In a very well-written article posted over at the Volokh Conspiracy website (which is not about what you think), Stewart Baker looks at the issue of hack-backs, and offers up a disturbing discussion about US government-sponsored cybersecurity agencies - and how little they apparently do to protect the general public. And more disturbingly - how increasingly adamant they are becoming about not allowing the general public to protect itself.
Luxembourg: The Steve McQueen of Cybersecurity
Stewart Baker • April 12, 2013 8:45 pm
Here’s the scant good news on cybersecurity: It’s getting harder for attackers to hide. The same security weaknesses that bedevil our networks can be found on the systems used by our attackers. A shorter version is something I call Baker’s Law: “Our security sucks. But so does theirs.”
That’s good news because, with a little gumption, we can exploit hacker networks, gather evidence that identifies our attackers, and eventually take action that will make them regret their career choices.
Unfortunately, the United States has been sitting out this attribution revolution. Our vaunted CyberCommand may be energetically exploiting hacker networks, but it isn’t helping private victims of cyberespionage. Foreign governments are hacking US companies, law firms, activists, and individuals with abandon, but our government seems unable or unwilling to stop the attacks or identify the attackers. In fact, hacking victims who want to gather evidence against the bad guys are being warned off, told that conducting a private investigation could put them at risk of prosecution. As an anonymous Justice Department recently told the press,
“Arguments for or against hack-back efforts fall into two categories: law and policy,” the DOJ spokesman told BNA. “Both recommend against hack-back. Under current law, accessing a computer that you do not own or operate without permission is likely a violation of law. And while there might be something satisfying about the notion of hack-back on a primal level, it is not good policy either.”
Actually, the spokesman could have stated the Department’s policy even more concisely: “We don’t know how to protect you, but we do know how to keep you from protecting yourselves.”
Justice wants to cut off the debate over hacking back...
<Read the full article here.>
The article goes on to discuss the actions taken by two private computer security entities residing in Luxembourg who successfully hacked back the shadowy cyberwarfare group Unit 61398 of the Chinese Army and came away with a wealth of information on exactly who they are, and how they operate. Something that "would likely be illegal" for a US entity to do. At least as far as our ever-watchful Department of Justice is concerned.
Well worth a read, both as a cautionary tale, and also for the techno-geek laughs it provides.
Note: the article author Stewart Baker spent "3½ years at the Department of Homeland Security as its first Assistant Secretary for Policy" before returning to private law practice. So his insights are especially interesting since he approaches the topic with the dual perspective of someone who was both a former DHS government 'insider' and is now a private attorney. (Read his work bio here.)