Should the U.S. Government Fight Back When Businesses Are Cyberattacked?
By Robert K. Knake and Richard A. Clarke
The attacks started out small. The first wave, at the end of 2011, was just probing and planning, stress-testing the capabilities of the world’s largest financial institutions. Over the next nine months, the attacks would occur only sporadically, a day here and there, but in September 2012 the frequency and severity of the distributed denial-of-service (DDoS) attacks went up. The websites of U.S. banks such as JPMorgan and Bank of America were flooded with traffic on an unprecedented scale, and, oddly, at predictable intervals, Tuesday through Thursday from 10:00 a.m. to 2:00 p.m., Eastern Standard Time, as if someone were trying to send a message.
Media outlets, with the help of unnamed officials in the Obama administration, quickly pointed to Iran as the culprit, believing the attacks were a response to the Stuxnet malware that had disrupted Iran’s nuclear enrichment program several years earlier. Phones began to ring throughout the White House West Wing. At every level from CEO down to chief information security officers, the banks wanted the government to do something to stop the attacks.
The Obama administration selected a limited response. Rather than escalate tensions with Iran by striking back in cyberspace or sending a carrier group through the Strait of Hormuz, the administration chose to treat the attacks like any other mildly disruptive internet activity. The Department of Homeland Security coordinated remediation, sending information on the attacking IP addresses to ISPs and hosting providers so they could notify the owners of infected accounts to get them to delete the malware and slow the attacks. The State Department issued démarches to foreign governments to request their assistance in shutting down the attacks. No proverbial missiles were fired in cyberspace. The banks were not happy.
Not liking the response they got, the banks took their case to the Wall Street Journal. “We’d like them to act,” declared one unnamed bank official. But act how? What this and other unnamed bank officials wanted the government to do was to either “block the attacks” or “take down the network of computers mounting them.” As simple as these options sound, for both technical and legal reasons, the U.S. government did neither.
While the DDoS attacks against the banks were allegedly carried out by Iran, the malicious traffic did not stream out of servers located in Tabriz, Isfahan, and Tehran, which would have allowed for both easy attribution and blocking at national borders. Instead, the attackers commandeered computers all over the world, most of them in the United States.
In order to “block” this traffic, the U.S. government would have had to be sitting in between the attacking computers and the target computers. While blocking the attacks sounds appealing, the reality is that the United States has open borders in cyberspace. No agency of the federal government sits at the internet exchange points, where the undersea cables come up onto land, to inspect each packet of internet traffic. Without such a capability, the U.S. government is simply not positioned to block malicious traffic to protect banks or any other companies.
Nor should we want such a system to be built. While China has a Great Firewall, a vast system of traffic inspection and interception deployed at the borders of China’s internet and throughout the country, calling the system a firewall suggests, erroneously, that it has value for cybersecurity when it is, in fact, a tool for censorship and surveillance. Similarly, a Great Firewall of the United States would be an ineffective tool for cybersecurity, but a very useful tool for domestic spying and censorship, something we as Americans should be concerned about giving to our government.
Taking down the botnet through more aggressive means was also not practical. Directing the U.S. military to knock the attacking computers off the network would have meant launching a military operation against targets both in third-party countries such as Germany, Canada, and France, and in the United States. It is difficult to fathom the implications of the U.S. government taking such an action (there are still likely lawyers in the bowels of the Eisenhower Executive Office Building sorting through this). Foreign governments could reasonably label the activity as an act of war. American companies and individuals would rightly view it as an unreasonable invasion of their privacy without due process.
The attacks continued until May 2013. While CEOs continued to demand that the government make the problem go away, many of their chief information security officers quietly thanked their friends in government for not doing anything. The attacks got them the money they needed to make security investments that were long overdue. In that year’s filings with the Securities and Exchange Commission, not one of the banks listed the attacks as having a material impact on their business, despite having previously called for the United States to treat them as acts of war.
Many CEOs remain unconvinced. Keith Alexander of the venture-backed cybersecurity start-up IronNet is unequivocal in his belief that private companies protecting themselves from nation-state threats is not working. “I flipped through this before you arrived,” he told us, dropping a pocket copy of the Constitution on the table. “It still says that the purpose of the Union is to provide for the common defense. There is no parenthetical that says ‘except in cyberspace.’”
Alexander has been making the case that we should no more expect U.S. companies to defend themselves from Russian cyberattacks than we should from Russian nuclear bombers. Writing in the Financial Times with Jamil Jaffer, he notes: “In no other context do we rely on private-sector actors to defend themselves against national-level threats. After all,” he continues, “we don’t expect Walmart or Tesco to put surface-to-air missiles on top of their warehouses to defend against Russian bombers. Yet when it comes to cyberattacks, we demand exactly that from JPMorgan and Barclays.”
It’s a compelling but somewhat flawed argument. Cyberattacks, as disruptive as they are, are not Russian bombers carrying nuclear warheads. Cyberspace is also an altogether different domain from the air through which nuclear bombs fall and missiles fly. Moreover, distinguishing between criminal attackers and foreign nation-state groups is becoming increasingly difficult, as some criminal groups are every bit as sophisticated as the best nation-state groups today and are often hired by foreign governments.
If the U.S. government had chosen a more aggressive response to the 2011–2013 attacks, the ramifications could have been far-reaching. A tit-for-tat escalation with Iran would likely have prevented the nuclear deal achieved two years later. On cybersecurity, a stronger response would have settled the question of who is responsible for protecting the private sector in cyberspace in favor of making it a government responsibility. That determination would have had far-reaching consequences for the future of the internet.
Current law prohibits private-sector companies from retaliating in these situations, and rightly so — private companies escalating in the cyber arena create the likelihood that they will start a war that the United States military will need to finish. But recognizing that companies have a legitimate gripe, Congress has tried to craft a law. A proposed law, the Active Cyber Defense Certainty Act, is, in fact, quite sensible, to the point that it makes such operations totally unworkable. Under the proposed act, companies wouldn’t be allowed to do anything destructive or retaliatory, but they could “hack back” to establish attribution and find out what was taken. Before a company went off its own network, it would need to notify the FBI’s National Cyber Investigative Joint Task Force. The company would have to share what type of breach occurred, who the company would combat with its active defense measure, how it is preserving evidence for further investigation, and what steps it is taking to minimize harm to third parties. All that would give it a “defense” against charges of violating the Computer Fraud and Abuse Act, but not immunity from it.
In the circumstances where intelligence collection or tactical or retaliatory action is called for, it is likely a better idea for companies to rapidly pass off information on the incident to government and to have government take those actions when it is in the national security interest. There are limits to the value of offense and dangers in over-relying on it.
Michael Sulmeyer, a senior cybersecurity policy official at the Pentagon in the Obama era, has a neat way of summing up the problem with looking to offense as the solution to the cybersecurity dilemma. “We all know the old saying ‘Those who live in glass houses shouldn’t throw stones.’ Well,” he says, “let’s just assume that in cyberspace the U.S. government has the best stones, the sharpest, the shiniest stones, really great stones. But let’s also recognize that we live in the glassiest house. So sharpest stones, glassiest house. Will we really care that we can send our super-sharp, awesome stones through somebody else’s window when they can throw a cinder block through our glass house?” Usually, that ended the desire of anyone in the audience to argue that hitting back in cyberspace should be a major part of the solution.
All national security decisions are about making trade-offs, nowhere more so than in cybersecurity, where every policy choice has the potential to impact our economic prosperity and our most cherished values of freedom of speech, freedom of expression, and the right to be free from unwarranted search and seizure.
Making the private sector bear the costs of absorbing these attacks is, at first blush, an unappealing prospect to most CEOs. After all, as General Alexander points out, the first responsibility of the federal government is to provide for the common defense. Yet every time policy makers unpack how government could take on this responsibility, private-sector enthusiasm quickly begins to fade because of the unintended consequences of government involvement. On cybersecurity, there are only bad options. Private responsibility for network defense with government support is the least bad one.