- - Tuesday, October 20, 2015

Like millions of other federal retirees, I recently received a letter from the Office of Personnel Management (OPM) telling me that a “cybersecurity incident” may have compromised my “personal information, including name, Social Security number, date and place of birth and current or former address.” In plainspeak, the OPM computer system had been hacked.

This “incident,” as OPM bureaucratically phrases it, is only one of the more recent in a long string of such cyber-attacks that have affected government and private organizations alike. Responses are almost always the same: Government officials and other “experts” speculate that the attack came from Russia, China, North Korea or some country in the Middle East. They promise to tighten up security. (And sometimes a resignation is required to mollify Capitol Hill.)

Although technological improvements are no doubt needed, the principal problem now is not technical, but legal. The problem starts with attribution: Who or what entity did the hack? Imagine that a missile lands in this country. Administration officials opine that the missile “may have” or “in all likelihood” or “possibly” originated in Country X. The American people would be up in arms. They would rightly demand to know how we can spend billions and billions of dollars on national defense and not know for sure where a missile originated.

That is precisely the issue with cyber-attacks. Why don’t we know to whom to attribute attacks? Is it a matter of physics or technology? No, not primarily. The answer is that the law in most circumstances makes it difficult for us to determine the origins of cyber-attacks.

How so? Cyberdefense experts want to know definitively the origin of a cyber attack. And one of the best ways to do that is by so-called hacking back, that is, tracing the cyberattack backward through each of the U.S. servers through which the attacker passed until the computer originating the attack is uncovered. If the origin of an attack were known, the State or Defense Departments could take effective action against the nation harboring the attackers or directly against the hackers themselves.

So why don’t we hack back? Under various U.S. laws — no surprise — it is felonious to hack into domestic computer systems. Among others is the Computer Fraud and Abuse Act (10 U.S.C. 1030). The problem is that laws prohibiting hacking apply to government officials defending the nation’s computer systems as well as to private citizens bent on mischief. With few exceptions, a Foreign Intelligence Surveillance Act (FISA) order or a criminal warrant under Title III is required to enter a domestic computer system. Neither of these avenues is likely to be available or of use. First, it is doubtful that either would be granted to enter an “innocent” server — that is, a server through which a hacker is passing, because the owner of that server has done nothing wrong. But even if that problem could be hurdled, a new, separate order or warrant would be needed for each “innocent” server through which the hacker passed. This solution is impractical because it would simply take too much time.

Hackers are familiar with U.S. law. Accordingly, their routes from Country X to, say, the Pentagon or OPM are circuitous. Their first hop into this country may be into a corporate server; then they may hop through the systems of universities. Only after some number of such hops do they finally attack the Pentagon or OPM computer systems. Hackers know that hacking back is unlawful in the United States, and they also know that universities would strongly resist any intrusion into their computer systems by federal cyberdefenders.

Our inability to hack back, in my view, is no longer tenable. Our cyberdefenses are way out of date. They work by trying to create an electronic moat around each facility using firewalls to prevent hacks. Thus, in effect there are thousands of moats around thousands of government facilities. Even if the firewalls were always effective — and they are not — they can be defeated by sloppy computer tradecraft, for example, weak passwords. Just as castle moats were ultimately undermined by developments in weaponry, so cybermoats are increasingly ineffective. In effect, we are always playing defense near our own end zone.

So why don’t we have a hack-back regime? The reason is political. Imagine the reaction if the National Security Agency (NSA) or the FBI, for example, hacked back through university servers in the U.S. chasing down cyber-attackers. The reaction would be akin to the reaction the Edward Snowden revelations generated.

Is the situation hopeless? Must government stand by while its computer systems and those in the private sector are attacked? I don’t think so. It seems to me that a FISA-like regime could be established that would involve the federal judiciary in authorizing hack-backs. The NSA, FBI or some other federal agency would apply to a special federal court — call it the Federal Cybersecurity Defense Court — averring that Pentagon computer systems, say, are under sustained attack and requesting authority to trace the attack backward. The court could then authorize the trace. There would be rigorous limits on what the federal agency could do in its hack-back. It could not, for example, root around in university computer systems looking at academic work or research. Other restrictions could be created. Oversight would assure compliance.

Fundamentally, the issue here is one of intent. In most circumstances, police need a warrant to enter a private residence; firemen do not. Similarly here, the purpose of hacking back through “innocent” servers is not to obtain intelligence or evidence of a crime that sits on those servers. Rather, the purpose is simply to ferret out the criminal whose attack passed through the servers. As Justice Oliver Wendell Holmes once observed: “Even a dog distinguishes between being stumbled over and being kicked.”

Robert L. Deitz is professor of public policy at George Mason University. He was the general counsel of the National Security Agency from 1998 to 2006.

Sign up for Daily Opinion Newsletter

Manage Newsletters

Copyright © 2020 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.


Click to Read More and View Comments

Click to Hide