The day of reckoning is here. President Obama vowed to strike back against Russia after the DNC hacks. The attack window was set between Election Day and Inauguration Day. And since Trump won, Obama cannot defer it to the next administration. Any counter-strike must happen now or never. Assuming a CIA covert operation (as NBC reported) it may have already begun.
Yesterday CIA officials briefed Congressional leaders on the DNC breach, offering credible evidence it was carried out by Kremlin spy agencies hoping to tilt the US election to Donald Trump. The White House hopes the briefing will build bipartisan Congressional support for a cyber counter-strike.
While CIA was on Capitol Hill, an Obama homeland security advisor told reporters over breakfast “it is incumbent upon us to … conduct some after-action”. Vice-President Joe Biden told a national TV audience, “We’re sending a message. We have the capacity to do it. He [Putin] will know it. And it will be at the time of our choosing. And under the circumstances that have the greatest impact.” A Putin aide answered, “Obviously we will respond, especially since they are mentioning specific representatives of the Russian leadership.”
Cyber sabers are rattling in Washington and Moscow.
This raises the thorny issue of Active Cyber Defense (ACD) or “hack back”. Governments are allowed to hack back militarily. In fact, DARPA has an openly acknowledged ACD research program. In this case, even if kept secret from the public, a counter-strike would send a loud message to Russian leaders: America will defend herself.
The American private sector, on the other hand, isn’t allowed to defend itself, and can suffer collateral damage when nations battle in cyberspace. ACD is generally considered off-limits to a US private entity. Companies fight off cyber-attacks with both hands tied behind their backs. Some conduct benign defensive operations, such as eavesdropping on adversary chat rooms, hiding beacons in stolen documents, sink holing malicious botnet traffic, or deploying honeypots to divert attacks. But even these innocuous activities may violate current law.
Private companies get caught in the crossfire when countries engage in cyber warfare. For example, the denial-of-service attacks (DDoS) directed at US banks was widely attributed to the Iranian government, exacting revenge for the Stuxnet attack tied to the US and Israel. And the breach of Sony Pictures was attributed to North Korea, angry the US allowed Sony to release “The Interview”. The US military hit back in that case, but Sony could not.
Of the four levels of ACD, only the first is considered clearly legal for US private companies:
on-site threat intel collection
remote threat intel collection
attacker surveillance
counterattack
At level 1 a company analyzes its logs forensically to understand an attack, taking no further action other than tightening its defenses. At the other extreme, level 4 can damage someone else’s systems (potentially the wrong systems if an attack is misattributed) so it’s understandable level 4 would be illegal in most cases. Level 4 operations must be carried out in partnership with law enforcement, like when Microsoft helped the FBI take down botnets.
Levels 2 and 3 are a gray area. Many legal experts consider them potential Computer Fraud and Abuse Act (CFAA) violations so most US companies avoid them. Since there’s a lack of case law, caution is prudent. We need a CFAA amendment to turn those gray areas black or white. For example, a safe harbor in cases where a victim can demonstrate that attacker tracking or beaconing is the only way to defend itself from additional attacks. Of course, US law applies only in the US, and attackers (or the computers they control) are often overseas.
You can shoot a burglar in your house, but as a general rule you can’t follow the burglar back to his house and shoot him there. Are the rules in cyberspace different? Some attorneys have suggested that a company acting in self-defense outside its own cyber borders would “not likely be prosecuted under the CFAA, depending on the exigency of the circumstances.” Former DHS assistant secretary Stewart Baker argued CFAA has implicit self-defense loopholes.
A thoughtful legal analysis by Sean Harrington concludes any such legal loopholes may be wishful thinking. He urges security practitioners to adhere to a risk-based approach while avoiding “types of active defense where misattribution is possible”.
For now, our hands are tied behind our backs. Another round of cyber-attacks between the US and Russia could break out any day now. Guess who gets caught in the crossfire?
UPDATE 12/29/16: FBI and DHS (NCCIC) released a joint report today attributing the DNC hacks to Russian intelligence agencies. The report lacks details, but the fact FBI and DHS publicly agree with CIA is significant. Obama’s actions announced today seem justified & proportional, and strongly hint at a covert cyber-strike in addition to the publicly announced actions.
UPDATE 1/5/17: In a PBS interview tonight, Vice President Joe Biden confirmed a covert action was carried out against Russia. He did not offer details.
UPDATE 6/23/17: In a Washington Post article today, former senior Obama officials stated that the Russia counter-strike only got as far as implanting cyber munitions in key Russian networks. Actual "detonation" was left for the Trump administration to carry out if it so chooses.
UPDATE 10/13/17: The Active Cyber Defense Certainty Act (ACDC) was introduced in Congress. It would give individuals and companies the legal authority to leave their network to 1) establish attribution of an attack, 2) disrupt cyberattacks without damaging others’ computers, 3) retrieve and destroy stolen files, 4) monitor the behavior of an attacker, and 5) utilize beaconing technology.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.