At a glance.
- Hacking back? Not, perhaps, as easy as it sounds.
- Comment on pipeline cybersecurity regulation.
- Observations on the current state and direction of US cybersecurity policy.
Hack-back legislation raises questions.
The Study on Cyber-Attack Response Options Act up for consideration in the US Senate, Breaking Defense reports, would direct the Secretary of Homeland Security to examine the pros and cons of permitting industry to even the score against cyberattackers, under proper oversight. The Secretary would outline the bounds of the program, including the authorizing agency, participating parties, allowable actions, appropriate precautions, and attribution standards.
While a number of private firms possess some technical capacity to conduct hack-backs, and have historically helped Government agencies fight cybercrime, critics worry about the potential for collateral harms, errors, and escalation, and the imbalance between a company’s cyber team and say, the SVR. Other problems could result from threat actors’ propensity to stage attacks from domestic infrastructure, and from the trickiness of norms surrounding proportionality and attribution.
Pipeline regulations: too little, too late?
Pipeline Technology says the Department of Homeland Security is “at last” addressing pipeline security, following “the most disruptive cyberattack on record,” May’s Colonial Pipeline hack. The standards come “two decades late,” Slate adds, after having been rejected over twenty years ago under President Clinton. The Biden Administration, however, has signaled its readiness to dole out mandatory guidelines to sectors that fail to secure themselves. How vigorously the Administration will enforce these guidelines is another question.
There are also lessons for industry here. Ric Longenecker, Chief Information Security Officer at Open Systems, thinks it's time for infrastructure companies find a partner to help upgrade their security:
“It’s no surprise that new government legislation is being proposed given the severity of recent high-profile cyberattacks and their real -- and potential -- impacts on our daily lives. Recent guidance from the Department of Homeland Security and other agencies shows that we’re moving rapidly in this direction. This bill, like any new piece of legislation, will get off to a rocky start and take time to work its way through Congress. However, this signals that it’s a good time for companies to find a cybersecurity partner and work through this together.”
Comments on the direction of US cyber policy.
Dark Reading reviews the Biden Administration’s response to the rising ransomware threat, which has encompassed diplomatic maneuvers, an interagency task force, a new Justice Department mandate, and renewed attention to the supply chain.
SDxCentral amplifies private sector calls for a more robust reply to Chinese hacking. VMware’s Tom Kellermann says CyberCom should “take the gloves off and proportionately disrupt and degrade” attackers’ infrastructure, while simultaneously targeting hackers’ WePay and AliPay assets and Singapore travel habits. Tenable’s Amit Yoran draws further attention to alternative measures like “indictments, prosecution, freezing of assets, sanctions, [and] trade policies.” The Information Technology and Innovation Foundation’s Daniel Castro also thinks allied forces “should escalate their response,” and IronNet’s Jamil Jaffer agrees that “much more aggressive sanctions” are needed—economic fallout be darned.
The Denver Gazette reports similar sentiment in Washington think tanks. Silverado Policy Accelerator’s Dmitri Alperovitch points out the greater severity of Beijing’s cyber affronts relative to Moscow’s on “every conceivable technical standard,” arguing for stronger penalties for “the sake of both strategic and normative consistency.” The Foundation for the Defense of Democracies’ Craig Singleton thinks President Biden should consider exercising a President Obama Executive Order authorizing sanctions on corporate espionage beneficiaries. Press Secretary Psaki said the Administration isn’t trying to project weakness, and won’t hold off on additional actions for economic reasons.
The Times of Israel recounts US Cybersecurity and Infrastructure Security Agency Executive Director Brandon Wales’ view that the West has “a lot more work to do” in terms of yoking together public, private, and international cyber capacities towards a common vision against an increasingly harsh threat landscape. Jerusalem’s “global network shield” represents one possible path forward.