Security officials these days are anything but shy when they describe the dangers facing the United States in cyberspace.
“We’re in the midst, I think we all know, of a global cyber pandemic,” the National Security Agency’s top lawyer warned at a conference last week.
And NSA General Counsel Glenn Gerstell did not stop there.
“I think it’s probably fair to say it’s going to get worse before it gets better,” he added. “The opportunities for cyber mischief are increasing at a great rate… The opportunities for our ability to defend against it are not increasing at the same rate.”
The costs are significant.
The Federal Bureau of Investigation’s Internet Crime Complaint Center took in more than 351,000 complaints in 2018, the last full year for which data is available, with losses to companies and individuals topping $2.7 billion.
And officials are quick to point out, those are only the cases they know about. Many go unreported. And the potential impact is not insignificant.
U.S. officials have described the country’s economy as a “cross-cutting” of various systems that have been integrated into a “common fabric.” But they say U.S. adversaries, like China, see a web of interconnected targets, much of which is not within the purview of U.S. government agencies.
“Much of what we care about in the U.S. is in private hands,” said Tonya Ugoretz, the deputy assistant director for cyber, at the Federal Bureau of Investigation.
“There’s no shortage of vulnerabilities and opportunities for malicious actors,” she added, speaking this past week at a security conference. “We see that landscape only growing in complexity.”
Smart devices vulnerabilities
A chief concern is what is often referred to as the Internet of Things (IoT), which include a whole host of so-called smart devices, from mobile phones to refrigerators to teddy bears, that are connected to the internet.
While being able to use a smart phone to talk to a refrigerator to figure out what to pick up at the grocery store may be convenient, it can also be risky. A criminal who can hack into the home network and the refrigerator could theoretically use that opening to access a bank account or other sensitive material.
When experts add in the impact of new and growing technologies, like artificial intelligence or 5G wireless networks, many see danger.
“It’s increasing the opportunities or the attack surfaces, as military folks like to call it, for mischief,” according to the NSA’s Gerstell. “That’s increasing at an extraordinary, breathtaking rate.”
Defending the growing target list for cyberattacks is difficult, as is undoing the damage.
While the U.S. has had some success in recovering lost or stolen funds — the FBI reported a recovery rate of about 75% in 2018 — the damage from stolen data or trade secrets can linger.
At the same time, there is a growing frustration especially among private sector companies that the U.S. government is holding them back from taking more aggressive, and perhaps more effective, action.
“What they are facing is not just routine criminal activity but it's often blended, that the criminals are linked to nation states and that nation states are increasingly conducting criminal activities,” said John Carlin, a former assistant attorney general with the U.S. Department of Justice, who now represents companies that have been victimized by cyberattacks.
“They are neither permitted because of the national security implications to take steps on their own to disrupt attacks that are occurring or to take acts to collect information outside of their networks,” he said. “Nor are they getting additional actionable intelligence on the front end of the threat so that they can take precautionary steps to protect themselves.”
As a result, there has been persistent talk that companies should be allowed to “hack back,” to track and retaliate against cyber actors who have targeted them.
There are already indications that companies are going after their attackers.
“There are signs it is going on in an international sort of emerging market for what you might call defense services,” according to Wyatt Hoffman with the Carnegie Endowment for International Peace’s Cyber Policy Initiative.
“Much of the evidence is anecdotal,” he said. “But there is evidence that, for instance, in the financial sector in different parts of the world, there are banks that will hire firms to do kind of server take down services where if they're if they're suffering from a [denial of service] attack or a persistent threat, they'll hire a firm in a jurisdiction where it's a little more permissive.”
For now, such “hack backs” are not legal in the U.S. and attempts by lawmakers to make it legal have not gained sufficient traction in Congress.
U.S. government officials also continue to request that any companies that suspect they have been hacked contact law enforcement.
“Most of the studies I've seen suggest that the average time it takes to discover a data breach is about six months, certainly months,” Deputy Assistant Attorney General Adam Hickey said during a recent panel discussion on hacking back.
“The odds that the hackers will have transferred it [the data] only once to an identified IP address and left it there without copying it or removing it from the United States in that time strikes me as very, very unlikely,” he added.
Some software providers agree, and have joined with government officials to warn companies against taking matters into their own hands.
“It just doesn’t work,” said Rich Boscovich with Microsoft’s, Digital Crime Unit, warning of unintended consequences. “The liability there is enormous. So, hacking back is not something that you want to do."