US Lawmakers Propose ‘Hack Back’ Law to Allow Cyber Retaliation Without Permission of Third-Party Country

US legislators are proposing new legislation that would empower US cyber defenses to hack back at cyber aggressors, even if they’re using a third-party country’s infrastructure, without the explicit consent of the respective country.

The National Defense Authorization Act would also create a new cyber entity with the technology and skills to strike back at cyber aggressors, namely China and Russia, that seek to disrupt US critical infrastructure or weaken its cyber resilience. If approved, the bill would not only let the US military “hack back” at aggressors, but would also create a “Cyberspace Solarium Commission” whose purpose is to propose and implement strategic cyber defenses that augment the United States’ resilience to cyber-attacks.

What could possibly go wrong?

  • Attribution is imprecise and prone to error, and so
  • Attribution is vulnerable to “false flags”
  • Relies on having people with the needed skills to launch the “hack back”
  • Assumes the government, private industry, individuals, non-profits, etc. can defend against the counterattack
  • Lacks judicial and/or legislative oversight to make sure it’s not abused
  • Arguably violates dozens of treaties

And these are off the top of my head.

Private Transport Monopolies Will Be Bad for Everybody:

Last week the transportation rumor mill pumped out a story that ride-hailing company Lyft is acquiring Motivate, the bikeshare operator behind New York’s Citi Bike, San Francisco’s GoBike, and Chicago’s Divvy Bike. The deal, which was first reported late last week by The Information, is said to be in the range of $250 million.

I’m not sounding the alarm over a $250-million acquisition, but it is worth examining how consolidation in the private transportation sector will affect the public. After all, monopolies in agriculture and healthcare have led to higher pricing, artificial demand, and antitrust strategies like price-fixing.

(Via Motherboard)

More important, isn’t this a variation of the plot of Who Framed Roger Rabbit?

Censorship in the Age of Large Cloud Providers:

Whatever its current frustrations, Russia might well win in the long term. By demonstrating its willingness to suffer the temporary collateral damage of blocking major cloud providers, it prompted cloud providers to block another and more effective anti-censorship tactic, or at least accelerated the process. In April, Google and Amazon banned—and technically blocked—the practice of “domain fronting,” a trick anti-censorship tools use to get around Internet censors by pretending to be other kinds of traffic. Developers would use popular websites as a proxy, routing traffic to their own servers through another website—in this case Google.com—to fool censors into believing the traffic was intended for Google.com. The anonymous web-browsing tool Tor has used domain fronting since 2014. Signal, since 2016. Eliminating the capability is a boon to censors worldwide.

Tech giants have gotten embroiled in censorship battles for years. Sometimes they fight and sometimes they fold, but until now there have always been options. What this particular fight highlights is that internet freedom is increasingly in the hands of the world’s largest internet companies. And while freedom may have its advocates—the American Civil Liberties Union has tweeted its support for those companies, and some 12,000 people in Moscow protested against the Telegram ban—actions such as disallowing domain fronting illustrate that getting the big tech companies to sacrifice their near-term commercial interests will be an uphill battle. Apple has already removed anti-censorship apps from its Chinese app store.

In 1993, John Gilmore famously said that “The Internet interprets censorship as damage and routes around it.” That was technically true when he said it but only because the routing structure of the Internet was so distributed. As centralization increases, the Internet loses that robustness, and censorship by governments and companies becomes easier.

(Via Lawfare – Hard National Security Choices)
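The excerpt above describes the mechanism: the TLS handshake names one host (the SNI, which the censor can see) while the encrypted HTTP request names another (the Host header, which only the CDN sees). The defender-side corollary is that the only vantage point that sees both fields, a TLS-inspecting proxy or the CDN’s own access log, can spot the technique as an SNI/Host mismatch. The following is an added example, not code from the Lawfare article or its author; it assumes a constructed log format (`sni=` and `host=` fields per line) and uses a naive last-two-labels stand-in for a public-suffix lookup.

```python
"""Flag TLS SNI / HTTP Host mismatches in proxy or CDN access logs.

A mismatch between the domain named in the TLS handshake and the domain
named in the HTTP Host header is the observable fingerprint of domain
fronting. Records lacking either field cannot be judged and are skipped.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not from any real system). Assumed format:
# <timestamp> <client_ip> sni=<tls_sni> host=<http_host> status=<code>
SAMPLE_LOG = """\
2018-06-10T12:00:01Z 10.0.0.5 sni=www.google.com host=www.google.com status=200
2018-06-10T12:00:02Z 10.0.0.7 sni=www.google.com host=relay.example.net status=200
2018-06-10T12:00:03Z 10.0.0.9 sni=cdn.example.org host=www.example.org status=200
2018-06-10T12:00:04Z 10.0.0.4 sni=- host=static.example.com status=304
2018-06-10T12:00:05Z 10.0.0.8 sni=cloudfront.example host=meek.example.net status=200
"""


@dataclass
class Record:
    ts: str
    client: str
    sni: Optional[str]
    host: Optional[str]
    status: int


def _clean(name: Optional[str]) -> Optional[str]:
    """Normalise a hostname: lower-case, drop any :port and trailing dot.
    A '-' in the log means the field was absent (e.g. no SNI sent)."""
    if name is None or name == "-":
        return None
    name = name.split(":", 1)[0].rstrip(".").lower()
    return name or None


def parse_line(line: str) -> Record:
    """Parse one line of the assumed key=value log format."""
    ts, client, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Record(
        ts=ts,
        client=client,
        sni=_clean(fields.get("sni")),
        host=_clean(fields.get("host")),
        status=int(fields.get("status", "0")),
    )


def registered_domain(name: str) -> str:
    """Last two labels of a hostname. Assumption: a stand-in for a real
    public-suffix lookup, which a deployment would need for names such as
    example.co.uk; here it is enough to group cdn.x.org with www.x.org."""
    labels = name.split(".")
    return ".".join(labels[-2:])


def is_fronted(rec: Record) -> bool:
    """True when the TLS SNI and HTTP Host name different registered domains.
    Same-organisation differences (cdn.example.org vs www.example.org) are
    deliberately not flagged, since CDNs front their own customers' names."""
    if rec.sni is None or rec.host is None:
        return False
    return registered_domain(rec.sni) != registered_domain(rec.host)


def find_fronting(log_text: str) -> List[Record]:
    """Return every record in the log whose SNI and Host disagree."""
    records = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [rec for rec in records if is_fronted(rec)]


if __name__ == "__main__":
    for rec in find_fronting(SAMPLE_LOG):
        print(f"{rec.ts} {rec.client}: SNI {rec.sni} but Host {rec.host}")
```

On the constructed sample, the second and fifth lines are flagged: the SNI says one organisation’s domain while the Host header names an unrelated one. The fourth line carries no SNI at all and is skipped rather than guessed at, because the absence of the field says nothing about fronting. Note that this check is only possible from a position that sees the decrypted Host header; an on-path censor sees the SNI alone, which is exactly why the technique worked until the providers themselves disallowed the mismatch.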

Congress Should Oversee America’s Wars, Not Just Authorize Them:

Nearly 17 years after the 9/11 attacks, a bipartisan coalition of senators has put forward legislation that promises to overhaul the legal framework for America’s worldwide campaign against terrorism. Proponents of this measure argue the existing authorization for military force—an AUMF in wonk-speak—passed back in September 2001 has become woefully outdated. The failure to modernize it, supporters say, represents a dereliction of duty by Congress.

They have a point. The text of the 2001 AUMF no longer bears much resemblance to the wars we are fighting and that we will continue to fight for the foreseeable future. As a matter of both constitutional good practice and common sense, the case for an updated statute is clear.

The problem is that, while a new authorization is legally desirable, its real-world impact is likely to be minimal—doing little more than sanctioning military operations the executive branch is already prosecuting. Lawmakers who portray passage of an AUMF as the ultimate fulfillment of their war-powers responsibilities therefore risk elevating constitutional form over national security substance—while neglecting the far more powerful but less formal tools Congress possesses to influence America’s post-9/11 wars for the better.

That is unfortunate because the need for thoughtful, energetic congressional activism has never been greater. From Afghanistan to Syria to the Sahel, multiple complex U.S. military operations are unfolding. Members of Congress are uniquely positioned to scrutinize these efforts and the strategy underlying them, identify any flaws and failures in policy, and inject innovative or disruptive new ideas into the public debate that will make success more likely.

In the mid-2000s, for instance, it was Members of Congress from both parties who were pivotal in challenging—and eventually overhauling—the Bush administration’s strategy in Iraq.

During those years, senators like John McCain and Joseph Lieberman (for whom we worked at the time) regularly traveled to the Middle East, meeting with military commanders and frontline forces, while back in Washington, they engaged not only the administration officials responsible for Iraq, but also think tank scholars, reporters, and visiting foreign leaders.

These interactions both convinced them that White House claims about the war’s progress were mistaken and brought them into contact with dissidents, inside and outside government, who were arguing for an alternative strategy—a population-centric counterinsurgency campaign, backed by more forces. McCain, Lieberman and a few others then used the congressional bully pulpit to advocate for this approach, which the Bush Administration eventually embraced. The result was the 2007 “surge” that stabilized Iraq.

Of course not all ideas emanating from Capitol Hill are good ones, to put it mildly. Nor is it the appropriate role of Congress to micromanage the day-to-day conduct of a war through binding legislation.

Rather, the mission of Congress should be to provide smart, determined oversight—asking tough, well-informed questions, illuminating and demanding accountability for failures, and encouraging fresh thinking. To that end, members must be willing to invest the considerable time and effort to develop deep expertise in national security, especially around the conflicts we are fighting.

Congress is also unique in its authority to peer through the cloud of secrecy that otherwise necessarily cloaks much of the conduct of war. This is all the more critical given the natural tendency of the executive branch under every administration—like any bureaucracy—to convince itself that whatever it is doing is working and that patience will ultimately vindicate the existing approach.

Advocates of a new authorization for use of military force sometimes argue that the authorization process itself—including some sort of periodic renewal mechanism—is the best guarantor for this kind of congressional overwatch. Unfortunately, this is mistaken.

On the contrary, past AUMF debates are striking for their failure to have anticipated the problems that arose in the conflicts they authorized. Current congressional deliberations around a new statute also don’t inspire much confidence in this respect: Those debates have focused thus far on procedural questions while neglecting the substantive issues about the wars the resolution would endorse.

Nor should intensive congressional scrutiny take place only every few years. Rather, it is a continuous responsibility for Congress that should be pursued independent from any AUMF mechanism. Members should be traveling and investigating, talking to experts, fleshing out alternative ideas, and working with executive branch officials and military leaders to improve the conduct of operations critical to our national security.

Too little of this seems to be happening now; late last year, after the combat deaths of four servicemembers in Niger, many legislators admitted they did not know U.S. troops were deployed there.

None of this is to diminish the constitutional case for passing a new authorization for the use of military force. But lawmakers owe our warfighters and our citizens more than an updated AUMF. It is knowledgeable, constructive oversight of today’s wars that is the most impactful contribution that Congress can make to our national security—and failure to provide it, an even more problematic abdication of responsibility.

(Via Lawfare – Hard National Security Choices)

I tried to cut this down for citation. I failed. Read it all.

An Example of Deterrence in Cyberspace:

In 2016, the US was successfully deterred from attacking Russia in cyberspace because of fears of Russian capabilities against the US.

I have two citations for this. The first is from the book Russian Roulette: The Inside Story of Putin’s War on America and the Election of Donald Trump, by Michael Isikoff and David Corn. Here’s the quote:

The principals did discuss cyber responses. The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings. The United States was telling Russia this sort of meddling was unacceptable. If Washington engaged in the same type of covert combat, some of the principals believed, Washington’s demand would mean nothing, and there could be an escalation in cyber warfare. There were concerns that the United States would have more to lose in all-out cyberwar.

“If we got into a tit-for-tat on cyber with the Russians, it would not be to our advantage,” a participant later remarked. “They could do more to damage us in a cyber war or have a greater impact.” In one of the meetings, Clapper said he was worried that Russia might respond with cyberattacks against America’s critical infrastructure — and possibly shut down the electrical grid.

The second is from the book The World as It Is, by President Obama’s deputy national security advisor Ben Rhodes. Here’s the New York Times writing about the book.

Mr. Rhodes writes he did not learn about the F.B.I. investigation until after leaving office, and then from the news media. Mr. Obama did not impose sanctions on Russia in retaliation for the meddling before the election because he believed it might prompt Moscow into hacking into Election Day vote tabulations. Mr. Obama did impose sanctions after the election but Mr. Rhodes’s suggestion that the targets include President Vladimir V. Putin was rebuffed on the theory that such a move would go too far.

When people try to claim that there’s no such thing as deterrence in cyberspace, this serves as a counterexample.

(Via Schneier on Security)

Well said and cited.

The Bleak State of Federal Government Cybersecurity | WIRED

It’s a truism by now that the federal government struggles with cybersecurity, but a recent report by the White House’s Office of Management and Budget reinforces the dire need for change across dozens of agencies. Of the 96 federal agencies it assessed, it deemed 74 percent either “At Risk” or “High Risk,” meaning that they need crucial and immediate improvements.

While the OMB findings shouldn’t come as a complete shock, given previous bleak assessments—not to mention devastating government data breaches—the stats are jarring nonetheless. Not only are so many agencies vulnerable, but over half lack even the ability to determine what software runs on their systems. And only one in four agencies could confirm that they have the capability to detect and investigate signs of a data breach, meaning that the vast majority are essentially flying blind. “Federal agencies do not have the visibility into their networks to effectively detect data exfiltration attempts and respond to cybersecurity incidents,” the report states bluntly.

Perhaps most troubling of all: In 38 percent of government cybersecurity incidents, the relevant agency never identifies the “attack vector,” meaning it never learns how a hacker perpetrated an attack. “That’s definitely problematic,” says Chris Wysopal, CTO of the software auditing firm Veracode. “The whole key of incident response is understanding what happened. If you can’t plug the hole the attacker is just going to come back in again.”

(Via Wired)

This isn’t just my tax $ failing to protect me, it’s all Americans and residents and taxpayers whose tax money fails to protect them as well.

Makes one think more critically about the Executive Branch deciding that there is no need for key cybersecurity jobs, including the Coordinator position. It also makes one wonder if the States, like California, New York, and Texas, can together force better Federal cybersecurity through legal action.

Cyber security: We need a better plan to deter hacker attacks says US:

The US needs to fundamentally rethink its strategies for stopping cyber attacks and should develop a tailored approach to deterring each of its key adversaries, according to a new government report.

The report published by the US State Department — like a recent paper on botnets — comes in response to an executive order signed by President Donald Trump last year, which called for a report “on the nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”

The report said that while the US has become dependent upon sophisticated networked information systems, its rivals have been learning to exploit that dependence to “steal from Americans, disrupt their lives, and create insecurity domestically and instability internationally.”

The cyber threat posed by rival states — and by Russia, China, Iran and North Korea in particular — is often alluded to by intelligence agencies, but the US and its allies have struggled to find a way to deter these cyber intrusions.

The unclassified cyber-deterrence overview published by the State Department doesn’t mention particular countries, but said that strategies for deterring malicious cyber activities “require a fundamental rethinking”. The report said that the US has made efforts to promote a framework for “responsible state behaviour in cyberspace”, but noted that this has not stopped state-sponsored cyber incidents.

“The United States and its likeminded partners must be able to deter destabilizing state conduct in cyberspace,” the State Department warned.

Of course, the US has plenty of military muscle should it come to full-on cyberwarfare, but it’s much harder to tackle cyber attacks that don’t necessarily deserve an armed response — which make up the majority of attacks.

The report said the US should develop a broader menu of consequences that it can impose following a significant cyber incident. The US should also take steps to make it easier to prove who is behind cyber attacks, it said.

Another big problem is the poor state of cyber security. “Efforts to deter state and non-state actors alike are also hindered by the fact that, despite significant public and private investments in cybersecurity, finding and exploiting cyber vulnerabilities remains relatively easy,” the report said.

“Credibly demonstrating that the United States is capable of imposing significant costs on those who carry out such activities is indispensable to maintaining and strengthening deterrence,” the report added.

According to the State Department, the three key elements of cyber deterrence should include:

  • Creating a policy for when the United States will impose consequences: The policy should provide criteria for the types of malicious cyber activities that the US government will seek to deter. The outlines of this policy must be communicated publicly and privately in order for it to have a deterrent effect.
  • Developing a range of consequences: There should be “swift, costly, and transparent consequences” that the US can impose in response to attacks below the threshold of the use of force.
  • Building partnerships: Other states should work in partnership with the US through intelligence sharing or supporting claims of attribution.

(Via Latest Topic for ZDNet in security)

Curious what your take is on this, Dear Friends.

I’m not sure how the State Department, the U.S. government’s diplomats, think that this kind of response is workable diplomatically. Maybe it is in the report, which I have yet to read. But who needs context to respond?

Both the US’s Cloud Act and Europe’s GDPR Move Far Beyond Geography, but Will Not Solve Transatlantic Jurisdictional Conflicts:

It is obvious that not only is “extraterritoriality not a bad word”, but that it is the necessary and realistic answer to the problems that characterize a world that is increasingly globally connected. But that means that just as European users should have the right to enjoy European privacy standards when they use one of the many websites operated from the U.S., so should the U.S. government have the right to access data in the control of a U.S. company regarding a U.S. resident who is suspected of committing a crime within the U.S., as was the issue in the Microsoft – Ireland case. Due to the GDPR and the Cloud Act, both forms of extraterritorial jurisdiction are, at the moment, legal reality. It makes little sense to vilify the Cloud Act while glorifying GDPR.

However, it is also obvious that both regulatory frameworks are determined by political interests, which works against their de facto reciprocity. On the one hand, the data controller argument employed in the Cloud Act comes especially handy to the US, which is the country where most Internet-based platforms headquarter. One might even argue that the data controller argument employed by the nation that hosts Silicon Valley actually might bring about de facto global enforcement jurisdiction. On the other hand, the approach of objective territory that is pursued by the EU regarding article 48 of the GDPR might be outdated and not make much sense, but it is aligned with the EU’s economic interest to become a data safe haven.

These conflicts of interest and corresponding jurisdictional conflicts will inevitably be the source of tensions between the EU and the US. Surely, the best solution would be to formulate coherent and unequivocal principles of extraterritorial jurisdictions that are developed not unilaterally, but in transnational collaboration. Such a formulation must not rely on notions relating to geography alone, but also more subtle categories, such as the nature of the data requested, respectively protected data, the nature of the crimes committed, the strength of interest that a nation might have in regulating or accessing data, and the consideration of different degrees of regulation in different countries.

(Via Just Security)

24 Million Americans Don’t Have Access to Broadband—Why Isn’t It an Election Issue? – Motherboard

Yet few candidates, from local mayoral races all the way up to the Senate, provide lip service to the fact that millions of Americans still lack access to broadband, and even fewer flesh out a robust policy to address it. At a time when politics is more divisive than ever, basic issues such as access to the internet are being overshadowed by the massive ideological clashes happening across the country.

“If you were to ask people what issues they’re voting on, first and foremost they would say ‘pro-Trump or anti-Trump,’” said Susan Boser, the Democratic candidate seeking to replace Republican House Member Glenn Thompson in Pennsylvania. “Next would be guns and abortion, then the needs of the area, which are jobs and the opioid epidemic.”

Boser told me a lack of access to broadband is a huge problem in her district, which is a large, predominantly rural swath along the northwestern edge of the state; its largest town, Indiana, has a population of less than 15,000.

(Via Motherboard)

This is not an insignificant number of people even as a percentage of the population. And this issue has the added advantages of:

  • No political polarization
  • No impact on either moral, ethical, or religious issues
  • Good for the economy
  • Relatively easy to address and can be done relatively quickly, if the community will is there

And yet …

In Tennessee, broadband access has faced progress and setbacks. Chattanooga found economic revival after building city-owned gigabit internet, but was quickly prohibited from expanding the network to surrounding communities because of a Telecom-backed state law. Efforts to fight those limits have failed, making it difficult for municipal internet providers to expand and offer services to smaller communities.

A Tennessee Democratic Party spokesperson told me the broadband battle is being drowned out by more contentious rhetoric.

“We’ve got a governor race with a highly contested Republican primary, so you’ve got all those candidates out there with television ads focused on immigration and other issues,” he told me over the phone. “That’s where voter attention is at the moment.”

So many people get wrapped up in causes they can’t hope to impact, to the exclusion of local issues they can impact.

BTW, I’ve used the Chattanooga broadband many times. It is awesome and puts Comcast’s bizarrely named product to shame. The cynic in me sees why Telecom companies fear such implementations and thus oppose them.

Free eBook site Project Gutenberg Blocks German Visitors over Court Ruling:

Offering translations of your site in other languages may be risky

As a web site owner, an interesting point to take away from this lawsuit is that offering your site in languages other than your primary one could cause you to fall under another country’s jurisdiction. While Project Gutenberg offered other languages as a convenience to non-USA visitors, the German court’s ruling clearly shows that having a German translation led them to feel that the site was targeting German citizens.

With scripts available that automatically translate a site into another language, many web site owners have used them as a convenience to their visitors. While these translations were often confusing and potentially not accurate, web site owners found them to still be useful for visitors from other countries.

With rulings like this one, web site owners may start to think differently about offering their site in other languages for fear of falling under another country’s legal system.

(Via Latest news and stories from BleepingComputer.com)

This whole story is absurd. Do read the article. There is so much to unpack in this dispute. Sadly, Project Gutenberg’s approach of going dark in Germany, while somewhat passive-aggressive, might be the first example of the most effective way to get serious comprehensive reform, where citizen users make the change happen.

Before U.S. citizens get too “holier than thou”, remember that Congress keeps pushing out when certain properties become public domain.