Companies should not be allowed to fight back against hackers, cybersecurity specialists and former government officials warned, after senators last week introduced legislation raising the idea of such counterattacks.
The job of targeting hackers should be left to the government authorities that are best equipped to carry it out, the cyber experts said.
Senators Steve Daines (R., Mont.) and Sheldon Whitehouse (D., R.I.) introduced a bill on June 30 that would require the U.S. Department of Homeland Security to study the risks and benefits of allowing companies to take action against hackers in the event of an attack.
The bill came after two major ransomware attacks in May on critical infrastructure operators: Colonial Pipeline Co., which forced the six-day shutdown of the East Coast’s largest fuel artery, and meat processor JBS SA, which shut down some U.S. beef and pork processing.
“The Colonial Pipeline ransomware attack shows why we should explore a regulated process for companies to respond when they are targeted,” Whitehouse said in a statement. Aides to Senators Whitehouse and Daines declined to make them available for interviews.
Former Defense Department officials said that allowing companies to “hack back,” as it is known in cybersecurity circles, is a flawed and even dangerous proposition.
“A lot could go wrong and very few things can go right,” said Anup Ghosh, a former program director at the Defense Advanced Research Projects Agency, or Darpa, part of the Department of Defense.
Ghosh, now CEO of cybersecurity firm Fidelis Cybersecurity Inc., said that for a company, even deciding whom to strike back against is fraught with risk, given the difficulty of attributing attacks to individuals, gangs or nation-states. Bringing the private sector into the field of cyber warfare also has national security implications, he said, such as disrupting intelligence operations that companies may not be aware of.
Former U.K. cybersecurity official Ciaran Martin framed his opposition to hack-back proposals more directly at an event Tuesday at the Royal United Services Institute, a British defense and security think tank.
“Hacking back is a crazy idea,” said Martin, who until August 2020 headed the U.K.’s National Cyber Security Centre, part of the country’s digital spy agency, the Government Communications Headquarters.
Under U.S. law, only the federal government can take offensive cybersecurity measures, through law enforcement and the military. In January, the Justice Department worked with international partners to disrupt the computer networks used to launch a prolific series of attacks using malware known as Emotet.
Studying whether companies could replicate such operations is not in itself a bad idea, said Maurice Turner, a cybersecurity fellow at the Alliance for Securing Democracy, part of the German Marshall Fund of the United States, a think tank. But he warned that companies could find themselves drawn into geopolitical conflict.
Incomplete or inaccurate information could also cause collateral damage to other companies, said Jacob Williams, a former Department of Defense cyber analyst who is now chief technology officer of incident response firm BreachQuest Inc. Hackers often mask their presence by launching attacks through legitimate servers, which could be vital to the operations of other companies, he said.
“While law enforcement can easily see a server being shared by executing a subpoena, offensive security teams don’t have that tool available,” he said. “Even assuming a private hosting server, should private organizations be allowed to re-compromise the victim in the name of security?”
Such nuances highlight how the government and the private sector must maintain clear dividing lines on cybersecurity, particularly when it comes to cyberwarfare, said Hitesh Sheth, chief executive of cybersecurity firm Vectra AI Inc.
“No recent development inspires me to rethink that balance,” he said.
—Catherine Stupp contributed to this article.
Write to James Rundle at [email protected]
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.