Export Compliance Daily is a Warren News publication.
Good Idea?

Sen. Whitehouse Pushes for Dialogue on Controversial Hack-Back for Industry

The private sector might benefit from hack-back authority, a controversial concept exempting the private sector from cyber prosecution when it acts in self-defense, said Sen. Sheldon Whitehouse, D-R.I., Tuesday. His comments came the day after Microsoft announced action taken against Russia-linked hackers attempting to exploit visitors to websites of the Senate and conservative think tanks.

Speaking at a Senate Crime and Terrorism Subcommittee hearing, Whitehouse conceded he’s not sure hacking back is a good idea but said it might not be a bad idea, given the default right now is to “do nothing.” The House’s Active Cyber Defense Certainty Act (HR-4036) would allow private companies to hack back. Southern Company CEO Thomas Fanning, who testified, told Whitehouse if the federal government supports the concept, the onus should be on the DOD, not industry.

Sen. Richard Blumenthal, D-Conn., who testified on a separate panel, told us: “Our public authorities, particularly [U.S.] Cyber Command, need to strike back, and we need to use all the tools we have under Cyber Command, which is the reason why we established it in the National Defense Authorization Act. I think hacking back has to be really thought through before it’s really considered. It has a lot of disadvantages as well as potential advantages.”

Subcommittee Chairman Lindsey Graham, R-S.C., said Microsoft’s announcement is clear evidence Republicans are making a mistake if they don’t think they’re targets of Russian adversaries. Russians are trying to undermine democratic systems of government, Graham said. Sen. Amy Klobuchar, D-Minn., agreed, saying the threat isn't about one party over another.

Sen. James Lankford, R-Okla., who testified with Blumenthal, said the threat isn't isolated to Russia, citing examples of Iran, North Korea and China demonstrating effective infrastructure attacks, plus various international and domestic actors working independently. Hackers can be hired at will on the dark web, he said, arguing the U.S. desperately needs a fresh look at cyber policies.

Blumenthal urged “sanctions from hell,” so Russian actors face real deterrents. Cyberattacks like those Microsoft addressed are acts of war, he said, and the U.S. needs to fight “fire with fire.” He backed more declassification of information so the public and industry have a better understanding of the threat.

Three officials testifying together -- Associate Deputy Attorney General Sujit Raman; Office of the Director of National Intelligence Cyber Threat Intelligence Integration Center Deputy Director Michael Moss; and Department of Homeland Security National Protection and Programs Directorate National Risk Management Center Director Robert Kolasky -- agreed declassifying more information could be beneficial. DHS is working to get people more access to classified information through the Private Sector Clearance Program for Critical Infrastructure, Kolasky said. Moss said he agreed “completely” with Kolasky, and Raman “concurred.”