The U.S. military has a simple message for cybersecurity companies that want to fight against the hackers pummeling the U.S.: Back off.
“That’s something you want your government doing,” Rob Joyce, the director of cybersecurity at the National Security Agency, said on Wednesday at the Aspen Cyber Summit in New York, offering the government’s latest rebuke to a controversial proposal that has sparked an enduring debate.
As the number and severity of cyberattacks on U.S. businesses increase, some cybersecurity executives have argued that the government is missing an opportunity by barring most private companies from entering the fray against ransomware gangs and foreign adversaries. Under current law, only military service members and a few designated contractors such as Raytheon and Lockheed Martin can perform federally sanctioned hacks, which are governed by strict laws to prevent dangerous blowback.
Already, some firms that help victims recover from cyberattacks have waded into a gray area, engaging in activities that have been dubbed “hacking back” — like corrupting hackers’ computer servers to erase victims’ stolen data. But some companies want legal permission to take those aggressive operations a step further, initiating attacks on foreign governments and businesses to steal information and shut down infrastructure to support the U.S. government’s agenda.
But national security officials dread that idea. They argue that companies aren’t in a position to understand all of the potential ripple effects of their actions. “We see all the time that there are unwitting victims who are used in these attacks,” Joyce said, referring to the owners of computer servers that hackers commandeer. He said it would be very dangerous for the U.S. to let private companies attack and potentially damage those servers.
“I really believe it’s an inherently governmental activity. … That’s why we haven’t seen a policy willingness to bring the private sector into that space,” said Joyce, one of the government’s most experienced cyber officials after stints leading the NSA’s top hacking unit and overseeing cyber policy in the Trump administration.
Many cybersecurity experts have panned the idea of companies launching cyberattacks, saying it would essentially turn cyberspace into the Wild West, inviting retaliation against U.S. businesses and dramatically increasing the chances of conflicts escalating uncontrollably. Nevertheless, some companies are still pushing to authorize these operations, and they win occasional support from lawmakers who are deeply frustrated with the government’s failure to stem the tide of attacks and the U.S.’ preference for a primarily defensive strategy.
On Wednesday, Joyce defended that position, noting that America’s formidable arsenal of offensive technology hasn’t done much to dissuade adversaries like Russia and China. They “know that we have some of, if not the most, capable cyber [tools] on the globe,” Joyce said, “and it doesn’t stop them from doing these acts.”