Ignatius: Private, business data needs protection, but how?

U.S. agencies have successfully ‘hacked back,’ but there are cautions for those outside government.

By David Ignatius

The Washington Post

When the debris settles after special counsel Robert Mueller completes his investigation into Russian hacking of the 2016 presidential election, America will still be left with the underlying problem that triggered the probe in the first place: the threat of malicious cyberattacks against political parties, corporations, and anybody else who uses the internet.

Here’s a disturbing fact: Even after all the uproar that has surrounded Mueller’s inquiry, the U.S. government can’t do much to protect most private citizens or organizations against attacks. There’s better security now for election systems and critical infrastructure, but that doesn’t help the banks, hedge funds, law firms and other companies with sensitive data, which are basically on their own.

Mueller’s findings about President Trump will have their own fiery afterlife on Capitol Hill, which nobody can predict. But Congress should also be thinking about the less-sexy fallout from the investigation, which highlighted the vulnerability of all data to foreign spies, meddlers and information pirates.

U.S. Cyber Command and the National Security Agency have already gone on the offensive against Moscow. Last fall, their joint “Russia Small Group” secretly “hacked back,” in effect, against Russia’s Internet Research Agency, briefly shutting down some of its computers. The aim was to deter the Russians from meddling in the 2018 midterm elections, and it seems to have worked.

Private companies are going on the offensive in cyberspace, too, even though the legal terrain is murky and there’s a big risk of triggering a tit-for-tat melee.

“Some organizations are conducting active cyber-defense ‘hacking back,’ but in my experience this will amplify the global cyber-arms race,” warns Milan Patel, a prominent former FBI cyber expert who’s now with BlueVoyant, a cyber-consulting firm. “Rather than hacking back, which will only bring a short-term sense of relief, companies need to do a better job at education and training.” Patel estimates that 92 percent of attacks originate from spear-phishing, where employees unwittingly click on malicious malware.

American history offers an unlikely lesson in how cyber-offense might be enhanced and also regulated, as explained by Michael Chertoff, former secretary of homeland security, in his recent book “Exploding Data.”

At the very beginning of our nation, when America and France were fighting an undeclared war, the U.S. Navy was too weak to protect American vessels from attack. The high seas were an 18th-century version of cyberspace, with attackers lurking everywhere. So, as Chertoff notes, the U.S. Constitution mandated that: “Congress shall have Power … To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water.”

Today, argues Chertoff, the government could grant the equivalent of letters of marque to private cyber-defense companies. “To bolster its capacity to defend and deter cyberattacks, the government should train and license ‘privateers’ for certain specific operations … to assist in deterring attacks against U.S. companies and infrastructure,” he writes.

But Chertoff cautions in an interview: “Don’t try this at home!” Meaning, companies should avoid any retaliatory action that might be illegal under U.S. or foreign law, or that would trigger counter-reprisals that would make the problem even worse.

In the real-world marketplace, cyber consultants are already selling “active defense” tools that push the envelope. Illusive Networks specializes in what its website calls “deception-based cybersecurity.” The idea is to create what intelligence organizations call “honeypots” that lure attackers and allow defenders to observe and manipulate them. “To catch an attacker, you must think like one,” says the company’s website.

Another cyber-deception specialist is Attivo Networks. Its website explains: “Deception changes the asymmetry against attackers with attractive traps and lures designed to deceive and detect attackers.” A third prominent player in the active-defense market is Endgame, which promises on its website that its software can hunt and stop exploits, phishing, malware, ransomware and other attacks. Social-media platforms such as Facebook have become increasingly active, too, in defending their networks.

Cyber experts warn that active defense is a slippery slope. A honeypot can identify invaders. But it can also lure them to gobble malicious software that disables the attackers’ network, or to steal false documents that deliberately mislead the attackers. And because attackers hide in servers that aren’t their own, a reprisal meant to target malicious hackers could take down a hospital or university.

The Mueller investigation has galvanized efforts to protect U.S. elections from future meddling. But the larger American vulnerability to cyberattack remains, and it deserves more attention.

As U.S. companies move to protect their secrets, sometimes using tools once reserved for intelligence agencies, they need better guidance from Washington.

Follow David Ignatius on Twitter @IgnatiusPost.
