Caveat 7.28.21
Ep 87 | 7.28.21

Hacking back from a policy perspective: a bad idea.


Anup Ghosh: We need to establish norms and red lines that should you cross this line, there will be reaction. And the reaction will cause pain.

Dave Bittner: Hello, everyone, and welcome to Caveat, the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben digs into the NSO Group Pegasus Spyware controversy, I look at a Catholic priest being outed through de-anonymized mobile device data - and later in the show, my conversation with Anup Ghosh. He's CEO of Fidelis Cybersecurity. We're going to be discussing his views on the private sector hacking back. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben. Boy, we got a lot of big (laughter) stories this week. 

Ben Yelin: Yes, we do. 

Dave Bittner: So let's jump right into it. Why don't you start things off for us? 

Ben Yelin: So I'm going to start with the big one. And ever since this was released - we actually have some Caveat fans out there who have contacted me via social media saying, you got to talk about this. 

Dave Bittner: (Laughter). 

Ben Yelin: So we are fulfilling their wishes. So a big story came out this week from a bunch of news sources. I'm using an article from The New York Times written by Ronen Bergman and Patrick Kingsley. (Reading) Israeli spyware maker is in spotlight amid reports of widespread abuses. So data that was leaked to a bunch of different news organizations through a consortium suggests that a bunch of different countries, including some very repressive governments around the world, are using Pegasus. That is a cyberespionage tool developed by NSO, which is an Israeli cybersecurity, cybersurveillance company.

Ben Yelin: And so there are some major downstream effects of this story. First and foremost, we now know that this spyware has been used on journalists from countries as diverse as Azerbaijan, France, Hungary, India and Morocco. So all different levels of - countries of all - at all different levels of development have experienced the use of this cybersurveillance tool. And it's been used for very, I think, dangerous purposes - tracking journalists, trying to quash dissent in totalitarian countries. NSO and the Israeli government have pushed back against this story. NSO itself categorically - excuse me - denies the allegations. And, you know, they've been pretty forceful in denying it, saying that they don't know where this list came up with... 

Dave Bittner: Right. 

Ben Yelin: ...Of all of the contacts that - or all of the devices on which the spyware has been installed. And the Israeli government has said that - they don't really have enough - they haven't had enough time to react to the story, to investigate it, to figure out what the truth is. 

Dave Bittner: Yeah. I mean, NSO says that - you know, that they sell these tools for use to help fight against things like terrorism. But once it's out of their hands, they have no control over how these governments use the tool. 

Ben Yelin: Right. That's what they all say. 

Dave Bittner: (Laughter). 

Ben Yelin: And I completely understand that perspective. I mean, I think there is a place for cyberespionage when we're talking about terrorist surveillance. 

Dave Bittner: Right. 

Ben Yelin: But what this article notes is it's going to have second-order effects on some very important things, like what we consider in the United States to be First Amendment rights - free speech, freedom of association. The concern here is that because this technology is so good, because Pegasus the system is so successful, it's going to have a chilling effect on First Amendment protected activities - so journalists' communications with sources, activists' communications with one another. We might get into an area where because people know that this technology is so powerful and that it can break even the most stringent encryption systems, that it might be dangerous to engage in these communications. And that can be unduly repressive. 

Ben Yelin: And this isn't just happening in the Saudi Arabias of the world. It's happening in Western democracies as well. So I think that's where you have the area of concern. The other angle that I think is interesting is the iPhone angle. So iPhone, you know, with the - obviously with the support of Apple, they - the makers of iPhone have claimed that they have the most stringent security features on the market. That's how they advertise themselves. 

Dave Bittner: Right, right. It's - they lead with privacy - as in a lot of their advertising campaigns. 

Ben Yelin: Absolutely. Basically, you know, we are the industry leaders in privacy. You can feel safe that even the most nefarious actors aren't going to break into these devices. What we now found out, and as part of this Pegasus leak - and this comes from The Washington Post - that 23 separate Apple devices were successfully hacked as part of Pegasus. And that exposes significant flaws in iPhone security. And where this has a political impact and, you know, where this has an impact on people's associational rights, free speech rights is people are running out of places to communicate privately. And the ability to communicate privately is very important to sustaining a democratic system of government, of holding powerful authoritarian governments in check, et cetera, et cetera. And so if they are able to breach iPhones, which are constantly being updated with significant new security features and - you know, and if they're able to break into certain encrypted messaging applications, then we know that the reach of this spyware program is much larger than we previously knew. 

Ben Yelin: We also know now - now we have lists of - at least alleged lists of people whose devices have been spied as part of this NSO spyware. And it's prominent individuals. They - we have articles now of prominent activists. We have this example in The Washington Post of an iPhone of the French wife of a political activist jailed in Morocco whose device was breached by the spyware. And, you know, that's obviously going to have a deterrent effect on the ability to free her activist husband, who's jailed in Morocco. So I think this does have dangerous downstream effects. I think that's why the story is spreading so widely. It's why there's a big pushback. I think it's something that we're going to be talking about for a long time. 

Dave Bittner: You know, the U.S. has a list of nations that you're not allowed to do business with - right? - things you're not allowed to export to certain places.

Ben Yelin: Yes - North Korea. 

Dave Bittner: Yeah, exactly. Why does Israel allow this? Why open themselves up to this headache? 

Ben Yelin: So, I mean, there are a number of reasons. And some of them are, you know, potentially could - we could be stepping on a couple of landmines here. I mean, Israel is known for being an industry leader among countries, particularly Western democracies, in developing security technology. 

Dave Bittner: Right. 

Ben Yelin: And that's by necessity because... 

Dave Bittner: Right. 

Ben Yelin: ...They have to be so careful about their own security. 

Dave Bittner: Right - the neighborhood in which they live. 

Ben Yelin: They're surrounded by hostile nations. 

Dave Bittner: Right. 

Ben Yelin: So they have to do a good job. 

Dave Bittner: Yeah. 

Ben Yelin: You know, they are forced to develop this type of advanced technology. And it ends up that, you know, in developing it, they've created a huge asset for their country, their economy and their political economy. I mean, these - the services that they develop are very valuable not just to authoritarian governments but to governments all over the world who want to track things like terrorism, drug trafficking, narcotics, et cetera. 

Ben Yelin: So, you know, I think you can understand why Israel would want to sell this product. I mean, it's a valuable export. And, you know, until this story came out and other stories like it, you didn't have the sort of blowback that you get for the fact this spyware was used for really disturbing purposes. 

Ben Yelin: So you can see why they would want to sell it in the first place. I think, you know, now that both NSO and the Israeli government, Israeli Defense Forces, are being subject to blowback from this article, maybe there might be some sort of change in their posture about how widely they want to sell these products lest they be held responsible, at least in the court of public opinion. And I think that's, you know, a really interesting question. 

Dave Bittner: Yeah, absolutely. You know, again all nations do espionage, but I guess that's - well, is that different from selling this tool? I don't know. I'm of two minds of this. I guess you could hear in my voice that - on the one hand, it is a legitimate tool. Like, you could see it being used to help stop things like terrorism. 

Ben Yelin: For sure. 

Dave Bittner: But if you - but at the same time, if you're selling it to certain regimes, how can you with a straight face say where - it's like that scene from Casablanca. We're shocked, shocked to find that there's gambling in this establishment. 

Ben Yelin: In this institution. Yeah. 

Dave Bittner: Like, if you're selling it to certain regimes, how can you say with a straight face that you expect they're not going to use it for these sorts of things? 

Ben Yelin: Yeah. You know, one thing that's interesting is you have these two extremes. You have the clearly justified use - rooting out terrorism. Then you have the clearly nefarious use, which is cracking down on political dissent, spying on journalists, et cetera. The thing that's kind of interesting to me is you have these middle-of-the-road scenarios where they're using - countries are using Pegasus for not, you know, things that are necessarily morally abhorrent but are just kind of questionable. They talk about how in this New York Times article, Pegasus was deployed in Mexico in 2017 against policymakers and nutrition activists in the country who are pushing for a soda tax in a country that has serious health problems - sort of the original Mike Bloomberg proposal in New York City, where if you tax soda, you can cut down on some public health problems related to obesity. 

Dave Bittner: Right. 

Ben Yelin: You know, is that as disturbing as cracking down on political dissidents and activists? No, but it's also - it doesn't seem to me to be a legitimate use of cyber espionage. 

Dave Bittner: Right. Right. It's like calling up your buddy who's a police officer and asking him to run the plates on a car. Like... 

Ben Yelin: Yeah. You're basically describing the Van Buren case, but yes. 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: Yeah. 

Dave Bittner: Right. Yeah. I mean, it's a misuse of a - the tool is so casually available, right? There aren't guardrails on its use. So the folks who have access to it, if no one's looking over their shoulder and tracking, you know, what is it being used for, it's very easy for them to use it willy-nilly. And then we have a problem.

Ben Yelin: Right. Right. Yeah. Exactly. You know, this wouldn't be as much of a problem if Pegasus wasn't effective. It is effective. That's why countries keep purchasing it and keep using it. 

Dave Bittner: Right. 

Ben Yelin: And they're going to keep purchasing it and keep using it unless there are tangible consequences. Now, you know, this is the first step in getting us to those tangible consequences now that we have this exposé that was sent to a media consortium. I'm wondering if this will inspire any countries in the short term to say, we're not going to purchase, you know, this type of spyware from NSO. We're not going to purchase Pegasus anymore.

Dave Bittner: Yeah. 

Ben Yelin: To my mind, we haven't really seen that yet. I think countries are kind of hoping this will blow over because, you know, why use this - why lose this extremely effective tool if we don't have to? 

Dave Bittner: Right. Right. Just - let's keep it more quiet. That is... 

Ben Yelin: Exactly. Exactly. 

Dave Bittner: Yeah. Yeah. No. Yeah. Boy, interesting - I guess a bit of a bombshell story when this was posted recently. 

Ben Yelin: Yeah. Yeah. It was something that really hit my inbox this weekend, as a lot of people... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Were interested in it and kind of shocked by it. I mean, none other than Edward Snowden himself said on Twitter that this is going to be the biggest story of the year. 

Dave Bittner: OK. 

Ben Yelin: I don't know if I'd go that far. 

Dave Bittner: Yeah. 

Ben Yelin: But it's a big story. It's a really important story. 

Dave Bittner: The year's only half over, Ben... 

Ben Yelin: Exactly. 

Dave Bittner: ...There's plenty of time for more (laughter). 

Ben Yelin: Uh oh. 

Dave Bittner: I know. Be careful what you ask for. 

Ben Yelin: Yeah. We should not jinx ourselves. Yeah. 

Dave Bittner: Yeah. Right, don't tempt fate (hushing). 

Ben Yelin: Exactly. 

Dave Bittner: Yeah. All right. Well, we'll have links to that story in the show notes for sure. My story this week comes from The Washington Post, written by Michelle Boorstein, Marisa Iati and Annys Shin. And it's titled "Top U.S. Catholic Church Official Resigns After Cellphone Data Used To Track Him On Grindr And To Gay Bars." This is a fascinating story about a publication - a journalist with an organization called the Pillar who was able to buy mobile app data from a data aggregator, from a company who sells this sort of thing. 

Ben Yelin: Which they are allowed to do, yep. 

Dave Bittner: Nothing illegal about that - and then went through the process of deanonymizing that data, and through that process, basically, outed a Catholic priest who had been using the hookup app Grindr. And evidently - allegedly, this priest was also visiting gay bars. So I - as we go through this, I want to be really careful that we're not, you know, kink shaming or anything like that, you know, for the priest himself. 

Ben Yelin: Right. The story is about an invasion of privacy. It's not about the priest himself. 

Dave Bittner: Right. Right. 

Ben Yelin: Yeah. 

Dave Bittner: Now, the priest has resigned because, obviously, if these allegations are true, that runs afoul of the commitments he's made as a priest and, you know, that sort of thing. So that is a part of the story, perhaps, a bit salacious part of the story, I suppose. But what I'm really interested here is the deanonymization angle. You know, you and I have talked about, you know, if I have a set of anonymized data and I say, show me all the data points that are Ben's house, and then also the ones that are where Ben works, guess whose data I have (laughter). 

Ben Yelin: Yeah. 

Dave Bittner: Right? 

Ben Yelin: That's pretty easy investigative work. 

Dave Bittner: Right. 

Ben Yelin: You don't have to be a well-trained detective to... 

Dave Bittner: Right. 

Ben Yelin: ...Draw some connections there. 

Dave Bittner: Just by correlating where someone sleeps - so show me where this device is pinging a cellphone tower, you know, in the middle of the night. So I know where that person sleeps. That's - chances are, that's their house. And then where they go every day, chances are, that's their office. There is going to be a very small set of people who align to both of those data points. And from there, Bob's your uncle, right? I mean, you have... 

Ben Yelin: Right. 

Dave Bittner: ...Basically, you're able to track someone's comings and goings pretty reliably. And that, evidently, is what this reporter did. 

Ben Yelin: Right. So the thing about deanonymizing data is in the vast majority of cases, nobody has enough of an incentive to really spend the time to track somebody down. You kind of have to be motivated to do it. If you are motivated to do it, what this story indicates is that the data is out there. You know, if you have any sort of device, you are being tracked unless you turn off your location services. 

Dave Bittner: Right. 

Ben Yelin: And if somebody is willing enough and has, you know, the ability to devote their own resources, time and money to deanonymizing that data, that's going to happen. And there's nothing that the legal system at this point can really do to stop it. There are no federal laws against selling this anonymized data or banning anonymized data collection. And the state laws that exist aren't very robust. And they're generally geared towards specific scenarios, like cyberstalking. So they're not about things like this, which, you know, wouldn't actually implicate anybody in a crime. It's about personally embarrassing this priest and causing him to have to resign from his work. So I think the lesson here, unfortunately, is that unless you really make an effort to keep your own movements and your own activities anonymous - and it has to be a pretty robust effort...

Dave Bittner: Yeah. 

Ben Yelin: ...You're going to be subjected to the whims of the surveillance state. And there's very little that the legal system is going to do to protect you. 

Dave Bittner: Well - and, I mean, that's the ball game, isn't it? I mean, how - it seems to me like we're at a point now where if you want to participate in the world, if you want to have a mobile device, this is happening. Yeah. If you're using any apps - and again, you know, an app like Grindr, where you would think that anonymity is a - would be a very important, a key element, that they would align themselves with. The fact that they are selling anonymized data, to me, is troubling. But again, I guess they're under the - by saying it's anonymized, that allows them to, you know, say there's no problem here - right? - because you're unable to... 

Ben Yelin: Right. And that's what Grindr said, essentially, is the story itself is homophobic... 

Dave Bittner: Right. 

Ben Yelin: ...And they said, you know, the data described in it can't be publicly accessed. That's technically true. But, I think, the point this article makes and the point we're trying to make is that if somebody is determined enough, you can get answers from the anonymized data about an individual person. That person can be tracked down. We don't know exactly how that happened in the circumstances here. But it can happen, and it will happen. So, you know, it's just - it's funny, they - at the end of this article, they mention what we talked about in our previous story, that, you know, Israeli, military-grade spyware was leased to governments for tracking terrorists and criminals and human rights activists. So, you know, I think you can fit this story into the broader theme of we're all being watched... 

Dave Bittner: Yeah. 

Ben Yelin: ...Not in the way, you know, to sound conspiratorial, but in a way, you know, that, whether it's the private sector or the public sector, unless you are extremely careful and extremely diligent about, you know, protecting your own anonymity and privacy, information on you is going to be out there if you have a device. 

Dave Bittner: Yeah. It's being collected. 

Ben Yelin: It is. 

Dave Bittner: You cannot stop it. 

Ben Yelin: Yeah, which is, you know, kind of chilling, especially for people like the gentleman in this story, who, you know, wanted to - obviously wanted to keep this part of his life private... 

Dave Bittner: Right. 

Ben Yelin: ...And wasn't able to. 

Dave Bittner: Right. 

Ben Yelin: And that's kind of a pitfall of the digital age. 

Dave Bittner: And also, it - the fact that this journalist was able to do this and, presumably, not at great expense, you know, not at - I don't know the amount of effort that went into reporting this story, gathering this data, so on and so forth. But I guess where I'm going with this is, I wonder, is this going to become standard operating procedure for everyone gathering information on a political rival, you know? Where were you on the night of such and such, senator, right? 

Ben Yelin: Yep. 

Dave Bittner: (Laughter) If it's easy to do or, comparatively, it doesn't take a whole lot of money, time or resources to do something like this, is that the point where we get attention of policymakers, right? 

Ben Yelin: Once their private affairs have been uncovered? 

Dave Bittner: Yes. Yes. 

Ben Yelin: Possibly. I mean, maybe that's the way you get a federal law passed. You know, it reminds me of a story back in the '80s, when a Democratic senator who was running for president, Gary Hart, there were rumors of extramarital affairs. 

Dave Bittner: Right. 

Ben Yelin: And he was like, follow me around. I got nothing to hide. 

Dave Bittner: (Laughter) They did. 

Ben Yelin: And they followed him around. 

Dave Bittner: Turns out, he had stuff to hide. 

Ben Yelin: He had stuff to hide. Yeah. But at that point, you actually had to, like, put people on it. 

Dave Bittner: Right. 

Ben Yelin: You know, you actually had to tail him... 

Dave Bittner: Right. 

Ben Yelin: ...And follow him in a car and, you know, go to the house where he was having extramarital affairs. 

Dave Bittner: Yeah. 

Ben Yelin: Now we're realizing from this story and so many other stories, you know, it doesn't take that extensive of an investigation, if you are, you know, motivated enough to do it, to get private information on people. So yeah, I mean, we really might start seeing more frequently in political advertising, you know, on the night of this disaster, such and such candidate had dinner at Applebee's. Clearly, he doesn't understand... 

Dave Bittner: Right. 

Ben Yelin: ...You know, the severity of the event or something like that. 

Dave Bittner: Yeah. And, I mean, in a case like this, where this monsignor's career is... 

Ben Yelin: Ruined. 

Dave Bittner: ...Ruined, basically, through guilt by association. 

Ben Yelin: Yeah. 

Dave Bittner: Right? 

Ben Yelin: Yeah. I mean, that's the tragic part of this story. 

Dave Bittner: Yeah. 

Ben Yelin: There is a real human element to it. You know, I think the lesson for the rest of us is, we have to be extremely diligent if - I mean, if this is something that you're interested in. Some people just don't care about it. And that's fine. But if you do care about the fact that you are being tracked, you cannot be passive about it. You really have to be active in confronting that information. 

Dave Bittner: Yeah. All right. Well, we will have a link to that in the show notes, of course. If you have a question for us, we would love to hear from you. We have a call-in number. It's 410-618-3720. You can also write us at 

Dave Bittner: Ben, I recently had the pleasure of speaking with Anup Ghosh. He is the CEO of Fidelis Cybersecurity. And our conversation centered on this notion of hacking back and whether or not that is a good idea in the private sector. Here's my conversation with Anup Ghosh. 

Anup Ghosh: Hacking back has been something that has been discussed, actually, a phenomenon that we've seen over the last two decades. There have been some serious groups that have studied it as a matter of policy and feasibility. And, you know, at least in my two decades of being in security circles - I guess it's more than that now - every serious study I have seen has concluded this is a bad idea, primarily because attribution of attacks is very hard. Also, oftentimes, attackers use public infrastructure. And so when you're hacking back, you know, you're more likely hurting someone else other than whom you might intend. And finally, the consequences of escalation can go very badly for victims. So, you know, from a policy perspective, this is a bad idea. And I think anyone who's studied it has reached the same conclusions.

Dave Bittner: Can we just get down to some of the real basics here? I mean, in general, what are folks talking about when they refer to hacking back? 

Anup Ghosh: Well, I think what's really spurred the recent discussion is ransomware, right? And it is understandable when all of your, you know, personal files, including photos, might be encrypted and therefore lost. If your entire business has been essentially shut down because of a ransomware attack, you might - you certainly will feel very strong emotions about getting back at the perpetrators who have really taken over your life. So I think it's a very emotional reaction, not to mention the fact that they're actually holding it ransom for money and, sometimes, a considerable amount of money. So it really is adding a lot of pain to this scenario. 

Dave Bittner: What are the comparisons to, you know, sort of real-world crimes? You know, if someone were to kidnap someone, or someone were to, you know, physically restrict access to a space or a business or something like that... 

Anup Ghosh: Sure. 

Dave Bittner: ...You know, there would be real-world reactions there. 

Anup Ghosh: Yeah, I think we do have real-world analogies here that hold up to some extent. So for example, you know, think about someone breaking into your house, robbing you and then later, you actually find out, you know, or you think you find out who it is, right? Well, you might be tempted to go and try and get back your stuff and maybe cause some pain on that person. We know, you know, first of all, this is illegal. Second, vigilantism typically doesn't end well, right? And so, you know, for these reasons, we do have law. We do have a justice system and law enforcement. And the same holds true in the cyber domain. We might think we know who got at us, but chances are we really don't. And anything we attempt to do against the adversary outside of our own networks could end badly, just like it might in the real world. 

Dave Bittner: Yeah. It strikes me, too, that, you know, even though we have robust laws for defending your homestead, for example - you know, the castle doctrine - you're still - you're not allowed to have booby traps all around your property, you know? That sort of thing isn't allowed. 

Anup Ghosh: Well, you know, I think you bring up a really interesting point, which is you are allowed to defend your property - right? - in many states. What is it? Stand my ground kind of laws, the castle doctrine, as you mentioned. And that's - that actually does create a guide, I think, in the security profession that you are allowed to defend your network, right? And if you do encounter an adversary on your network, you are allowed to engage and counter that adversary. And actually, that's a discussion we should be having, in my mind - is not the hack back. It's the detect, respond, counter your adversary on your network. And you are allowed to do that by law. So - and there are different levels of detection and response you can take. You know, active defense is something that is getting more fluency now in security circles as a philosophy, as a doctrine, if you will. 

Dave Bittner: What about the folks who are frustrated that - for example, they say the federal government isn't doing enough to defend us against these ransomware operators, for example. They're coming from foreign countries where they're not being pursued by the government and law enforcement in their own countries. And they say, you know, if this - again, if a foreign army came to the U.S. and shut down my business, there'd be a strong reaction from U.S. law enforcement and our military. We're not seeing that happen in the cyber domain. And so people are frustrated at that. 

Anup Ghosh: Yeah. And the frustration is understandable, especially if it's you - right? - who ends up being the victim, right? 

Dave Bittner: Yeah. 

Anup Ghosh: And so yeah, I think it is important that we speak up, we hold our representatives accountable for deterrence and action. And the truth is the U.S. government does have a lot of power to, you know, either strike back or cause uncomfortable pain to sponsors of these attacks. The challenge, however, is it's probably not going to be on a timeline that, you know, satisfies our immediate need for justice, if you will, right? 

Anup Ghosh: And the government can leverage a lot more authorities than private individuals or companies can and in ways that perhaps we wouldn't even think about. So, for example - and this isn't theoretical. We've seen this happen time and again. Economic trade, of course, is one means of us holding people accountable. You know, sanctions not only against countries but also individuals can create a lot of pain for actors. And these are sort of on the diplomatic side. On the law enforcement side, we've seen a lot of takedowns of infrastructure - right? - botnet infrastructure but also takedowns of individuals. The use of sealed indictments has been a powerful weapon in being able to round up perpetrators that have, you know, crossed outside the boundaries of their protection, right? 

Anup Ghosh: And so this has turned out to be fairly effective. And the U.S. government has far better attribution capabilities through its intelligence agencies than any individual or private company can. And so we've seen it happen before in the Obama administration. You know, even at the most senior levels, when President Obama met with China's premier, we saw dramatic action on that front. We've seen named indictments of Chinese PLA. So there are measures that could be taken that are far broader than what individuals or companies can take in the U.S. And we just need to make sure that our government is focused on that.

Dave Bittner: Do you suppose there might be a communications gap here? As - you know, as you and I have been talking about, I think there is that powerful emotional component. And I think sometimes people feel as though they're not being heard, that, you know, they're not seeing a direct and immediate response. And perhaps if there was a way for law enforcement to say, look; we hear you; we see what's going on; you know, we're working on it; and trust us, you know, that things are being done even though they might not seem, you know, evident or immediate... 

Anup Ghosh: Yeah, I don't think you'll really be able to build that trust until we see better results. So, for example, an individual's business or machine being held ransom is not going to get the attention of the FBI, right? But a critical infrastructure that - like Colonial Pipeline that ends up causing gas lines throughout the East Coast in the summer, that's going to cause a lot of pain for politicians, for the president in particular, right? You know, it's one of those weird things that people watch, which is how much do I pay for gas, right? 

Dave Bittner: Right. 

Anup Ghosh: And, you know, it was interesting. During that same week, the White House had released its executive order, which was more, I think, esoteric. You know, and people in security circles and certainly federal security circles paid attention to that while the rest of the nation did not. That same week is when the Colonial Pipeline ransomware made news. And that - my reaction was, this is more likely to get action than the executive order just because of the price of gas going up, and people staying in gas lines actually creates real political pain for the president. 

Anup Ghosh: And we have seen some stronger words come out recently from the Biden administration that it will hold Russia accountable. And I think that is the right strategy going forward, which is - look. Foreign governments that are harboring criminals can only say, you know, for so long, we're not responsible, because perhaps they're - you know, they're implying these are private individuals or contractors. But the reality is oftentimes they are intelligence agencies. And even when they are private individuals, they're operating under the sanctuary set up by these foreign regimes. And that part has to end. You know, that cannot be tolerated. And we have to make that clear. 

Anup Ghosh: And more to the point, we need to establish norms and red lines, right? And that - I don't think that's been that effective - right? - to what is acceptable hacking, if you will. I put that in quotes, right? And what is unacceptable that, should you cross this line, there will be reaction. And the reaction will cause pain. And we have, you know, a series of escalation capabilities that will seriously hurt you, right? And that doctrine, if you will, has not been made real clear. And therefore, you know, actors, foreign governments feel free to continue to allow the activity to happen. 

Dave Bittner: Yeah. It seems to me like - you know, you think about a demonstration of capabilities, you know? But then you have the danger of escalation, right? 

Anup Ghosh: Yeah, yeah. And I do think that Russia, China, other foreign governments have an understanding of the U.S.' capability in this area. And it's No. 1 bar none, right? Are we willing to demonstrate that capability, to do a demonstration in order to flex? The reality is we're not because doing so would burn our methods, right? And then we wouldn't be able to use them at a future time. 

Anup Ghosh: But what is powerful, I believe, is some of the law enforcement actions, right? That can actually - if you can get to the right folks using both sort of traditional criminal investigations, which turn out to be very powerful in this fight, as well as cyber forensics and cooperation with private companies, particularly ones that control infrastructure, you know, that sort of private-public cooperation is a linchpin to being able to identify who are the perpetrators behind and that it is up to the U.S. government to take action. And we have seen this before, right? And it needs to be organized. And it needs to be made clear when you take certain actions, there will be certain reactions that are far more uncomfortable. You know, people use the word proportionate, but it has to be a little bit disproportionate, to be honest, to get - to have the deterrent effect. 

Dave Bittner: All right. Ben, what do you think? 

Ben Yelin: It's really interesting to talk about the analogues in the non-digital world. But I think oftentimes the reaction is, all right, well, if somebody, you know, attacks me, I'm going to defend myself. That's not really what the analogue is. Hacking back is not simply defending yourself. As the interviewee said, it's not a simple Castle doctrine thing where, like... 

Dave Bittner: Right. 

Ben Yelin: You come into my network, I will destroy you. 

Dave Bittner: Right. 

Ben Yelin: Instead, it's... 

Dave Bittner: You come into my house, I'm going to go to your house and burn it down. 

Ben Yelin: Go to your house and - exactly. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: In case you haven't heard, that is illegal vigilantism. 

Dave Bittner: Right. Yeah. 

Ben Yelin: And that's why hacking back is a bad idea, which seemed to be the general theme of the interview and my perspective as well. 

Dave Bittner: Yeah, absolutely. I do have a follow-up conversation with him that's going to air over on the CyberWire where we talk about this notion of active defense within your network, sort of a middle ground. So if it's a topic you're interested in, that'll be running, I think, in the next week or so over on the CyberWire. Do a search for Anup or Fidelis Cybersecurity, and you'll find it. It's sort of an interesting Part II to this conversation. And, of course, we want to thank him for joining us. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.