Lost amidst all of the headlines and controversies of the presidential race, the Republican Party is proposing a bold new approach to cybersecurity—one that could have an enormous impact on our national security.
“We must stop playing defense and go on offense to avoid the cyber-equivalent of Pearl Harbor,” declares the Republican Platform 2016. “We will explore the possibility of a free market for Cyber-Insurance and make clear that users have a self-defense right to deal with hackers as they see fit.”
In the backdrop of an FBI investigation into the high-profile breach of the Democratic National Convention computer networks, which is widely believed to have been the work of the Russian government, the concept of a right to self-defense for cyberattacks is gaining traction. A survey carried out by security firm TripWire at the recent BlackHat 2016 security conference found that 88 percent of the respondents believed state-sponsored attacks against elections should be considered an act of cyberwar—and more than half suggested that cyberattacks should be responded to in kind.
Cyber-attack retaliation is a very complicated feat, a multifaceted endeavor that involves many intricacies and can have unwanted repercussions. The question is, how feasible is it and what could be the possible implications?
Attribution of cybercrime is not an exact science
The first step to justifying any retaliatory cyberattack would be able to determine and expose the culprits. This is an extremely difficult task, however, especially when it comes from the outside.
“Attribution of attacks is one of the most difficult parts of incident forensics,” says Dwayne Melancon, CTO of TripWire. “When an attack is an ‘insider attack,’ you often have more information to come up with the specific identity of the perpetrator, but with external attacks, it is a different situation. Attackers, particularly skilled and experienced ones, are very good at hiding their tracks and obfuscating where the attacks truly originate.”
State-sponsored hackers are trained to hide their tracks, and they use deception techniques to throw off investigators and make it look like a different group or foreign government carried out the strike. In some instances, they will use proxy servers or compromised endpoints to falsify their location. More sophisticated hacking groups will try to impersonate other organizations by employing the tools and techniques attributed to them. That makes it incredibly difficult to specify with certainty the source and location of a cyberattack.
“Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong.”
Jeffrey Carr, a cybersecurity analyst and expert, calls attribution “more art than science.”
“It’s important to know that the process of attributing an attack by a cybersecurity company has nothing to do with the scientific method,” he writes in a recent Medium post. “Claims of attribution aren’t testable or repeatable because the hypothesis is never proven right or wrong.”
That’s why you seldom hear officials making direct claims about the perpetrators of nation-level attacks; instead, they’ll usually allusions and indirect references to the suspects. Even in cases where hard evidence about the perpetrators does exist, state officials are reluctant to make them public because doing so could reveal sensitive information about their own cyber operations and capabilities.
Is it even legal to stage retaliatory cyberattacks?
As far as the law is concerned, hacking is illegal, regardless of whether it’s in self-defense or not. “What the Republican platform proposed is only legal when conducted by the U.S. government or its contracted agents against other nation states,” says Carr. “It is illegal to ‘hack back’ against corporations or individuals.”
The 30-year-old Computer Fraud and Abuse Act (CFAA) explicitly prohibits individuals and companies from striking back against hackers who are attacking them. The CFAA has placed restrictions on gaining unauthorized access to computers, even if it would allow corporations or people to retrieve stolen data or stop an attack.
Law enforcement agencies are exempted from the law, but not totally. “When a government does respond, the response is highly regulated,” Carr adds. “It must be ‘in-kind’ or proportionate to the attack. Its goal is only to stop the aggressive action, not to punish or retaliate against the attacker.”
International regulations that govern state-level cyberattacks are considerably more lax on what justifies retaliation. “The rule of evidence for nation states is one of reasonableness,” Carr explains. “In other words, sufficient evidence should exist for a reasonable person to believe that A is responsible for the attack against B.”
Things get considerably more complicated after that. “However, if A wasn’t responsible, they can take B before the UN Security Council or the ICJ and ask for damages,” Carr adds.
“From a government perspective, if you accuse an organization or respond with an attack of your own, you run the risk of reputational damage if you’re wrong, or the other entity has plausible deniability,” TripWire’s Melancon says. “It could even go as far as being perceived as an act of cyberwar, if you’re not careful.”
That’s partly why governments are less eager to claim responsibility for their cyberattacks, whether they’re justified under the “reasonableness” principle or not.
What are the possible implications?
Openly engaging in cyberwarfare would have serious global implications. On the state level, it would lead to a rapid escalation of cyberattacks and counterattacks, triggering an arms’ race in the digital space. And governments have much more at stake in terms of international relations than just cybersecurity, which drives them to keep their clashes secret or under other pretexts.
“Mount a stronger defense. Build in resiliency. Make your potential attacker have to burn expensive tools if he wants to attack you.”
Irreparable mishaps will always be a concern as well. “Improper attribution happens all the time, and usually results in innocent entities being inconvenienced, wrongfully accused, and sometimes disparaged,” says Melancon. “Most of these incidents are not high profile, but they still leave a mark for the wrongfully accused. Another challenge is that the original accusation often receives a lot of attention, but the ‘clearing of the person’s name’ is barely noticed—that can tarnish a person or an entity’s relationship for a very long time.”
For example, Sherry Chen, a naturalized American citizen born in China, was wrongfully arrested on charges of exfiltrating classified information to China in 2014 as part of the U.S. government’s efforts to fight back against Beijing’s cyber espionage campaigns. Though the charges were dropped in March 2015, a week before her scheduled trial, the wounds remain.
There is also the issue of collateral damage that might result from cyber clashes between governments. For instance, last December’s multi-staged hacking of Ukraine’s power grid, which is widely attributed to the Russian government, left more than 230,000 civilians in the dark. The attacks were known to be the Kremlin’s response to Ukraine’s alleged constant sabotage of the power grid of Crimea, the disputed territory that the two states have been sparring over since last March.
Another interesting study is the 2014 breach of Sony Entertainment computers by North Korean hackers, which spilled confidential information, embarrassing emails, and full movie scripts across the internet. Though the U.S. allegedly did retaliate by shutting down North Korea’s internet, it would be interesting to see what would be the scale of an attack “in kind and in greater magnitude,” as the Republican Platform suggests, and who exactly the damage would be inflicted upon.
What are the alternatives?
The retaliation game would only trigger more strife, chaos, and possibly lead to all-out warfare. But what should be done to keep hackers away from sensitive infrastructure and corporate data?
“A much better model is to engage in what are often referred to as “offensive countermeasures,” which are designed to confuse, mislead, and frustrate attackers,” Melancon suggests. “These approaches make the attacks last longer, which increases the amount of data you have to profile and [makes it easier to] attribute the attack. This also impacts the economics of the attack—if it takes too long and the results are not lucrative, the attacker may move on to the next target. These often involve creating false targets within your network that look attractive but yield no meaningful information.”
Carr is of a like mind. “Mount a stronger defense. Build in resiliency. Make your potential attacker have to burn expensive tools if he wants to attack you. Nine times out of 10, he’ll find a weaker target, instead.” In an op-ed he wrote after the OPM breach, he proposed “the complete overhaul of how the government employs security measures and uses encryption technology across out all of its networks” as the correct alternative to retaliation.
In other words, our best offensive move might be to drastically improve our defense.