Time to consider the 'hack-back' strategy?

Shutterstock image (by igor.stevanovic): anonymous computer hacker.

America has the big stick in cyberspace. But does it matter, if the rest of the world believes we won't use it?

Three experts from outside government mulled that deterrence question at a Sept. 30 hearing of the House Foreign Affairs Committee on cyber war.

Their verdict: There's an awful lot the U.S. could do, and it might need to launch a cyber strike or two to get adversaries off its back.

Chairman Ed Royce (R-Calif.) noted that the nation's intelligence chiefs have lamented the lack of a clear national cyber deterrence strategy. "From the private sector to government, our country is taking body blow after body blow in cyberspace," Royce said in his opening statement. "Why aren't we hitting back?"

James Lewis, director and senior fellow in the Center for Strategic and International Studies' Strategic Technologies Program, said hitting back could be just the thing.

"We need to make credible threats," he said. "We need to have countries believe that we will respond with punitive action."

While Israel, Russia and, to a lesser extent, the United Kingdom and France have all shown they'll hit back after a cyberattack, the U.S. has lagged, Lewis said.

"We need to have people believe if they hack us there will be punishment," Lewis said. "We have the capability ... people don't think we'll do it."

"Many of us are coming to the belief that we might have to do it once," he added.

If the U.S. does pursue a punitive hack -- government-sponsored, not companies taking matters into their own hands -- there are some surprising options available.

In the case of China, Georgetown University's associate director of the Institute for Law, Science and Global Security Catherine Lotrionte said, the U.S. government could steal private financial data of Chinese oligarchs and leak it to the press, damaging those leaders' reputations with their own people.

"International law is quiet on espionage," Lotrionte told FCW following the hearing. "We've never regulated it. Taking their stuff and embarrassing them? That's not regulated under international law."

Another option: taking economic information from foreign firms and sharing it with American companies.

"There's no law that says you are not allowed to share intelligence information with American companies, or citizens," Lotrionte told FCW. "There's no law that prohibits that, aside from PII of Americans."

During the 1990s, Lotrionte recalled, the U.S. government debated whether to pursue such actions against Israeli and Japanese companies, but ultimately decided against such a course.

"What won the day was people did not think it was in our nature," she said. "The public wasn't comfortable with that coziness [between business and government]."

But the U.S. could still go down that path as a cyber deterrent, she noted. In order to keep the process aboveboard stateside, the government could essentially auction off the information, instead of picking favorite companies to receive pilfered data.

In the hearing, several members expressed disbelief at the apparent legality of the tactics Lotrionte proffered -- but also pledged to consider them.

About the Author

Zach Noble is a former FCW staff writer.


  • Acquisition
    Shutterstock ID 169474442 By Maxx-Studio

    The growing importance of GWACs

    One of the government's most popular methods for buying emerging technologies and critical IT services faces significant challenges in an ever-changing marketplace

  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

Stay Connected