WASHINGTON: Cyber bounty hunters waging “active defense” of critical infrastructure (CI) is only one of a number of explosive ideas in a new Atlantic Council study by two former DoD officials.
Because the US government does not have enough capacity to defend the nation’s networks — despite recent efforts to beef up the authorities and capabilities of the military’s Cyber Command — the study proposes the deputization of private sector “actors” (read: hackers) as “certified active defenders.” These would be “private-sector entities with high cyber capabilities who will work under government direction and control,” the study explains.
A loose analogy is privateers in the age of sail: “The Constitution provides for ‘letters of marque,’ and certified active defenders … would be a modern version,” the study says, except with a “focus on defense and resilience” and, unlike privateers, under government control.
The concept is only one among many contained in the new report by Frank Kramer, assistant secretary for international security affairs in the Clinton administration, and Bob Butler, deputy assistant secretary for space and cyber under Obama. The authors are advocating for a new framework for US cybersecurity based heavily on DoD’s 2018 Cyber Strategy — only expanded to include the Department of Homeland Security (DHS), the Treasury, the FBI, the Intelligence Community and the State Department. That includes bringing the “defend forward” and “attack support” concepts to the protection of civil CI in certain key sectors. This more aggressive US government-led approach is needed, they argue, because the main threat to CI today is adversary nation-states, not criminals — a threat the private sector cannot be expected to defend against on its own.
The proposed framework, laid out in “Cybersecurity: Changing the Model,” would create a National Cybersecurity Fusion Center to “organize multiagency programmatic and operational aspects of support to key critical infrastructure.” Kramer and Butler single out eight “critical infrastructure and key resources” that they believe require stronger government intervention to protect and should be the focus of the center’s activities: “energy, especially the electric grid, and oil and gas pipelines; finance; telecommunications; transportation, particularly air, rail and maritime; and water and wastewater treatment.” If disrupted, these functions “could have significant cascading effects on the economy,” the study explains.
The new Fusion Center, which might be virtual rather than “bricks and mortar,” Kramer told me, would have the power to mandate that certain critical infrastructure sectors use specific “highly effective cyber technologies and techniques.”
It would also be the body licensing “certified active defenders,” i.e. “private-sector entities with high cyber capabilities who will work under government direction and control.”
Needless to say, the study has raised eyebrows among experts with experience in cyber defense at US agencies and in academe.
One former DoD cyber official exclaimed: “Bounty hunters to bring back proof and get a prize!? This is like extending the Second Amendment for ‘certified acting defenders’ to act on private networks. Where is the legal authority?”
Another former US government cybersecurity expert said that approving intrusions on foreign networks by private actors was dangerous, even if they didn’t actually “break anything” while they were there. “With the ‘defending forward’ strategy, DoD means you hack your way into (adversary) networks and simply investigate, but you are physically there so you can do something when there is a trigger. This is still intruding in their network. Allowing private actors to do this could create serious instability between countries,” this expert said, especially if the network being penetrated was actually one owned by a US ally that had unfortunately been compromised by a potential adversary like Russia or China.
For their part, Kramer and Butler stress that they are not talking about giving these deputized “defenders” offensive powers — “we are not advocating the right to hack back,” Kramer explained — but rather having them take on “active defense.” They also acknowledge that there is a fine line between active defense and offense, and note that the key would be government control via authorities that would have to be provided by Congress.
Indeed, Kramer and Butler acknowledge that many pieces of their proposal, which they explain uses a “nested approach” to challenges at the private sector, state and local, national and international levels, will require changes to a number of legal authorities and direct action by Congress. In fact, the report has an entire section outlining what Congress should do. “This is a framework document, not an operational one,” said Kramer. “We want to open a dialogue.”
Charles Harry, Director of Operations at the University of Maryland’s Maryland Global Initiative in Cybersecurity (MaGIC), who spent 14 years at the National Security Agency, said that while “what they’re proposing is one option, my personal feeling is that we are not going to be safer by going more on the offense. Instead, the real issue is resiliency. The key is figuring out how we can better understand systemic and organizational risk in order to better devote resources to CI, and minimize impacts so that any system is back up in a half hour or 45 minutes.”
Finally, one has to wonder how such an aggressive approach would fit with current US cyber policy and strategy writ large — given that the Trump administration has put a strong emphasis on working with allies to establish cyber norms of behavior. Indeed, even if only confined to DoD actions, the “defend forward” strategy conflicts with a cooperative normative approach, as it would see DoD undertaking exactly the kind of cyber probing that the US has chided Russia and China for. That inherent conflict, one expert said, is something the Trump administration doesn’t seem to have yet internalized.