Cybersecurity pros responded with cautious praise Tuesday after national security adviser John Bolton declared the U.S. government will begin punching back against a broader range of misbehavior in cyberspace.
After successfully foiling attempts to disrupt the midterm elections, the Trump administration wants to use similar tactics to prevent economic harm such as intellectual-property theft, Bolton told the audience at a Wall Street Journal event.
“We thought the response in cyberspace against electoral meddling was the highest priority last year, and so that’s what we focused on. But we’re now opening the aperture, broadening the areas we’re prepared to act in,” he said.
The broad goal, Bolton said, is “to say to Russia or anybody else that’s engaged in cyberoperations against us, you will pay a price. If we find that you’re doing this, we will impose costs on you until you get the point that it’s not worth your while to use cyber against us.”
That’s a bold pledge that risks ratcheting up digital conflict with Russia, China and other U.S. adversaries, and it could prompt significant blowback against U.S. companies, cyber experts told me. But, on the other hand, it’s also about the only option left after sanctions, indictments and diplomatic saber-rattling have failed to stop a barrage of cyberattacks, they said.
“He’s saying we’ll use every tool in the arsenal … and those all come with risks,” Bobby Chesney, a former Justice Department official who directs the Center for International and Security Law at the University of Texas at Austin, told me. “I don’t think the experience of the past decade suggests that we had the right balance previously. So improving the availability of cyber [tools] will likely be helpful.”
Experts also warned, however, that the Trump administration should not start hacking adversaries without setting clear boundaries about what will prompt digital retaliation and what won’t.
“Part of the strategy has to be saying, ‘Don’t go above this line, or using these tools will be acceptable,’” Megan Stifel, senior policy counsel at the Global Cyber Alliance nonprofit and a former National Security Council cybersecurity official, told me.
The administration also shouldn’t hack back against adversaries for stealing U.S. companies’ intellectual property unless officials are highly confident about which group is responsible — and sure their response will be narrowly targeted against that guilty party, Stifel said.
Finally, officials should be prepared for instances in which adversaries respond by counterpunching harder, said Geoff Hancock, a principal at the company Advanced Cybersecurity Group told me.
“There’s definitely going to be blowback,” Hancock said. “I foresee a time in the future where we’re going to respond to something and we’re going to get attacked pretty significantly by a foreign actor and it’s going to be a big issue, ‘How did America let this happen?’ We need to gird our loins for that.”
The Trump administration’s tough language on hacking back stands in contrast to the Obama administration, which was generally fearful of getting into a tit-for-tat cyber conflict with Russia or China. One main fear was that U.S. companies could be more vulnerable in a major hacking contest because they rely more heavily on the Internet than companies in other nations do.
Bolton made a show of declaring last year, when the administration reversed Obama-era restrictions on offensive hacking by the military, that: “Our hands are not tied as they were in the Obama administration.”
Experts have noted, however, that what’s publicly known about the Trump administration’s offensive hacking operations doesn’t seem especially reckless.
Indeed, the only known operation occurred two months after those Bolton comments when U.S. Cyber Command teams shut off the Internet at the notorious Russian troll farm the Internet Research Agency during the 2018 midterm elections. The goal was to disable any attempt at repeating the IRA’s 2016 barrage of phony social media posts focused on sowing discord among Americans and undermining Democratic nominee Hillary Clinton.
Bolton described the U.S. military’s offensive hacking operations Tuesday as ultimately aimed at making cyberspace a more peaceful place.
“This is, in the cyber sense, creating a structure of deterrence,” he said. “One way you avoid conflict is to convince your potential adversary that they will lose a lot more than they stand to gain.”
He acknowledged, however, that even if U.S. adversaries reduce their cyberattack operations, both sides will likely keep hacking each other for the foreseeable future.
“It’s not a game that ever ends,” he said.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED, PATCHED, PWNED
PINGED: Sens. Ron Wyden (D-Ore.) and Amy Klobuchar (D-Minn.) pressed the FBI in a letter sent Tuesday morning for more information about an election software company that alerted the bureau about suspicious activity on its networks before the 2016 election.
Electronic poll books supplied by that company malfunctioned on Election Day in Durham, N.C., causing long wait times and raising the specter of Russian hacking — which the Department of Homeland Security is now investigating. Wyden and Klobuchar want to know whether FBI officials investigated the company’s hacking concerns before the 2016 contest, whether they’ve examined the Durham poll books since the election and what they’re doing to ensure election officials report similar hacking concerns before the 2020 election.
The senators are also requesting any information shared between the FBI and FireEye, the cybersecurity firm VR Systems hired 10 months after the initial breach. Wyden formerly criticized VR Systems for waiting so long to investigate the breach, telling Politico it “may have been long after evidence of hacking had disappeared.”
PATCHED: Lawmakers seem unlikely to extend a deadline for government contractors and grant recipients to scrub their systems of Huawei technology after Senate Minority Leader Chuck Schumer (D-N.Y.) bashed the request from the White House budget office in a floor speech Tuesday.
Congress passed that ban last year amid fears the Chinese telecom would spy on or sabotage U.S. government systems and “a delay in instituting the ban…would only extend a window of opportunity for what is already a dire threat to our national security, “ Schumer said.
Acting White House Office of Management and Budget Director Russel T. Vought said this week that implementing the ban in 2020 as planned would place too great a burden on government contractors and on rural grant recipients who rely more heavily on Huawei.
PWNED: A top official in the United Arab Emirates is denying his nation hacks dissidents and journalist — even after a Reuters investigation revealed a vast hacking operation that relied partly on former U.S. government cyber pros, Motherboard’s Ben Makuch reported.
The official, Minister of State Anwar Gargash, also told reporters during the Globsec diplomatic conference he doesn’t know how much the nation spends on digital weapons, Makuch reported.
“Gargash was evasive when asked whether the country still works with DarkMatter,” the Abu Dhabi-based company that allegedly connected the American hackers with the UAE, according to Motherboard.
“The latest denial from Gargash comes on the heels of one of U.A.E.’s key regional allies — Saudi Arabia — allegedly using Israeli-made NSO Group spyware to surveil its dissidents,” Makuch reported.
Using a Domain Name System firewall — a computer tool that checks websites to make sure they’re not malicious — could prevent, or at least mitigate, about one-third of data breaches, according to a Global Cyber Alliance study released Tuesday.
Universal use of DNS firewalls could also prevent about one-third of the financial losses from global data breaches, the report’s authors found — making it easily one of the most cost-effective digital protections. That would amount to roughly $200 billion saved annually accodding to a 2017 estimate from the Center for Strategic adn International Studies think tank and McAfee.
More cybersecurity news from the public sector:
Majority Leader Mitch McConnell (R-Ky.) on Tuesday said that the Senate will have an election security briefing in the wake of special counsel Robert Mueller’s report on Russian interference in the 2016 election.
Cybersecurity news from the private sector:
THE NEW WILD WEST
Cybersecurity news from abroad:
- The House Intelligence Committee on Thursday hosts a hearing on the “National Security Challenges of Artificial Intelligence, Manipulated Media, and Deepfakes.”