo man. In the real world, if your child is kidnapped and the police aren’t making the investigation a priority, you hire a private investigator. And, if I remember correctly the westerns I watched growing up, if a gang robs the town bank and the sheriff finds himself outnumbered, he deputizes a posse of citizens to help him track the robbers down.
Not one of those solutions is the equivalent of a lynch mob or of vigilante justice. Every one allows the victim to supplement law enforcement while preserving social control and oversight.
We need a corps of digital repo men and investigators that the private sector can deploy in a battle that the US government alone is losing. Of course we need to make sure this corps is regulated and can be sanctioned for excesses, as we do with repo men and investigators. But that’s not hard to achieve. In fact, DHS could probably experiment with such a solution tomorrow if it chose, as could the FBI. Law enforcement agencies often have probable cause for a search warrant or even a wiretap order aimed at cyberintruders. Sometimes they use contractors to help them carry out a particularly technical search. So why don’t they simply obtain a lawful intercept or search warrant aimed at a sophisticated hacker and turn the execution of the warrant over to a private contractor paid for by the victim and supervised by the agency? As long as it happens under government supervision, I can’t think of any legal barrier to doing that tomorrow. (I recognize that the Antideficiency Act arguably prohibits the government from accepting free services, but it has more holes in it than my last pair of hiking socks, including exceptions for protection of property in emergencies and for gifts that also benefit the donor, so I doubt it will be a serious limitation.)
If systematic looting of America’s commercial secrets truly is a crisis, and I believe that it is, why have we not already unleashed the creativity and resources of the private sector that is suffering the most direct harm?