President Obama just signed a new executive order that authorized the US to use financial sanctions against malicious overseas hackers and companies that knowingly benefit from the fruits of cyberespionage. While this sounds like a reasonable approach to getting tough with hackers outside the US, the execution of it may be more complicated.
Below are comments from three Tripwire staff: Ken Westin, Security Analyst; Lane Thames, software development engineer and security researcher; and Tim Erlin, director of IT security and risk strategy:
Ken Westin, Security Analyst for Tripwire, says: “The primary objective of the order is to place sanctions on criminal hackers targeting American infrastructure and businesses from outside the U.S. The order gives authority to freeze assets and more power to block potential threats from the U.S. The order not only covers the harming of U.S. infrastructure, but also covers the stealing of intellectual property from American companies, as well as committing fraud against citizens, all of which hurt the U.S. economy. A while back, with the plague of retail breaches that have hit US retailers, I felt we should look at this not just as individual breaches, but as a wholesale attack against our financial system. Many of those involved in these activities are overseas and are able to operate with impunity within the borders of countries who shield them from US prosecution, and many of these actors also work within these governments.
We have seen robocallers from outside the US, using VOIP networks, defraud people by claiming to be from the IRS, successfully scaring people, particularly senior citizens, into giving them credit card numbers. The perpetrators of these acts have been able to get away with it due to available technologies that make it easy to evade detection.
I believe it is the goal of the Obama administration with this order to give the US government more power to go after criminal syndicates and fraudsters overseas. The challenge, however, will still be attribution: you may be able to identify what country an attack is routed through, but identifying who is behind the keyboard or phone is a different story altogether. One of the reasons cyber attacks and technology-enabled fraud have been so prevalent is the ease of evading detection and the relative anonymity that a number of available tools provide. It will be interesting to see how the Obama administration looks to enforce this act and what resources will be applied to implement it.” --Ken Westin, Security Analyst at Tripwire
Lane Thames, software development engineer and security researcher writes: “This is an interesting order, and at this time I’m not quite sure how I feel about it because execution of this order will be very challenging. In many cases, correct execution of the order might be impossible. Why? As Tim and Ken have stated, the problem will be with attribution. In cybersecurity, attack attribution is an unsolved and very challenging research problem.
When it comes to war (think cyberwar, cyberwarfare), one must have precise attribution for the source of an attacker when countermeasures or counterattacks are put in place. Otherwise, collateral damage occurs and innocent people and/or systems are harmed. In this case, countermeasures/counterattacks could be the seizure of personal property and other financial assets for innocent people who are not involved.
One big problem that comes to my mind is botnets. Botnets control countless personal computers and laptops that belong to users who have previously been infected with malware. If these machines are used, via botnet infrastructures, to attack, say, some critical cyber infrastructure, who will be to blame? It is similar to asking if a car maker should be blamed when someone else has an auto accident. This scenario will get worse as the Internet of Things continues to expand, with countless devices connecting to the Internet. Should the government seize my bank account because my smart TV was involved in some widespread botnet-based cyber-attack because the TV manufacturer failed to provide a product with secure technology? This could quickly turn into a rabbit hole.” --Lane Thames, software development engineer and security researcher
Tim Erlin, director of IT security and risk strategy, observes: “Economic sanctions and seizures are one of the most common and effective tools the US government has to combat many types of crime originating outside the United States. This order formalizes the administration’s ability to use these tools, as the US has done in the past with other types of criminal activity. On its face, this shouldn’t be a surprising move, and it expands the options for response to a cyberattack beyond ‘do nothing,’ retaliate in kind, and military force.
Of course, pulling the sabre from the sheath and waving it about isn’t the same as actually striking. If the administration actually exercises these economic options, we’ll experience previously unknown political friction between major countries. The most obvious targets of concern are Russia and China, but the world is economically and technologically interconnected in complex ways that make the consequences hard to predict. Spheres of economic influence are broader than geographic borders.
Changes in how we respond as a country to cyberattack will push the difficulties in accurate attribution to the forefront. The US will have to be very, very sure of the perpetrator before pulling the economic trigger. No doubt, any recipient of financial seizure is likely to protest that they’re being incorrectly targeted.” --Tim Erlin, director of IT security and risk strategy