Sen. Sheldon Whitehouse (D-R.I.) will use a congressional hearing on cybersecurity today to float an idea that's controversial among security experts: “hacking back” against digital adversaries after a cyberattack.
“We ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression,” Whitehouse, the ranking Democrat on the Judiciary Committee's subcommittee on crime and terrorism, plans to say in opening remarks.
Allowing victims of cyberattacks to go on the offense may be an appealing option for some private companies. And there’s legislation in the House that would permit it when a victim notifies law enforcement first.
But the idea of hacking back presents serious risks at a time when nation-state hackers and other sophisticated actors are increasingly targeting U.S. businesses — and it will be interesting to see if national security officials would support such a proposal. For one thing, attributing a cyberattack isn’t easy — and there’s a greater than zero chance that a private company seeking to go on the offense could get its target wrong. And security experts have long warned that retaliation in cyberspace could escalate quickly — especially if the original attacker is, say, backed by a foreign government. This could end up drawing the government into a conflict it hadn’t bargained for.
Hacking back is one of several cybersecurity issues Whitehouse plans to touch on in the hearing, which is designed to give lawmakers a better idea of how Congress can help improve the government’s responses to digital attacks on critical infrastructure.
Whitehouse will also use his opening remarks to call for a new cybersecurity official tasked with keeping the public informed about digital threats. The government needs to “do a better job of helping the public understand our vulnerability to the wide range of cyber threats, from hacking and the theft of private data to cyberattacks on critical infrastructure,” he plans to say. “The president should designate for someone the role of cybersecurity ‘storyteller-in-chief,’ empowered to declassify information, and charged with clearly, constantly and concisely reporting known threats and attempted attacks.”
Additionally, Whitehouse plans to call for a “stress test” to find out whether the federal government’s cybersecurity guidelines for power plants and other critical infrastructure operators are up to par. If the National Institute of Standards and Technology Cybersecurity framework, as the guidelines are known, aren't “producing real security, we need to get to work on something that will,” his opening remarks say. And he’ll renew his proposal for a “roving inspector general for cybersecurity” to conduct oversight of the dozens of agencies that have cybersecurity authorities.
The wide-ranging hearing will feature testimony from Associate Deputy Attorney General Sujit Raman; Michael J. Moss, deputy director of the Cyber Threat Intelligence Integration Center in the Office of the Director of National Intelligence; and Robert Kolasky, director of the Department of Homeland Security’s new National Risk Management Center. Also testifying before the subcommitee are Sens. James Lankford (R-Okla.) and Richard Blumenthal (D-Conn.), who are sponsoring bills aimed at improving election security and deterring cybercrime, respectively.
It’s just one of the cybersecurity-focused hearings the Senate is holding this week featuring testimony from national security officials on critical infrastructure threats and Russian election interference.
Elsewhere on Capitol Hill on Tuesday, the Senate Banking, Housing and Urban Affairs Committee will question Sigal P. Mandelker, undersecretary of terrorism and financial crimes, about whether the administration’s sanctions against Moscow, which were ordered by Congress, have helped curb Russian cyberaggression. Also testifying are Christopher Krebs, DHS’s top cybersecurity official, and Christopher Ashley Ford, assistant secretary of the State Department’s Bureau of International Security and Nonproliferation. Additionally, the Senate Energy and Natural Resources Committee will hear from energy researchers on new ways to improve cybersecurity computer networks used to supply electricity to the grid. And on Wednesday, the Senate Rules Committee will mark up the Secure Elections Act, a bipartisan bill that would streamline the way state and federal officials exchange threat information against election systems.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “A group affiliated with the Russian government created phony versions of six websites — including some related to public policy and to the U.S. Senate — with the apparent goal of hacking into the computers of people who were tricked into visiting, according to Microsoft, which said Monday night that it discovered and disabled the fake sites,” The Washington Post's Elizabeth Dwoskin and Craig Timberg reported. “The effort by the notorious APT28 hacking group, which has been publicly linked to a Russian intelligence agency and actively interfered in the 2016 presidential election, underscores the aggressive role Russian operatives are playing ahead of the midterm congressional elections in the United States.”
My colleagues report that Microsoft didn't explicitly attribute the creation of the inauthentic websites revealed yesterday to the Russian military intelligence agency GRU, but the company mentioned the Russian government as well as APT28, Strontium and Fancy Bear. “After discovering the sites recently, Microsoft said, it sought to obtain a court order to transfer the domain names to its own servers, a legal tactic that the company’s security division has used a dozen times since 2016 to disable 84 websites created by APT28, which also is sometimes called Strontium or Fancy Bear,” Elizabeth and Craig wrote. “APT28, a unit under the Russian military intelligence agency GRU, specializes in information warfare or hacking and disinformation operations.” The fake websites sought to appear as if they were related to the Hudson Institute and the International Republican Institute; three other sites were made to look as if they were related to the Senate, and one site was an imitation of Microsoft online products.
PATCHED: “The leading effort in Congress to deter Russia from meddling in the U.S. midterm elections is likely to be rewritten to minimize unintended effects on global economies from stiff automatic sanctions on sovereign debt and energy,” Bloomberg News's Steven T. Dennis reported Monday. “‘We want to make sure that the economic harm is confined as much as possible to the Russian economy and the spillover effects are limited,’ said Senator Chris Van Hollen, a Maryland Democrat.”
Senate Foreign Relations Committee Chairman Bob Corker (R-Tenn.) said to Van Hollen and Sen. Marco Rubio (R-Fla.), who introduced the bill together, that they ought to ensure “that we don’t hurt our European friends, that we don’t hurt our own companies,” Dennis reported. Rubio and Van Hollen's bill outlines new sanctions and lists activities -- for instance, hacking election infrastructure -- that would result in retaliation from the United States.
Earlier this month, Rubio said in an interview on Fox News that he would consider tweaking another portion of the bill that would require the director of national intelligence — and not the president — to determine whether a foreign government interfered in a federal election. Rubio said this provision has received “a little bit of pushback.” “We're willing to do whatever it takes to pass a law that has real sanctions that will deter, but at the same time can pass the House, pass the Senate and will be signed into law by the White House,” Rubio said.
PWNED: Maryland's two U.S. senators, Benjamin L. Cardin (D) and Van Hollen, want to require election infrastructure vendors to disclose whether they are owned or controlled by foreigners. In a letter on Monday, Van Hollen and Cardin asked Senate Rules and Administration Committee Chairman Roy Blunt (R-Mo.) and Sen. Amy Klobuchar (Minn.), the panel's ranking Democrat, to include such a provision in the Secure Elections Act, an election security bill that the committee is scheduled to examine on Wednesday.
“American elections are a hallmark of our democratic system and a cornerstone of the rule of law,” Cardin and Van Hollen said in the letter. “Access to these systems by a foreign government could provide information for intelligence or other purposes adverse to U.S. national security interests.” Under the two senators' proposal, election infrastructure vendors would have to identify “any foreign national that directly or indirectly owns or controls the vendor, as well as any material change in ownership resulting in ownership or control by a foreign national.”
Van Hollen and Cardin's letter comes after the FBI informed Maryland state officials last month that ByteGrid LLC, a vendor that hosts several election systems in the state, is linked to a Russian-backed firm. “In 2015, ByteGrid LLC was financed by AltPoint Capital Partners, whose fund manager is a Russian and its largest investor is a Russian oligarch named Vladimir Potanin,” my colleague Ovetta Wiggins reported last month.
—“County election officials across Georgia say it’s too late to switch to paper ballots in the upcoming elections, despite warnings that hackers could easily penetrate the state’s antiquated electronic voting system and that Russia could unleash a new wave of disruptive cyberattacks,” Christine Condon of McClatchy DC Bureau reported on Monday. “U.S. District Judge Amy Totenberg is expected to rule any day on whether the state must switch to old-fashioned paper ballots. Her ruling would come in response to a year-old lawsuit by citizen activists. They argue that the state’s current system of relying on electronic voting machines that lack a paper backup is ‘hopelessly compromised’ and paper ballots are necessary to ensure public confidence in the results.”
However, state and county officials said adopting paper ballots with the midterm elections just a few months away would be too costly and impractical. “In a sworn court statement, Georgia elections director Chris Harvey said switching to paper this late in the process could have ‘drastic consequences,’” Condon wrote. “The state’s 159 counties already use paper ballots and optical scanners for provisional and absentee voting, but the existing scanners are designed to handle only a small volume, Harvey said.”
— “The up to $95 million price tag estimated by the company chosen for Louisiana’s lucrative voting machine replacement contract may have caused a bit of sticker shock, but the projection remains tens of millions of dollars cheaper than plans pitched by the two losing bidders,” the Associated Press's Melinda Deslatte reported Monday. “Financial proposals by vendors who weren’t chosen ranged from $115 million to nearly $160 million for the work, according to bid evaluation documents obtained by the Associated Press.”
— The Election Assistance Commission is set to reveal later this morning how states intend to spend the election security money Congress sent them in March. The commission says it will release the plans submitted by 48 out 55 states and territories earlier this year outlining what they’re doing with their shares of the $380 million infusion. (I reported last month on the plans submitted by California and Hawaii, which were among the first to turn their budgets into the EAC.)
— More cybersecurity news from the public sector:
— Booz Allen Hamilton has won a $1.03 billion cybersecurity contract as part of the federal government’s Continuous Diagnostics and Mitigation program, which aims to strengthen the cyberdefenses of government networks and systems. The Department of Homeland Security and the Federal Systems Integration and Management Center chose Booz Allen as prime contractor for a six-year task order to strengthen cybersecurity for the General Services Administration, the Department of Health and Human Services, NASA, the Social Security Administration, the Treasury Department and the U.S. Postal Service, according to a news release from Booz Allen.
— More cybersecurity news from the private sector:
- Senate Foreign Relations Committee hearing on the relationship between the United States and Russia.
- Senate Banking Committee hearing on Russia sanctions.
- Senate Judiciary subcommittee hearing on cyberthreats to U.S. critical infrastructure.
- Senate Energy Committee hearing on the “energy efficiency of blockchain and similar technologies.”
- Senate Rules and Administration Committee business meeting about the Secure Elections Act tomorrow.
Nuclear Knowledge: The modern nuclear arsenal
The definition of “truth” keeps changing under Trump:
Nun throws “perfect pitch” before Chicago White Sox game: