Anti-Hacker Executive Order: 5 ConcernsSecurity Experts Sound Attribution, Retribution Warnings
President Barack Obama says the ongoing increase in hack attacks against U.S. businesses, government agencies and critical infrastructure represents a "national emergency." As a result, he signed an executive order authorizing the U.S. government to block or seize the assets of anyone - foreign or domestic - who launches or supports "significant" hack attacks (see Will Executive Order Impact Cybercrime?).
Numerous information security and legal experts agree that not only are hack attacks damaging the U.S. economy, but they're harder than ever to battle. "Coordinated government action, both nationally and internationally, is urgently needed to attack those elements of the global cybercrime infrastructure that only persist due to the complicity of corrupt officials and unscrupulous businesses that turn a blind eye to cybercrime," says Stephen Cobb, a senior security researcher at Slovakia-based information security vendor ESET.
But when it comes to how the new executive order will be used to battle cybercrime and online espionage, many security experts say the moves leave many unanswered questions. Here are five of their chief concerns:
1. Evidentiary Requirements
White House Cybersecurity Coordinator Michael Daniel, in an April 1 press call, said the executive order is meant to expand the "spectrum of tools" the government can use to battle cyber-attacks, by supplementing current diplomatic, economic, intelligence, law enforcement and military options. "What we're trying to do is enable us to have a new way of deterring and imposing costs on malicious cyber actors, wherever they might be," he said.
The executive order, reportedly two years in the making, sees the government continuing to take a more aggressive stance against hack attacks, for example by indicting in May 2014 five Chinese military officers for stealing U.S. intellectual property via hacking (see U.S. Charges 5 Chinese with Hacking).
But the order will now allow federal prosecutors - working with the Department of the Treasury and the Secretary of State - to seize individual's assets without due process. "It allows the government to bypass due process and seize the assets of anybody suspected of hacking," says Robert David Graham, head of offensive security research firm Errata Security, in a blog post. "The federal government already widely abuses 'asset forfeiture' laws, seizing a billion dollars annually," he says. "This executive order expands such activities - although freezing isn't quite the same as forfeiture."
In response to related questions, Daniel noted that before imposing anti-hacker sanctions, U.S. officials must satisfy the evidence-gathering rules of the Administrative Procedure Act, which governs the internal procedures of the U.S. government's administrative agencies. Those stipulate that the administration must satisfy "reasonable cause" evidence requirements.
2. First Targets?
Daniel declined to say if the White House had already drawn up a target list for anti-hacking sanctions. But many security experts suspect such sanctions would begin with China. "Presumably, in the next few weeks, we'll see announcements from the [Treasury] Department seizing assets from Chinese companies known to have stolen intellectual property via hacking," Graham says.
But then again, the administration has remained silent over the recent distributed denial-of-service attack against GitHub, which is based in San Francisco. Graham - after tracing back the attack packets - reports that "the man-in-the-middle machine attacking GitHub is located on or near the Great Firewall of China," meaning the disruption was apparently launched using Chinese government infrastructure.
3. Attribution: Private Sector Cautions
Daniel says that whenever anti-hacking sanctions get imposed, "unclassified aspects of the case" will always be published. But one unanswered question is exactly what types of information the U.S. government will rely on when attributing U.S.-targeting hack attacks. "Changes in how we respond as a country to cyber-attacks will push the difficulties in accurate attribution to the forefront," says Tim Erlin, director of security and risk at security firm Tripwire. "The U.S. will have to be very, very sure of the perpetrator before pulling the economic trigger. No doubt, any [target] of financial seizure is likely to protest that they're being incorrectly targeted."
But attribution remains incredibly difficult, as demonstrated by many information security experts continuing to question the FBI's attempt to attribute the Sony Pictures hack to North Korea. "You may be able to identify from what country an attack is routed through, but identifying who is behind the keyboard or phone is a different story altogether," says Ken Westin, a senior security analyst at Tripwire.
Furthermore, much of the government's cyber-attack intelligence comes from the private sector, warns Jeffrey Carr, CEO of counter-reconnaissance software vendor Taia Global. "Private threat intelligence companies generate intelligence as a sellable product," he says in a blog post. "For many years, blaming an attack on China was guaranteed to get them a mention in The New York Times or The Wall Street Journal, which in turn brought in new customers."
Carr cautions that the U.S. government remains too willing to take this "intelligence" at face value - rather than treating it as raw data that must be vetted - especially when it squares with White House political aims. "The U.S. government ... should never take private sector intelligence reports at face value without fully examining the evidence and watching for a plethora of cognitive biases, including the all-too-prevalent confirmation bias."
4. Smart Attackers Will React
The need to attribute attacks also begs the question of what happens if smart attackers leave false trails. "Attribution within the information security space is not nearly as easy as it sounds," says Greg Foss, a senior security engineer at security intelligence firm LogRhythm. "It is trivial for hackers to pivot through other countries and misplace blame in order to create the illusion that an attack originated from a specific location."
Such deception can be employed not just for targeted APT attacks, but also for any malware-fueled cybercrime. "Malware can - and will - be created that contains false data, to shift culpability," he says.
5. Potential for Retribution
To combat hackers, many information security experts agree that tougher measures are required. The administration has "really thought about how to make this painful to the beneficiaries" of cyber-attacks, James Lewis, a cyber expert with the Center for Strategic and International Studies, tells Associated Press. "They've gotten away with this for a long time, so making them suffer a little for stealing is a good idea."
One unanswered question about the executive order, however, is how other countries might react if their citizens or government officials are at the receiving end of U.S. sanctions. "This is essentially a cold cyberwar - we're treating cyber-attacks like any other type of attack, and reserving our right to respond with sanctions," says attorney Mark Rasch, a former U.S. Department of Justice official who created its computer crime unit. "It raises the prospect of tit-for-tat sanctions, back and forth."
That threat begs the question of who the U.S. government should - or shouldn't - try to sanction. "The most obvious targets of concern are Russia and China, but the world is economically and technologically interconnected in complex ways that make the consequences hard to predict," Tripwire's Erlin says. "Spheres of economic influence are broader than geographic borders."