Time to consider the 'hack-back' strategy?


America has the big stick in cyberspace. But does it matter, if the rest of the world believes we won't use it?

Three experts from outside government mulled that deterrence question at a Sept. 30 hearing of the House Foreign Affairs Committee on cyber war.

Their verdict: There's an awful lot the U.S. could do, and it might need to launch a cyber strike or two to get adversaries off its back.

Chairman Ed Royce (R-Calif.) noted that the nation's intelligence chiefs have lamented the lack of a clear national cyber deterrence strategy. "From the private sector to government, our country is taking body blow after body blow in cyberspace," Royce said in his opening statement. "Why aren't we hitting back?"

James Lewis, director and senior fellow in the Center for Strategic and International Studies' Strategic Technologies Program, said hitting back could be just the thing.

"We need to make credible threats," he said. "We need to have countries believe that we will respond with punitive action."

While Israel, Russia and, to a lesser extent, the United Kingdom and France have all shown they'll hit back after a cyberattack, the U.S. has lagged, Lewis said.

"We need to have people believe if they hack us there will be punishment," Lewis said. "We have the capability ... people don't think we'll do it."

"Many of us are coming to the belief that we might have to do it once," he added.

If the U.S. does pursue a punitive hack -- government-sponsored, not companies taking matters into their own hands -- there are some surprising options available.

In the case of China, Catherine Lotrionte, associate director of Georgetown University's Institute for Law, Science and Global Security, said the U.S. government could steal private financial data of Chinese oligarchs and leak it to the press, damaging those leaders' reputations with their own people.

"International law is quiet on espionage," Lotrionte told FCW following the hearing. "We've never regulated it. Taking their stuff and embarrassing them? That's not regulated under international law."

Another option: taking economic information from foreign firms and sharing it with American companies.

"There's no law that says you are not allowed to share intelligence information with American companies, or citizens," Lotrionte told FCW. "There's no law that prohibits that, aside from PII of Americans."

During the 1990s, Lotrionte recalled, the U.S. government debated whether to pursue such actions against Israeli and Japanese companies, but ultimately decided against such a course.

"What won the day was people did not think it was in our nature," she said. "The public wasn't comfortable with that coziness [between business and government]."

But the U.S. could still go down that path as a cyber deterrent, she noted. In order to keep the process aboveboard stateside, the government could essentially auction off the information, instead of picking favorite companies to receive pilfered data.

In the hearing, several members expressed disbelief at the apparent legality of the tactics Lotrionte proffered -- but also pledged to consider them.

About the Author

Zach Noble is a former FCW staff writer.

