The Biden administration is warning private digital defenders not to hack back against cyberattackers, amid a crush of breaches hammering American businesses and citizens.
Ambassador Nathaniel C. Fick told The Washington Times that neither a Wall Street bank nor a large defense contractor spending $1 billion yearly on cybersecurity can successfully fight the military and intelligence services of China, Russia, and other state-sponsored attackers.
At a Hudson Institute event on Wednesday, the inaugural leader of the State Department’s cyberspace bureau urged private cybersecurity professionals not to try fighting hostile nations.
“We really need companies not to pick fights that only the government can then finish,” Mr. Fick told The Times on Wednesday. “That’s where I draw the bright red line.”
Hostile foreign adversaries have continued to put Americans and civilian networks in their cyber crosshairs.
For example, high-level current and former U.S. intelligence officials, media executives and national security scholars were targeted by North Korean hackers in a malicious cyber campaign unearthed by The Times earlier this month.
The State Department also partnered with the FBI, National Security Agency, and South Korean government agencies to publish an advisory warning of social engineering and hacking threats posed by North Korean hackers this month.
Mr. Fick said there needs to be a red line between government and corporate activity in cyberspace.
Asked by The Times whether hacking back is on the menu of appropriate responses to such malicious cyber campaigns, Mr. Fick said offensive cyber activity is a tool of national power available to the government similar to other military, intelligence, economic, diplomatic and informational tools.
“There needs to be robust democratic oversight within the context of the rule of law but these are legitimate operations that can absolutely advance our national interests and they’re one of many tools at our policymakers’ disposal,” Mr. Fick said.
Mr. Fick said the U.S. government must have monopoly power on the legitimate use of force in American society, otherwise the digital world will descend into vigilantism.
Policymakers around the world are working to define where a cyber red line should be drawn. The German government’s new National Security Strategy adopted this month said it fundamentally rejected using hack-backs for cyber defense.
In the aftermath of the Russia-linked DarkSide ransomware gang’s attack on major U.S. fuel supplier Colonial Pipeline in 2021, President Biden sought to draw red lines around American networks to deter Russian attackers. But hacks and breaches emanating from hackers linked to Russia have continued.
Congress also has considered whether to erase cyber red lines. Two senators proposed directing the Department of Homeland Security in 2021 to study the benefits and risks of letting private companies hack back against cyberattackers.
The bill from Sens. Sheldon Whitehouse, Rhode Island Democrat, and Steve Daines, Montana Republican, stalled. But foreign cyberattacks did not.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.
Please read our comment policy before commenting.