The U.S. government should do more to help the private sector, as well as state and local governments, protect themselves from cyber attacks, and should even hack back against the perpetrators of these attacks, two cyber security experts told a House panel on Tuesday.
"I'm all in favor of Cyber Command taking a more active role in defense of private industry and state and local government," Robert Knake, senior research scientist at Northeastern University's Global Research Institute, told a House Homeland Security Committee panel. "I think that the idea of other entities than Cyber Command carrying out that offensive operation is scary and can put us into situations that we don't want to be in, but I do think if we had the kind of capability where, for instance, a critical infrastructure company that was involved in a threat from an overseas actor was able to communicate that in real-time, high assurance, with trust among the parties over classified network, and then Cyber Command could essentially be tipped off to that activity and target to shut it down."
The key to the success of this model for combating cyber attacks from various actors is "tighter collaboration" between the U.S. government and private sector, said Knake, who co-authored the book Cyber War 10 years ago with former White House adviser Richard Clarke. He said private companies should not be the ones hacking back.
Knake responded to a question from Rep. Van Taylor (R-Texas), a member of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, who asked about offensive operations against "cyber predators" conducting a range of potential attacks such as ransomware and denial of service. He described it as "thorny legal ground."
Niloofar Razi Howe, senior fellow for the Cybersecurity Initiative at the think tank New America, agreed with Knake, pointing out that Cyber Command has already done this, highlighting the stand-up and successful outcome of the Russia Small Group protecting the 2018 mid-term congressional elections.
"I often tell my children I have escalation dominance so they should never take me on," Howe said in reply to Taylor's question. "I think when it comes to offensive cyber operations you have to make sure you have escalation dominance, which means it's only the purview of the U.S. government to conduct offensive cyber activity."
In her written testimony, Howe said the U.S. needs a "bold new cyber agenda" that includes faster and more transparent collaboration between different stakeholders in the private and public sectors.
"The U.S. government must remove any barriers that prevent government agencies that have threat and adversary information from sharing that information real-time and with context with the entities that are most effective," she wrote. "Sustained and real-time cooperation and collaboration between all relevant government agencies and the private sector is the only way to rebuild trust and have a real impact on our adversaries."
Howe said various components of the federal government have "unique capabilities to help the private sector" and must work more collaboratively to "change the landscape of cybersecurity for the country."
One expert offered a more cautious approach to the panel.
Ken Durbin, a senior strategist for Global Government Affairs and Cybersecurity with the information security company Symantec Corp. [SYMC], said that without the ability to attribute a cyber-attack, it is difficult to know which group or entity to target with offensive cyber means. These attacks can be masked, he said.
Durbin also said there is the risk of escalation in a hack back, and highlighted that cyber weapons are software that "can be re-engineered and used against us."
Durbin suggested having deterrent capabilities to prevent cyber-attacks.
Howe said the U.S. government needs policies to buttress offensive cyber operations, noting that this would be part of cyber deterrence policy. She also said the U.S. government is the "best in the world" at attributing cyber-attacks, adding its capabilities are "fantastic" and "we haven't gotten it wrong."