SAN FRANCISCO–The growing stream of attacks in recent years against government agencies, critical infrastructure, utilities and other vital networks has led to an increasingly heated debate around the concept of active defense and targeting the people and groups behind those attacks. That debate has been going on behind closed doors in Washington for years, but it spilled out into the public during a forum on the ethics and legality of active defense at the RSA Conference here Tuesday.
The idea of either retaliating against groups that target government or other sensitive systems is essentially as old as the concepts of network security and defense themselves. It’s often discussed in the context of whether governments have the right to go after the perpetrators of such attacks, whether they be individuals, groups or even other governments. But there are a number of subtleties and conditions that play into the equation, and each incident is unique.
The question of whether the government should be using active defense never has been discussed much publicly in the United States, but the time for that discussion is now, a panel of former intelligence officials, scholars and technologists said.
“Anyone who claims to know what we should do next probably hasn’t studied the problem enough. Anything we do in active defense will automatically legitimize that technique for other regimes,” said Michael Hayden, a former director of the National Security Agency. “To prevent an overreaction, we really do have to have the discussion. It’s hard, because we haven’t had a national discussion on what our consensus is because the data on which this discussion needs to be based isn’t readily available. In my former world, we kept it overclassified. And the private industry also keeps the ball hidden.”
Several of the panelists, who also included Jim Dempsey of the Center for Democracy and Technology, Ron Deibert of the Canada Centre for Global Security Studies, James Lewis of the Center for Strategic and International Studies and Kenneth Minihan, a former director of the NSA, said that any discussion of the concept of active defense needs to take into account the differences between simply retaliating against a known attacker on the one hand and using offensive techniques to deter a potential attacker or disrupt a foreign government’s operations on the other hand.
The two may use the same techniques, but they are not the same in terms of their legal and operational considerations. One big consideration in either scenario is the question of sovereignty, Hayden said, and that question is not yet settled in the intelligence and foreign policy communities. Another problem is attribution. Using any sort of offensive technique against an actual or potential attacker depends on knowing who that attacker is, and that’s rarely a simple thing to figure out.
Deibert, who helped lead the investigation into the notorious GhostNet attacks a few years ago, used the example of the DDoS attacks against some Georgian government sites several years ago that were, at the time, attributed to the Russian government or attackers working on their behalf. Proof of such responsibility is hard to come by, and Deibert said that after the attacks, he and other researchers were able to register one of the domains formerly used by one of the botnets in the attacks. What they found was that many of the machines used in the attacks were located in Germany and the U.S.
Hayden, who was director of the NSA during the early 2000s and later the director of national intelligence, said that his former agency possesses unique capabilities that shouldn’t be kept idle due to a lack of political will or unease with the concept of attacking back.
“My instinct is that the NSA represents too much capacity to be on the sidelines of the issue with not even their helmets on,” Hayden said. “I’m comfortable with a dialogue that says, how do we want to get this team on the field.”
Minihan, Hayden’s predecessor at NSA, agreed.
“I’m not as patient as some people. We need to get this done,” Minihan said.
Dempsey of the CDT said that some of the discussion about active defense and attacking back is moot, given the fact that this activity is already happening, and has been for years.
“The fact is, industry is doing active defense and has been for years,” he said. “They’ve been steadily increasing the scope and nature of it. The military has a role to play, but it’s not in supplanting what industry does.”
