Inside Cybersecurity

May 5, 2024

National security group INSA describes potential industry role in support of offensive cyber operations

By Charlie Mitchell / April 5, 2023

The Intelligence and National Security Alliance is proposing steps to improve the private sector’s ability to assist in offensive cyber operations, including through creation of a cyber national guard and reserve force, while cautioning against encouraging companies to “hack back” against cyber attackers.

Suzanne Wilson Heckenberg, INSA president

“Developed by INSA's Cyber Council, the paper finds that the private sector is often subject to the same cyber exploitations as government agencies, and as such, they hold the expertise and technical background to preempt and orchestrate offensive retaliatory measures to cyber threat actors,” according to an INSA press release.

“This type of collaboration can be seen most demonstrably in Ukraine’s response to Russian offensive cyber operations at the start of the Russo-Ukrainian war in 2022,” INSA said. “The commercial sector’s role in keeping critical civilian infrastructure resilient against cyber operations from the Kremlin proved to be a bellwether of Ukraine’s durability throughout the war.”

The new INSA paper, “Industry Contributions to U.S. Government Offensive Cyber Operations,” was issued last week and includes five recommendations.

The paper says, “While the cyber community has extensively debated the wisdom of, and options for, industry involvement in offensive cyber operations against cyber actors, clear options have not (yet) materialized. INSA recommends several options for industry engagement, principally through public-private collaborative efforts led by multiple government agencies.”

The group recommends:

  1. Establishing a Cyber National Guard, to defend targets at the federal, state, and local levels.
  2. Creating a DOD National Digital Reserve Corps as proposed by legislation in the House of Representatives.
  3. Developing a Corporate Cyber Reserve to allow the private sector to contribute cyber capabilities to government entities.
  4. Formulating a private sector advisory committee to U.S. Cyber Command.
  5. Organizing a whole-of-nation “Cyber Manhattan Project” designed to harness the expertise of not just the commercial and technology sectors but academia and human capital, as well.

But the paper warns against promoting a “hack-back” approach, saying, “Some companies advocate ‘hacking back’ against attackers -- either to retaliate or to reclaim the data that was stolen -- but such steps are unlikely to achieve their goals and are, under current law, illegal.”

“Most companies would be averse to hack into the networks of likely perpetrators for fear of retribution and concerns about both civil and criminal liability,” it notes.

Instead, the paper says, “In many ways, the best way for the private sector to contribute to cyber offense is to contribute to defensive measures like enhanced cyber resiliency and robust incident response capabilities. Such steps would help free up federal government resources for other initiatives (including offensive operations).”

“Furthermore,” it says, “enhanced capabilities to restore critical infrastructure services could deter attacks on U.S. infrastructure by reducing the impact -- and thus the value -- of disruptive attacks.”

“Under certain configurations,” it says, “private sector cyber experts could also assist offensive cyber operations, defensive cybersecurity, and incident response as needed. Just as citizen-soldiers in the National Guard contribute, under different circumstances, to civil support missions at the state level and combat operations at the federal-level, cyber experts could similarly be mobilized by different levels of government for different missions, depending on the need.”

The paper cites the potential role of the defense industrial base, saying, “Given their significant cyber workforce, DIB companies and other commercial corporations are well positioned to assist the government in executing offensive operations, implementing retaliatory cyber actions, or facilitating information-sharing with public and private organizations.”

It says, “Providing such assistance to the government could help prevent attacks on their own networks and enhance government’s ability to recover stolen data, mitigate damage, and restore critical services in the wake of an attack.”

The paper also suggests, “To apply infrastructure expertise to offensive goals, U.S. Cyber Command (CYBERCOM) should expand its ‘Under Advisement’ program, in which members of the Command’s Cyber National Mission Force (CNMF) share threat information with companies, from a purely defensive focus to one that uses U.S. companies’ experiences to identify vulnerabilities and points of failure in foreign countries’ critical infrastructure.”

It says, “While it is unlikely CYBERCOM would target a foreign country’s agricultural or healthcare sectors to advance national security goals, critical infrastructure that supports an adversary’s military capabilities -- such as energy or transportation -- could be legitimate targets in a conflict. Participating companies would require legal indemnification for their support -- both from the risk of lost business if a company’s ties to CYBERCOM were to be revealed and from the risk that a U.S. company could be sued for damages caused by U.S. military actors who benefited from the company’s assistance.” -- Charlie Mitchell (cmitchell@iwpnews.com)