Time to consider the 'hack-back' strategy?
The U.S. government may have legal access to some surprisingly dirty cyber tactics -- and in order to stave off future hacks, it may need to use them.
America has the big stick in cyberspace. But does it matter, if the rest of the world believes we won't use it?
Three experts from outside government mulled that deterrence question at a Sept. 30 hearing of the House Foreign Affairs Committee on cyber war.
Their verdict: There's an awful lot the U.S. could do, and it might need to launch a cyber strike or two to get adversaries off its back.
Chairman Ed Royce (R-Calif.) noted that the nation's intelligence chiefs have lamented the lack of a clear national cyber deterrence strategy. "From the private sector to government, our country is taking body blow after body blow in cyberspace," Royce said in his opening statement. "Why aren't we hitting back?"
James Lewis, director and senior fellow in the Center for Strategic and International Studies' Strategic Technologies Program, said hitting back could be just the thing.
"We need to make credible threats," he said. "We need to have countries believe that we will respond with punitive action."
While Israel, Russia and, to a lesser extent, the United Kingdom and France have all shown they'll hit back after a cyberattack, the U.S. has lagged, Lewis said.
"We need to have people believe if they hack us there will be punishment," Lewis said. "We have the capability ... people don't think we'll do it."
"Many of us are coming to the belief that we might have to do it once," he added.
If the U.S. does pursue a punitive hack -- government-sponsored, not companies taking matters into their own hands -- there are some surprising options available.
In the case of China, Georgetown University's associate director of the Institute for Law, Science and Global Security Catherine Lotrionte said, the U.S. government could steal private financial data of Chinese oligarchs and leak it to the press, damaging those leaders' reputations with their own people.
"International law is quiet on espionage," Lotrionte told FCW following the hearing. "We've never regulated it. Taking their stuff and embarrassing them? That's not regulated under international law."
Another option: taking economic information from foreign firms and sharing it with American companies.
"There's no law that says you are not allowed to share intelligence information with American companies, or citizens," Lotrionte told FCW. "There's no law that prohibits that, aside from PII of Americans."
During the 1990s, Lotrionte recalled, the U.S. government debated whether to pursue such actions against Israeli and Japanese companies, but ultimately decided against such a course.
"What won the day was people did not think it was in our nature," she said. "The public wasn't comfortable with that coziness [between business and government]."
But the U.S. could still go down that path as a cyber deterrent, she noted. In order to keep the process aboveboard stateside, the government could essentially auction off the information, instead of picking favorite companies to receive pilfered data.
In the hearing, several members expressed disbelief at the apparent legality of the tactics Lotrionte proffered -- but also pledged to consider them.