Law enforcement agencies and private companies don't always get along, but one occasion where they frequently come together is to complain that their networks are being penetrated by a seemingly continuous stream of cyber attacks. Whether it's the relative nuisance of DDoS attacks from hacktivist groups like Anonymous, or more serious threats of data theft and espionage from criminal gangs and foreign governments, the general rule has been that private entities maintain a defensive posture while the government hunts down the culprits.
But since CISPA's second death, it seems both groups have been itching to take a more aggressive stance. With "cybersecurity" hype still echoing through the halls of Congress, public- and private-sector witnesses attending a Senate Judiciary Committee hearing on Wednesday promoted the idea of taking the fight to the intruders.
"It is all well and good to complain about [intellectual property] thefts through diplomatic channels, but at some point you need to stop complaining and start indicting," urged committee chair Sen. Sheldon Whitehouse (D-RI), repeating a claim from NSA director General Keith Alexander that cybercrime has caused "the greatest transfer of wealth in history." That statement was referencing a pair of figures that estimated the amount of economic damage cybercrime has caused, numbers that have since been debunked as either fabricated or generously extrapolated from the original report.
"We are not likely going to defend our way out of this problem," said Stewart Baker, a partner at the law firm Steptoe & Johnson, comparing this approach to deterring street crime by "asking pedestrians to buy better body armor" every year. "I’m not calling for vigilantism, I’m not calling for lynch mobs. But we need to find a way to give the firms doing these investigations authority to go beyond their network."
"If we don't do that we will never get to the bottom of most of these attacks," he said.
This kind of "offensive" cyber defense is an area where US law enforcement has already made plenty of headway, and it doesn’t always align well with civil liberties and privacy concerns. On Tuesday, White House sources told the New York Times it was closing a deal that would levy steep fines against any website or internet service — including those based in foreign countries — that failed to accommodate the FBI with built-in wiretapping access within 30 days of receiving a court order.
Other countermeasures go much further. In one recent case, a Texas judge denied an FBI request to install spyware on a suspect's computer, citing concerns that the agency couldn't offer anything beyond a vague assurance that privacy and security safeguards were in place.
"It's perfectly understandable why law enforcement wants to use malware," says Mikko Hypponen, the chief research officer at F-Secure. "It's an extension to what they've been doing with phone taps, internet taps, and using cell phone carriers to track your location — all with a court order."
Even without those orders, outdated privacy laws currently allow law enforcement agents to use cell tower-spoofing devices like the Stingray to obtain massive amounts of data. Any email that has been opened or left in cloud servers for longer than 180 days is also fair game, according to FBI documents recently unsealed by the ACLU. "However, nothing is as intrusive as having government officials monitoring you through your own computer or smartphone," says Hypponen. "They see your files. They see where you surf. They can collect your passwords. They can watch what you do via your webcam."
All of this is fine if the target turns out to be guilty, he says. But if the Feds make a mistake, as they sometimes do, "it's hard to imagine a bigger breach of privacy."
At the hearing, though, much of the discussion was focused on foreign threats. Joseph Demarest, Jr., the assistant director of the FBI's Cyber Division, said, "There's been a lot of discussion and coordination" within law enforcement agencies over whether there are clear rules of engagement for responding to a foreign cyber attack.
He was attempting to respond to a question from Sen. Lindsey Graham (R-SC), who seemed to confuse the witness panel after repeatedly asking about the theoretical threat of a "Cyber 9/11," implying the need for an overtly offensive course of action that would mimic current US counterterrorism policy.
The Shanghai office building which Mandiant claims is the source of Chinese cyber attacks.
Several of the witnesses, including Kevin Mandia of the security firm Mandiant, pointed to China as the top perpetrator of attacks against the US. In February, Mandiant claimed to have traced an "overwhelming percentage" of Chinese cyber espionage to a building in Shanghai where People's Liberation Army hackers supposedly gather. The accusations have since drawn criticism, due in no small part to the fact that Stuxnet, the largest and most complex cyber attack to date, was conceived and executed in large part by the United States.
"Our Chinese friends seem to be hell-bent on stealing anything they can get their hands on here in America," said Graham. "We're going to put nation-states on notice that if you continue to do this, you'll pay a price."
Meanwhile, some companies like security startup CrowdStrike have been advocating a more aggressive approach toward computer security in the private sector. But striking out beyond their own networks also places companies in a decidedly shady legal area.
One of the many worrisome aspects of CISPA, the controversial cybersecurity bill which died yet again last month due to privacy concerns, was that it would have given broad immunity to private companies taking these "offensive" cybersecurity actions. That could include anything from passive tactics, like "honeypot" files that allow stolen assets to be traced back to their source, to more malicious "spear-phishing" attacks that install remote access tools on attackers’ computers to search for evidence.
But even Rep. Mike Rogers, CISPA’s top cheerleader in the House, has advised restraint when it comes to the private sector's hacking powers.
"I will guarantee you there will be lots of mistakes made, given the sophistication of nation-states in hiding their hand in activities," he said at a cybersecurity conference back in February. "I get very, very concerned about an unleashed private sector doing active defense, because a lot of things are gonna go wrong, I think."
Congress has only just begun to pick up the pieces of its twice-failed cybersecurity bill. But members of the private sector seem to be getting antsy, and it’s unclear whether a new, hopefully more balanced approach will sate those wanting to strike out on their own.