The federal government has taken a “failed approach” to cybersecurity, with efforts that focus on reducing vulnerabilities rather than actively deterring attackers, according to one of the FBI’s top former cyber officials.
Steven Chabinsky, a 17-year bureau veteran who stepped down this month as the FBI’s top cyber lawyer, argued that the movement to set security standards for companies — which has been a goal for the Obama administration and the focus of congressional debate — is useful only “in the margins.”
More important is to enable companies whose computer networks are targeted by criminals and foreign intelligence services to detect who’s penetrating their systems and to take more aggressive action to defend themselves, Chabinsky said in his first interview since leaving office.
“The FBI needs stronger partners in the private sector who can figure out who the bad guys are, and there needs to be much stronger relationships between the private sector, law enforcement and the courts to ensure that all the legal authorities that exist can be brought to bear against cyberattackers,” he said.
The remarks by Chabinsky are the latest warning from former top cyber officials.
Earlier this year, Shawn Henry, who recently retired as the FBI’s top cyber-sleuth, said that the government and the private sector, which controls the country’s critical computer networks, should work together to take more assertive action against sophisticated foreign adversaries.
The role of the private sector in aggressively defending itself has become a hot issue in cyber circles.
Former CIA director Michael V. Hayden has said that given the limits of the government in protecting companies in cyberspace, he expects to see the emergence of a “digital Blackwater,” or firms that hire themselves out to strike back at online intruders.
Chabinsky, who was the FBI Cyber Division’s deputy assistant director and who has joined the security firm CrowdStrike, said he is “not advocating vigilantism” or striking back at an attacker for retaliation’s sake.
Rather, he said, from his FBI experience, he thinks that there needs to be much more debate and clarity about what companies can and cannot do to protect themselves.
For instance, he said, say a company detects a breach and finds its proprietary data on an external server. Should the company have the legal right to delete or encrypt the data? The company could then report the theft to law enforcement so the government can pursue the hacker, he said.
The issue, said Stewart A. Baker, a former senior Homeland Security Department official who now advises clients on cybersecurity, is that entering another party’s server and deleting or encrypting data could, under some circumstances, violate a number of state and federal laws — including those against computer fraud or trespassing.
But, he said, there is a legal argument to be made that such an action is a reasonable defense of one’s property. Though common in other contexts, that defense has yet to be tested in the cyber area in court.
“This is an area that would seem ripe for congressional debate and resolution,” Chabinsky said.
Baker, a partner at Steptoe & Johnson, agreed. “We all know from watching Westerns the difference between a lynch mob and a posse that’s been deputized,” he said. “Finding ways to provide appropriate oversight and yet use the substantial resources that the private sector can bring to bear is something we need to do.”
A key issue here, as in policy debates over how far the military can go to defend networks, is collateral damage.
Chabinsky acknowledged that there would need to be protections against unintended consequences and against actions that caused damage to innocent parties.
“What victims are talking about is getting onto a server” and deleting or encrypting their own data before it’s stolen, he said. “They’re not talking about taking vengeance and frying a system.”
The bottom line, he said, is “the defense has to be done in a judicious way.”