Is offense really your best defense?
In June, the House Appropriations Committee approved a spending bill that, among other things, included a reintroduction of Rep. Tom Graves’ Active Cyber Defense Certainty Act (ACDC). According to Rep. Graves’ website, the ACDC “makes targeted changes to the Computer Fraud and Abuse Act (CFAA) to allow use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.” Specifically, the bill gives authorized individuals and companies the legal authority to leave their own network to:
- establish attribution of an attack
- disrupt cyberattacks without damaging other computers
- retrieve and destroy stolen files
- monitor the behavior of an attacker
- utilize beaconing technology
Cybersecurity is a challenging issue for those who don’t have the luxury of spending every waking minute keeping up with the latest exploits, vulnerabilities and innovations. It is not a partisan issue, but an opportunity for us to show a united front against criminals and nation states determined to steal state secrets, personally identifiable information and intellectual property.
The ACDC’s “authorized … to leave their network” provision raises a host of technical and international relations issues, which I respectfully encourage legislators to consider as they move forward with any similar legislative efforts. Attribution, for instance, is one of the greatest challenges in any investigation; there’s a reason most threat researchers preface their analysis with “likely.” Proper attribution requires more than an IP address: hackers use a number of spoofing tools and techniques to impersonate other machines. Despite these hurdles, it’s important to know that attribution can be investigated without any need for hacking back.
Unfortunately, that’s not the case for the remainder of ACDC’s approved “defensive measures” list.
Disruption, retrieval and destruction, monitoring and beaconing are akin to the Department of Defense’s “5 Ds.” The 5 Ds (deceive, degrade, deny, disrupt, destroy) refer to offensive cyber operations against enemy networks. Activities such as these often require a persistent presence on host computers or network packet sniffing. The latter sounds innocuous, but make no mistake: it’s the physical equivalent of reading individual pages of someone’s personal snail mail correspondence.
Internet-based industrial espionage relies on network persistence to obtain intellectual property from competitors. Could U.S. companies be accused of industrial espionage when conducting these offensive operations? Would unscrupulous companies use this legislation as a cover to conduct industrial espionage?
Ultimately, this legislation gives computer network defenders permission to conduct offensive operations. Once a “defender” goes on the offensive, it opens Pandora’s box. What happens when defenders go on the offensive and pursue non-U.S. companies? What if a foreign government attributes the offensive computer network effort to the U.S. government? How would the Department of Commerce or the Department of State handle such incursions? Countries will not respond well to attacks against their infrastructure, particularly if no “cease and desist” notification was provided in advance via legal or diplomatic channels.
I’m the first to stand up and applaud congressional efforts to bolster our nation’s cybersecurity. I agree that the CFAA must be updated to reflect modern technology. However, well-intentioned legislation often underestimates the complexities of international cyber operations. Legislation should focus on the fundamentals of improving government and the private sector’s security posture by promoting workforce training, supply chain transparency, and the “defense in depth” security model.
Our legislative efforts, like the ACDC, should not be about enforcing needless and cumbersome standards upon industry, but rather about making a criminal’s job infinitely more difficult. However, without a nudge from the government to do so, many companies are not willing to make the strategic investments in talent and technology needed to secure their infrastructure. We must make government and private sector networks a harder target by ensuring foundational security practices are met. Until this happens, we’ll continue to fall victim to hackers and intelligence services alike.
Rosa L. Smothers is the Senior Vice President of Cyber Operations at KnowBe4. She served in the Central Intelligence Agency for over a decade as a Technical Intelligence Officer and Cyber Threat Analyst/Targeter. Prior to that, she was a Cyber Threat Analyst at the Defense Intelligence Agency. You can find her on LinkedIn and Twitter @RosaLSmothers.