When the debris settles after special counsel Robert S. Mueller III completes his investigation into Russian hacking of the 2016 presidential election, the United States will still be left with the underlying problem that triggered the probe in the first place: the threat of malicious cyberattacks against political parties, corporations and anybody else who uses the Internet.
Here’s a disturbing fact: Even after all the uproar that has surrounded Mueller’s inquiry, the U.S. government can’t do much to protect most private citizens or organizations against attacks. There’s better security now for election systems and critical infrastructure, but that doesn’t help the banks, hedge funds, law firms and other companies with sensitive data — which are basically on their own.
Mueller’s findings about President Trump will have their own fiery afterlife on Capitol Hill, which nobody can predict. But Congress should also be thinking about the less-sexy fallout from the investigation, which highlighted the vulnerability of all data to foreign spies, meddlers and information pirates.
U.S. Cyber Command and the National Security Agency have already gone on the offensive against Moscow. Last fall, their joint Russia Small Group secretly “hacked back,” in effect, against Russia’s Internet Research Agency, briefly shutting down some of its computers. The aim was to deter the Russians from meddling in the 2018 midterm elections, and it seems to have worked.
Private companies are going on the offensive in cyberspace, too — although the legal terrain is murky, and there’s a big risk of triggering a tit-for-tat melee.
“Some organizations are conducting active cyberdefense ‘hacking back,’ but in my experience this will amplify the global cyberarms race,” said Milan Patel, a prominent former FBI cyber expert who’s now with BlueVoyant, a cybersecurity firm. “Rather than hacking back, which will only bring a short-term sense of relief, companies need to do a better job at education and training.” He said the latest industry reports estimate that 92 percent of attacks originate from spear-phishing, where employees unwittingly click on malware.
U.S. history offers an unlikely lesson in how cyberoffense might be enhanced and also regulated, as explained by Michael Chertoff, former secretary of homeland security, in his recent book “Exploding Data.”
At the very beginning of our nation, when the United States and France were fighting an undeclared war, the U.S. Navy was too weak to protect American vessels from attack. The high seas were an 18th-century version of cyberspace, with attackers lurking everywhere. So, as Chertoff notes, the U.S. Constitution mandated that “Congress shall have power . . . To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water.”
Today, Chertoff said, the government could grant the equivalent of letters of marque to private cyberdefense companies. “To bolster its capacity to defend and deter cyberattacks, the government should train and license ‘privateers’ for certain specific operations . . . to assist in deterring attacks against U.S. companies and infrastructure,” he writes.
But, Chertoff cautioned in an interview, “Don’t try this at home!” Meaning, companies should avoid any retaliatory action that might be illegal under U.S. or foreign law, or that would trigger counterreprisals that would make the problem even worse.
In the real-world marketplace, cybersecurity consultants are already selling “active defense” tools that push the envelope. Illusive Networks specializes in what its website calls “deception-based cybersecurity.” The idea is to create what intelligence organizations call “honeypots” that lure attackers and allow defenders to observe and manipulate them. “To catch an attacker, you must think like one,” says the company’s website.
Another cyberdeception specialist is Attivo Networks. Its website explains: “Deception changes the asymmetry against attackers with attractive traps and lures designed to deceive and detect attackers.” A third prominent player in the active-defense market is Endgame, which promises on its website that its software can hunt and stop exploits, phishing, malware, ransomware and other attacks. Social media platforms such as Facebook have become increasingly active, too, in defending their networks.
Cyber experts warn that active defense is a slippery slope. A honeypot can identify invaders. But it can also lure them to gobble malicious software that disables the attackers’ network or to steal false documents that deliberately mislead the attackers. And because attackers hide in servers that aren’t their own, a reprisal meant to target malicious hackers could take down a hospital or university.
The Mueller investigation has galvanized efforts to protect U.S. elections from future meddling. But the larger U.S. vulnerability to cyberattack remains, and it deserves more attention.
As U.S. companies move to protect their secrets, sometimes using tools once reserved for intelligence agencies, they need better guidance from Washington.