An announcement by UK government in late 2016 placed some legitimacy on using offensive tactics in security actions. Dan Raywood looks at the details of a groundbreaking strategy, what precedent there is and how “hacking back” can be used
Recall the scene from 1987’s The Untouchables. Eliot Ness and Officer Malone discuss the only way to overcome the adversary of Al Capone with the memorable line: “They pull a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue.”
If you’re prepared to attack back, you need to be able to hit the other side harder than they hit you, and you always have to be ready to be hit with the best you have got. Transfer this away from Chicago crime bosses and the law and into the world of cybersecurity, and you have a case of attackers and defenders. Yet there are rare examples of those being attacked actually taking the fight back to the attacker.
When to Fight Back
While there are likely individuals who would fight back, it can take an extreme circumstance for a private sector company or even a government to take retaliatory action. However, in November 2016, the UK government announced the launch of the second National Cyber Security Strategy which took a stance upon offensive security with an official line on “hacking back”.
The first strategy to be launched under Prime Minister Theresa May and second overall by the UK government, Chancellor Philip Hammond says that it “will offer a dedicated and outward-facing authority on cybersecurity issues”.
He adds: “If we do not have the ability to respond in cyberspace to an attack which takes down our power network – leaving us in darkness or hits our air traffic control system grounding our planes – we would be left with the impossible choice of turning the other cheek, ignoring the devastating consequences, or resorting to a military response.”
Hammond, who is also a member of the National Security Council, says that even though David Cameron’s government invested £860 million over five years to significantly enhance government networks, improve incident response and tackle cybercrime, it would continue to invest in “our offensive cyber capabilities, because the ability to detect, trace and retaliate in kind is likely to be the best deterrent”.
He says: “We need to develop a fully functioning and operational cyber counter-attack capability. There is no doubt in my mind that the precursor to any future state-on-state conflict would be a campaign of escalating cyber-attacks, to break down our defenses and test our resolve before the first shot is fired. Kinetic attacks carry huge risk of retaliation and may breach international law.
“But in cyber-space those who want to harm us appear to think they can act both scalably and deniably. It is our duty to demonstrate that they cannot act with impunity. So we will not only defend ourselves in cyberspace; we will strike back in kind when we are attacked.”
This is particularly interesting, as it is a rare instance of a government stating that it will take action to “strike back”. Dave Willson is an attorney and risk and security consultant at Titan Info Security, and he argues that striking back is “not something that most companies can do on their own”; it’s something that requires a team of experts, and an attorney who understands these types of issues, laws and technologies, as well as someone who can analyze the malware.
“You need someone who understands the trace back and the anonymizers, and a team with very specific skills, that can do different pieces of this,” he explains. “My approach would be an incremental one where we evaluate the scenario and ask why the company feels the need to hack back. Granted in most cases, their attitude is going to be because they want retribution and that is not lawful: there has to be a persistent attack.”
A Sea Change
David Venable, an ex-NSA intelligence officer and VP cybersecurity at Masergy, says that an attack back would be more of a military operation, but this is where defense is going in the next few years. He believes that this is a very different stance than some western countries have previously had, and countries reserve the right to respond via different means, but after John Kerry (former Secretary of State) spoke about hacking back, we are seeing a sea change.
In the UK cybersecurity strategy itself, the mentions of offensive capabilities were not prominent, probably because “offensive cyber capabilities involve deliberate intrusions into opponents’ systems or networks, with the intention of causing damage, disruption or destruction”.
The intention of the UK government is to “have at our disposal appropriate offensive cyber capabilities that can be deployed at a time and place of our choosing, for both deterrence and operational purposes, in accordance with national and international law”.
The news was welcomed by some. Bharat Mistry, cybersecurity consultant at Trend Micro, says the UK needs to shore up its cyber defense capability and move to an offensive position. “This will not only send a clear message that the UK is not to be messed with, especially in the light of Brexit, it will also protect the UK’s reputation as the biggest technology Hub in Europe for innovation and technology for new start-ups.”
The statement on its use at the choosing of government had a certain ambiguity to it, and in a statement issued to Infosecurity, a spokesman for the National Cyber Security Centre (NCSC) points out that “while we do not routinely comment on specific details of offensive cyber operations, these offensive cyber capabilities will be deployed in accordance with domestic and international law”.
Although it is no surprise that law is being abided by, it is important to know what the government determines to be an ‘offensive cyber capability’.
Following the Footsteps of Others
The UK is far from the first government to take offensive action in cyber-space: in April 2016 The Register reported that Australia was running an offensive cyber-operations team. Prime Minister Malcolm Turnbull said that Australia's offensive security capabilities are a much-needed deterrent to those who would attack the nation adding it is deployed under stringent oversight.
In Australia’s case, Turnbull said that “an offensive cybersecurity capability housed in the Australian Signals Directorate provides another option for governments to respond”, and again clarified that “the use of such a capability is subject to stringent legal oversight and is consistent with our support for the international rules-based order, and our obligations under international law”.
Turnbull also claimed that the “offensive capability adds a level of deterrence, it adds to our credibility as we promote norms of good behavior on the international stage”. Investment in the UK National Offensive Cyber Programme (NOCP), a partnership between the Ministry of Defence and GCHQ will harness the skills and talents of both entities to deliver tools and techniques, and develop offensive capabilities both by government and by the armed forces.
The spokesman for the NCSC says that the “counter-Daesh campaign was the first campaign in which the Armed Forces had used offensive cyber capabilities”, and while The Ministry of Defence did not respond to a comment request on how and when offensive capabilities will be used, the NCSC did confirm that the MoD’s Cyber Security Operations Centre (CSOC) will be a dedicated facility staffed by experts that utilizes state-of-the-art defensive cyber capabilities to protect the MOD’s cyberspace from malicious actors.
It’s not About Retribution
The capability to strike back is all very well, but the particular problem in “cyber space” is that knowing who is responsible and who deserves the virtual attack back cannot be done incorrectly. Willson says that “you have to be very careful to be sure you’ve done all of your homework and done all of your investigative work” in such an operation, and he said that the final decision is one done by leadership who determines the way forward.
“That is the way you run a military operation as then the commander says you need more intelligence to move forward, and move along that path incrementally and develop tools to orchestrate whatever it is you’re going to do.”
However, he is keen to point out that it is not about retribution, but it is about stopping the attack. He says that in a scenario where the attacks may escalate, you do not want to do something to anger the attacker, so it is not about attacking the network and frying their machine as that doesn’t help you in that regard, and that is why attribution is not that important.
“If I am the company owner and my goal ‘is we’re being damaged, we’re losing money, we need to make this stop’, you trace back as far as you can and identify the server being used to attack you and identify the owner, you tell them and if they tell you to go away, then you hit them back. But the likelihood is it is not just attacking you but 100 other companies too, and you tell them how much damage you’re causing everyone.”
Willson says that if you cannot identify who owns the server then, in his opinion, you have a right to go ahead and block the attack and look to disable whatever it is that is being used on the server to attack you.
He adds: “It could be considered a potential violation of the CFAA if you gained unlawful access to the server, but that is a decision leadership needs to make based on the justification of the attacks.
“You have to be very careful to be sure you’ve done all of your homework and done all of your investigative work so that is why in this process, it is a leadership decisions and go to them with information and how do we move forward? That is the way you run a military operation, and when the commander says you need more intelligence or move forward, you move along that path incrementally and develop tools to orchestrate whatever it is you’re going to do.”
Stewart A Baker is a partner at Steptoe & Johnson LLP and a former first Assistant Secretary for Policy at the Department of Homeland Security. He argues that instances like hacking back were “increasingly common” and he was not surprised that the UK government was taking this stance, as attacks are hitting networks and “the only thing to do is threaten attacks in kind”.
Baker comments that attribution “is the bug bear of people” as it suggests that the people attacking back are no better than the attackers, but also that Governments cannot resist the pressure to respond to these types of attacks as they become more common.
The Final Option?
Is hacking back the final option in a dispute? Baker believes there are three possibilities: that you could surrender, but surrendering to a relative third rate power is deeply unattractive as everyone has some capability; or to let people launch their own attacks when they are under attack and if their government “abandoned them”. The last possibility is when a government, through democratic pressure, is persuaded that it cannot tolerate attacks and has to exercise some option to stop the attack, and doesn’t have any other option but to attack back.
“So my guess is Governments are simply not able to resist pressure to respond to these types of attacks as they become more common, and they become more common because they work,” Baker says.
Baker, who describes this as “a 21st century diplomatic problem that we will be struggling with for years”, believes that the problem is not with the knowledge or tools, but in the will to do it as there is a reluctance to acknowledge how bad things are. He refers to Stanley Baldwin’s 1932 speech to the UK Parliament, which claimed that “the bomber will always get through” and “the only defense is in offence”. Baker adds that now we know where offense beats defense every day and in that instance, “it all came from an effort to prevent an exchange of ever more punitive uses of offensive weaponry and the complete failure of that model from the point of view of those on the receiving end”.
He says: “We know this is not a situation where there is massive disparity with offense and defense, and it doesn’t usually end well. Everyone does what is logical and sooner or later there is an escalation that makes everybody miserable, even if it doesn’t resolve the conflict.”
Asked if the escalation of attacks is a concern, Baker says that there would be “to and fro as it is an asymmetric weapon”, and it would become a contest about which country is likely to last longer.
If the capability to use an online attack is one of offense, is it the case that this is about providing deterrence by ensuring that your enemy is aware of your capability? Venable agreed, and adds that offensive cyber capabilities are as much about deterrence as direct operations.
“We are starting to see a lot of use of politically or strategically-driven information and offensive cyber, especially with the Democratic National Committee hack,” he explains. “Having the capability is important, but more advanced countries have this, and it strikes me as deterrence than anything else.”
Venable also mentions that “escalation is a possibility and not that far-fetched”, leading back to the start of this article and the concept of escalating attacks in the case of hacking back.
Hammond says that any future state-on-state conflict would be a campaign of escalating cyber-attacks “to break down our defenses and test our resolve before the first shot is fired.” If state-on-state attacks are the way forward of military operations, it does seem to be on particularly dodgy ground regarding the level of intelligence required for attribution, and on dealing with escalating hack backs.
The UK government’s efforts were certainly eye-opening, but with the move of CERT-UK into the National Cyber Security Centre, it seems that it was prepared for questions about the new capability.