Wired is out with a major cover story this morning featuring former NSA contractor Edward Snowden clutching a giant American flag. In it, Snowden describes an NSA program known as MonsterMind, which, if the account is true, could signal a big step in how the U.S. government traces cyberattacks back to their source.
MonsterMind can reportedly analyze incoming malware and block it, according to Wired. But the real power lies in MonsterMind's other reported capability, hacking back at targets automatically:
Instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement.
The idea of a computer program that can fight back may sound like "Terminator"-level stuff. In reality, information security scholars say, it's rarely so simple.
The biggest problem for governments waging fights on the Internet is attribution — determining who's to blame for an attack. In the physical world, the laws of war require armies to wear insignia that mark them as a legitimate target. In cyberspace, there are no such rules, making it both logistically and technically difficult to find out who hit you. An attack that at first appears to come from China may actually have originated in, say, Russia, with the attackers taking steps to confuse the victim as to where they really are.
Hitting back, therefore, raises the risk of retaliating against the wrong target, though that hasn't stopped intelligence leaders from reserving the right. Although international law demands that any retaliation be "proportional" to the original attack and "discriminate" in its choice of targets — no hitting civilians, for instance — those requirements don't prevent governments from responding.
"Neither proportionality nor discrimination requires that we know who is responsible before we take defensive action," said Gen. Keith Alexander, in his confirmation hearing as NSA chief in 2010.
The problem in the case of MonsterMind is that it's unclear what "defensive action" means, said Allan Friedman, a cybersecurity scholar at George Washington University.
"'Firing back' is a fairly meaningless concept," said Friedman. "Does it mean I take over the system? Or I take over the system and manipulate it so I get to the next hop? Or I could block all traffic coming in from this particular point source."
Keeping a range of possible responses open is partly the point of such vague language. But adding to that the idea that MonsterMind can select the appropriate response and execute it independently is perhaps a sign that the United States is growing less concerned about the attribution problem — that it's growing more confident that it won't hit the wrong target in shooting back.
That's consistent with recent efforts by the Defense Advanced Research Projects Agency (DARPA) to develop defensive systems for cyberspace that can analyze threats automatically.
In 2012, Defense Secretary Leon Panetta said the government had made "significant investments" in the attribution problem and that they were paying off.
"Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America," Panetta told an audience of business executives in New York.