Credits: The Hill
For three decades after the Cold War ended, Americans lived with confidence that their lives and assets were protected by the unchallenged U.S. military and the deeply established rule of law. That era is over.
We’re now engaged in asymmetrical warfare, fighting super-empowered individuals and groups that are wreaking havoc on American society from abroad.
Relentless cyberattacks over the past year have exposed the confidential personal information of at least half of all Americans; undermined faith in fundamental pillars of our democracy; and penetrated the electronic fortresses protecting some of our most highly-classified secrets.
Just as the U.S. military has overhauled its defense strategy to boost cybersecurity’s role, we need a new strategy for protecting American individuals, businesses and other organizations from cyberthreats.
Our decades-old cybersecurity model, focused almost entirely on passively blocking malicious software and spam, is broken and beyond repair. It is time to embrace a new approach: turning the tables on the attackers and making them pay. It’s called active defense.
Cybercrime’s lure of huge potential profits and relatively little risk attracts people who would rob banks if they could do it without a gun and a getaway car. Cybercriminals are rarely apprehended and brought to justice. We must increase the cost and risk to criminals by empowering businesses and other civilian organizations to fight back.
The recent Senate confirmation of Kirstjen Nielsen as secretary of Homeland Security may put a sympathetic ear at the top of our nation’s security establishment. Ms. Nielsen was a senior fellow at the Center for Cyber and Homeland Security (CCHS), which last year published an extensive report detailing how federal agencies and Congress can open a space for active defense.
“The long-term strategic response must include a cyber deterrence strategy that actually denies benefits and imposes costs,” the CCHS report said. “Imposing real costs on these criminals is crucial to removing critical talent from cybercrime circles and to deterring individuals from engaging in such crime.”
It’s an area mired in controversy, but it needn’t be. We aren’t advocating vigilantism. We need to draw a distinction between cyber-offense (often called “hacking back”) and active defense. Here’s where to draw the line: Private actors shouldn’t be allowed to destroy or disrupt the external networks, equipment or data of people they believe to be criminals.
But defenders should be able to follow their investigations wherever they lead, including onto attackers’ equipment. Law enforcement authorities can use the information gathered to prosecute criminals, recover stolen funds and warn other victims, while financial and technology firms can freeze or close the attackers’ accounts.
Outdated laws and the lack of clear guidelines dividing legal measures from illegal ones have left many organizations wary of active defense techniques. The primary law governing this area, the Computer Fraud and Abuse Act, was passed in 1984, when typewriters vastly outnumbered PCs in offices and homes.
Federal agencies should issue guidelines specifying legal measures and carving out a safe harbor for their use, and they should enable qualified private sector entities to deploy even more aggressive measures in collaboration with authorities. Congress should update the laws where needed.
Congress is starting to pay attention. Rep. Tom Graves (R-Ga.) in October introduced the Active Cyber Defense Certainty Act (ACDC), which would allow cybercrime victims to access an attacker’s computer, without authorization, to gather information.
The ACDC drafts were met with a barrage of media criticism, but most critics focused on hacking back, not on active defense. They assumed the worst — that the law would encourage vigilantism, inviting collateral damage to innocent victims or unleashing cyberwar between business competitors.
The ACDC bill states that a defender isn’t allowed to financially damage a hacker. We agree that giving private-sector actors the right to directly inflict damage would be dangerous. But ultimately, the attackers need to suffer financial damage and other penalties. We want to ensure their attacks on our clients fail, and we want to help authorities throw them into jail.
If a security company can establish beyond reasonable doubt an attacker’s identity, it should be allowed to collect data about the attacker, including his attacks on others; his physical location and social network; and his bank accounts, mules, email addresses and phone numbers.
This information can be used to limit the damage the attacker can cause, improve defenses against other attackers and help law enforcement prosecute criminals and recover stolen funds.
It’s time pick up our swords, band together, both public and private defenders, and start fighting back.
Markus Jakobsson, Ph.D., is the chief scientist of cybersecurity company Agari. He published the first textbook on phishing in 2006 and holds more than 100 patents.