A majority of digital security experts surveyed by The Cybersecurity 202 say the Trump administration was right to make it easier for the military to conduct offensive cyber operations. But many cautioned that this new authority should be used very carefully.
The Network is a panel of more than 100 leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
Sixty percent of those who participated in our latest survey applauded President Trump's order in August allowing the defense secretary to authorize offensive hacking operations without elevating the decision to the White House.
“Our adversaries need to know we will persistently engage them in this new domain, and I support entrusting Cyber Command with additional responsibilities,” Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus and chair of the House Armed Services Committee’s emerging threats panel, said in response to our survey.
Many experts agreed with the administration's goal for stepping up offensive operations: for U.S. adversaries in cyberspace to think twice about continuing their own attacks.
“Integrating cyber into our broader warfighting strategy and doctrine is long overdue,” said Frank Cilluffo, a former White House cyber official and chair of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure. “Wielded in combination with other tools of national power, [cyber operations] can begin leveling the playing field and incur consequences on bad cyber behavior.”
The move is just "common sense" on an operational level, said David Brumley, a security and privacy professor at Carnegie Mellon University. "The military should be able to use their judgment -- within the confines of law -- to determine where and how to conduct an offensive cyber operation. Allowing the men and women who are experts in cyber to make the call on how to use cyber is common sense.”
Yet even those who said they supported the president’s plan cautioned against giving the military free rein to launch hacking operations without consulting civilian government agencies. “We need to be spending more time on this discussion and not just behind closed doors in the Pentagon,” said Mark Weatherford, a former Homeland Security Department cybersecurity official. Weatherford is now chief cybersecurity officer at the cloud security company vArmour.
Those among the 40 percent of respondents who said Trump's move was not a good idea raised similar concerns.
The military acting alone might be unaware of unintended consequences those operations might produce, they warned, such as hurting U.S. businesses or undermining intelligence operations. “Cyberoperations are inherently unstable. They are hard to contain and constrain. Their use has implications beyond their immediate effects," said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School. "For this reason, many more equities need to be involved in decisions to use cyberweapons than for ordinary military operations.”
Former State Department cyber coordinator Chris Painter said that the president’s streamlined process wouldn’t “adequately account for foreign policy, law enforcement and other national equities which can harm our long-term interests and our ability to form alliances against shared cyberthreats.”
As Melanie Teplinsky, former technology and cybersecurity official in the White House and Commerce Department, put it: "Before cyber striking, it is important to properly vet any proposed strike to ensure it is a net ‘win’ for the nation." Teplinsky now teaches at American University College of Law.
More broadly, former White House cybersecurity coordinator Michael Daniel worried that U.S. cyber strikes would allow adversary nations to claim their offensive hacking is acceptable behavior. “We don't have a monopoly on these capabilities and any offensive action we take legitimizes such actions -- meaning another nation could take the same action against us. We are especially vulnerable to disruption through cyberspace," said Daniel who is now president of the Cyber Threat Alliance, a cybersecurity information sharing group. "Therefore, we need to use this tool carefully and judiciously[.]"
More offensive hacking by the United States probably will prompt other nations to do more hacking of their own and lead to less stability in cyberspace, said Betsy Cooper, director of the Aspen Tech Policy Hub at the Aspen Institute.
“It’s Security Studies 101,” Cooper said. “When the U.S. uses new weapons to increase its own security, other states are likely to respond in kind. And it's not clear we're well equipped to resist escalated efforts of other nations to conduct offensive operations against us.”
And some experts warned against any move by the United States to increase the use of cyber weapons. Among the dangers they cited was the specter of specialized hacking tools used by the U.S. military leaking out and criminals using them against U.S. citizens.
“Cyberweapons need to be treated akin to chemical, biological and radiological weaponry,” said Sascha Meinrath, an Internet freedom activist who teaches at Penn State. “Normalizing their use for short-term gain is a terribly myopic solution that guarantees long-term detrimental repercussions.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
— More responses to The Network survey question on the Trump administration’s offensive hacking plan.
- YES: “If ‘easier’ means making decisions about principles that will guide use of offensive capabilities ahead of time so that decisions on specific deployment can be made quickly, that’s good. If ‘easier’ just means skip that process altogether, that’s not good.” – Suzanne Spaulding, former Homeland Security Department undersecretary in charge of cybersecurity
- YES: “Offensive cyber weapons when used responsibly have incredible precision and the ability to discriminate between legitimate targets and civilian infrastructure…If an offensive cyber operation can be effective, it will almost always place innocent non-combatants at less risk as compared to a kinetic attack on the target.” – Steve Grobman, McAfee chief technology officer
- YES: “Since this change was made via classified directive - arguably without the checks and balances that lead to confidence in these decisions - there is inadequate transparency into the categories of events that might result in action.” – Nuala O’Connor, president and CEO of the Center for Democracy and Technology
- YES: “The United States has been too timid and too lawyered-up to develop the kind of offensive capabilities we will need in cyberspace.” – Stewart Baker, former DHS assistant secretary for policy and former general counsel for the National Security Agency
- NO: “Any time we create a more efficient way to use offensive cyber capabilities, we risk our own and our allies' infrastructure as potential collateral damage, should these weapons leak or be stolen.” – Katie Moussouris, founder and CEO of Luta Security
- NO: "The ability (technical and administrative) to conduct offensive cyber operations is a natural evolution for military and law enforcement bodies and necessary to maintain national security. However, such operations must be conducted with strong oversight to avoid collateral damage to civilian systems, unnecessary escalation, and encroachment on sovereignty.” – Harley Geiger, director of public policy at Rapid7
PINGED: Sen. Amy Klobuchar's (D-Minn.) announcement on Sunday that she's running for president added another lawmaker with a hefty cybersecurity resume to the 2020 contest. Klobuchar was a main sponsor in the last Congress of the Secure Elections Act, the most prominent effort to improve state election systems against cyber intrusions — though the bill stalled amid skepticism from the White House and some state officials.
“Election security is national security and our intelligence officials have made clear that our election systems continue to be a target for foreign adversaries,” Klobuchar said in a statement last year about the legislation. “We must do everything in our power to protect our democracy from future attacks.” Sen. Kamala D. Harris (D-Calif.), who has also announced a presidential run, was also among the sponsors of the Secure Elections Act, which is expected to be reintroduced soon.
Klobuchar has also pushed cybersecurity legislation this year. Last week, she reintroduced a bipartisan bill with Sen. Dan Sullivan (R-Alaska) that would establish a program at the State Department to help share information with foreign allies about election security.
PATCHED: The United States' efforts to convince foreign allies to prevent Chinese telecommunications giant Huawei from building its 5G networks out of security concerns are hitting a roadblock in Eastern Europe, the Wall Street Journal's Drew Hinshaw and Stu Woo reported. Poland has told the United States it will restrict Huawei but has sought not to anger the Chinese company. Cybersecurity and defense officials in the Czech Republic have expressed security concerns about Huawei but the Czech president supports the company — though the position of president is rather ceremonial in the country. Slovakia and Hungary have not indicated that they plan to distance themselves from Huawei, according to the Journal.
A senior U.S. official said Secretary of State Mike Pompeo will tell officials during a trip this week to Hungary, Slovakia and Poland that Washington worries about Huawei's presence in this part of the European continent, Reuters's Lesley Wroughton reported. “In Hungary, the Secretary will give particular focus to the role of China in central Europe, and express our concerns about the growing presence of Huawei in Hungary,” said the official, who spoke on the condition of anonymity, according to Reuters. U.S. officials say Huawei could be used as a platform for Chinese spying.
PWNED: Federal cybersecurity employees are still working to clean up the effects of the partial federal government shutdown that ended more than two weeks ago as another shutdown could hit at the end of this week, Wired's Lily Hay Newman reported. It will take months for the picture of the damage that was caused by the shutdown to fully come into focus, Hay Newman reported.
“As an incident responder, you just found activity that took place three weeks ago, and now you have to quarantine and clean up and fix it when three weeks of damage has already been done,” Chris Kennedy, chief information security officer at the cybersecurity company RiskIQ and a former federal contractor, told Wired. “The work is harder and more chaotic and maybe your toolset doesn't work because a license is expired plus maybe people's security clearances have expired. All of those things are adding together.”
Another effect of the shutdown was to hamper federal agencies' ability to retain cybersecurity workers who can make more money in the private sector. “Security professionals say that the shutdown was a prime recruiting season for private firms, and that many government employees and contractors left or plan to leave for other positions,” Wired reported.
— The company Voatz, which makes an app to vote online using blockchain technology, said some states have expressed interest in its services after West Virginia last year allowed some voters abroad to cast ballots using the app, StateScoop's Benjamin Freed reported. Nimit Sawhney, the founder and chief executive of Voatz, “declined to say which states have contacted his company,” according to StateScoop. “The next state to dabble in blockchain voting could be right next door in Virginia, where two bills allowing ballots from deployed military voters to be cast electronically were recently introduced,” according to StateScoop. However, election security experts have warned about security risks associated with Internet voting.
— Privacy advocates and policymakers in California worry that lobbying groups for tech giants may seek to weaken a state online privacy law that is set to go into effect next year, The Washington Post's Tony Romm reported. The California Consumer Privacy Act would limit the data collection practices of major tech firms and could help set data privacy standards across the country. The tech sector has denied that it is trying to water down the California legislation. “To stop the spread of piecemeal state regulation, Facebook, Google and other tech companies have set their sights on the District of Columbia,” Tony wrote. “They have called for a federal privacy law, but with a price: They are urging Congress to effectively invalidate the privacy protections adopted in California and under consideration by its peers.”
— More cybersecurity news from the public sector:
— A security researcher said he found an unsecured database containing information on more than 14 million Instagram accounts that could be targeted by hackers, CyberScoop's Jeff Stone reported. “Data including users’ profile names, stored links to profile pictures and their Instagram ID is available in the database, which researcher Oliver Hough found on the Shodan web scanning service,” according to CyberScoop. “The database, physically located in the U.K., includes 14,526,602 entries, according to a screenshot Hough tweeted Friday.”
— More news about security incidents:
— The Swiss government will hold a public intrusion test on its future online voting system starting on Feb. 25 and offer cash rewards, ZDNet's Catalin Cimpanu reported. “Interested hackers from all over the world are welcome to attack the system,” the Swiss government said in a news release, according to ZDNet. “In doing so, they will contribute to improving the system's security.”
— More cybersecurity news from abroad:
- House Homeland Security Committee hearing on election security tomorrow.
- The Center for Strategic and International Studies holds an event on digital surveillance on Wednesday.
- Senate Homeland Security and Governmental Affairs Committee business meeting to consider several cybersecurity bills on Wednesday.
- The Bipartisan Policy Center and the Democracy Fund hold an event titled “The voting experience: 2018 and the future” on Thursday.
- Senate Commerce Committee hearing on “policy principles for a federal data privacy framework” on Feb. 27.
What you need to know about AMI, the company Jeff Bezos says tried to blackmail him:
Lawmakers still split on border wall talks:
Don't Marie Kondo your papers and photos into the trash. Save them in the cloud.