Bob Gourley is a member of TheCipherBrief.com’s cyber advisory board. The following provides his context on key cybersecurity policy issues of interest to the technology and business community.
The Cipher Brief: When organizations are targeted with cyber attacks, are they able to respond by hacking back – to either retrieve their stolen data, identify the hacker, or stop a disruptive attack from occurring?
Bob Gourley: That is definitely the realm of law enforcement, the intelligence community, and the Department of Defense – a company ought to think twice before doing it.
The only way any company can handle that is by contacting the government. The constitutional systems of laws we have in place right now make it totally illegal for any company or any individual to do that. It would be a felony, meaning there is prison time involved.
But if the government does it, the law covers it. It is appropriate for nations to take defensive measures like that and there are processes and procedures for it. All three branches of government are involved.
TCB: Can you give us an example of when it would be appropriate for a government to respond by hacking back?
Gourley: There could be hypothetical scenarios where a cyber attack might be the right response – but cyber attacks are an asymmetric kind of attack on the United States, and it is usually in the best interest to use the rule of law and economic and diplomatic measures to try to mitigate them.
For example, let’s say a cyber attack comes from a Chinese government-sponsored entity, and the U.S. decides to attack back by shutting down the power in a Chinese city. But shutting down that power impacts a lot of innocent Chinese civilians – it could potentially impact a hospital or emergency communications. It puts people’s lives at risk. That is not directly symmetric.
Now, let’s say it is totally targeted; we are only targeting that one, attacking entity with a cyber attack. We have to really think through: is it in the nation’s best interest to do it that way? Do we have an option to do it through the rule of law and diplomatic activity?
Whatever you do, if you are doing it against a country that possesses nuclear weapons, you have to be careful – acts like this put you on an “escalation ladder.”
TCB: What about, for example, denial of service attacks targeting U.S. financial institutions? In this instance, wouldn’t hacking back specifically target the adversary’s command and control infrastructure to disable the attack? Why catch the arrow, when you can go after the archer?
Gourley: Let’s say that the arrow is coming from Algeria, where someone set up a big distributed denial of service (DDoS) attack infrastructure where they penetrated four or five internet service providers (ISPs) throughout southern Europe. And let’s say hypothetically all those ISPs started DDoSing the U.S. financial sector. Who do we hack back in that scenario? Do we attack those cities that have the ISPs in southern Europe to “go after the archer?” When you go after the archer, you’re going to be attacking innocents that got hacked by this bad actor (in this scenario from Algeria).
Attacking the archer, in this case, is going to be attacking an unwitting entity. The “archer” is actually being forced to aim their arrow at the U.S. by a malicious person in a totally different country. So, in this scenario, maybe the true attacker lives outside of Algiers in Algeria. You find his house, and conduct a cyber attack against his house. Is that really what you want to do? What kind of targeting would we have to have in order to do that? Would we invest millions of dollars to do that or would we simply use law enforcement and try to get the individual arrested – assuming we could find out who did it?
This is so asymmetric. We need other measures in order to stop DDoS attacks other than just hacking back.
TCB: What about countries that are fairly insulated from other avenues of response, such as North Korea, which is already heavily burdened by sanctions? How do you respond to them?
Gourley: It is really the duty of our national security community to give our president a full range of options.
Some options against North Korea might be a massive attack against computers that would make them inoperable – turn them into bricks. There has been malicious code that has executed attacks like that, such as, for example, against Saudi Aramco in 2012 where over 30,000 computers were ‘bricked.’ Let’s assume that every computer in North Korea is under the control of the regime and is therefore a legitimate target. We develop some malicious code that silently moves among every computer, and then upon order of the president, we turn those into bricks. That is something that should be considered, but it should not be the only thing considered. When that happens, what is the response? Is the response going to be a hundred thousand artillery shells on Seoul within 12 minutes of the attack?
TCB: What role does escalation control play in using cyber capabilities?
Gourley: One thing that has to be thought through when talking about escalation control is how to communicate and signal to the adversary. This was a topic at the very beginning of the Cold War with the Soviet rise to nuclear statehood – in a threatening situation, how do you signal to the adversary? At first, there was no direct hotline, but since, lots of signaling strategies have been developed – we have even thought about how to signal to the adversary after a nuclear war goes hot.
Now, in the cyber world, it is also certainly a concern. How do you signal to an adversary when the very networks you use to communicate with them are under attack? It is absolutely critical not to decimate the communications infrastructure to keep escalation under control.
TCB: Is there a possibility that signaling through cyber capabilities could be misinterpreted?
Gourley: It could certainly be misinterpreted. Going back to the example of attacking all the computers in North Korea, how would that be interpreted? Could it be interpreted that in the next 20 minutes the North Koreans should expect a nuclear strike on their deeply buried assets and therefore they need to begin the invasion of the South as soon as possible? That is the kind of thing that you have to think through before ordering any kind of attack like that – how is the adversary going to respond and react?
And when it is a nuclear power, such as China or Russia, it is especially important to think through these things. If a Russian business network is operating in a kleptocracy, they are under the regime’s control. If those Russian businesses are stealing hundreds of millions of dollars from the U.S., it is easy to say that we should conduct a cyber attack against their business networks. We know where they are and the U.S. can execute that kind of attack. But what kind of escalation does that cause and does that in turn open the U.S. up to attacks from all over the world?
Ultimately, we do need to give our national security decision-makers a full range of options. While hacking back may be the most sexy of options, it is one that we should rarely employ.
What we should do is raise our defenses nationally and no company of any size should think of themselves alone. They have to coordinate with other companies – everybody is sharing cybersecurity information now and that is a good thing. Finally, companies absolutely need to have the right relationship with the Secret Service and the FBI for when they are under attack from someone in another country.