French presidential candidate Marcon was hacked on Friday before the Sunday voting. Per the NSA Chief, U.S. Tipped Off France on the Russia hacks. The U.S. tipped off France when it saw that Russians were carrying out cyberattacks targeting French President-elect Emmanuel Macron, NSA chief Adm. Mike Rogers told a Senate panel on Tuesday. Macron’s campaign revealed it was hacked just hours before a campaigning blackout in the country ahead of the presidential election on Sunday. Macron ended up handily defeating his rival, Putin-backed Marine Le Pen. “We had become aware of Russian activity. We had talked to our French counterparts and gave them a heads-up—‘Look, we’re watching the Russians. We’re seeing them penetrate some of your infrastructure. Here’s what we’ve seen. What can we do to try to assist?’” Rogers told the Senate Armed Services Committee.
*** Meanwhile….there is no strategy or policy position on U.S. cyber warfare. However…
Next Steps for U.S. Cybersecurity in the Trump Administration: Active Cyber Defense
The failure of the government to provide adequate protection has led many cybersecurity analysts, scholars, and policymakers to suggest that there is a need for private-sector self-help. If the government is unable or unwilling to take or threaten credible offensive actions to deter cyberattacks or to punish those who engage in them, it may be incumbent upon private-sector actors to take up an active defense. In other words, the private sector may wish to take actions that go beyond protective software, firewalls, and other passive screening methods—and instead actively deceive, identify, or retaliate against hackers to raise their costs for conducting cyberattacks. Taking into consideration U.S., foreign, and international law, the U.S. should expressly allow active defenses that annoy adversaries while allowing only certified actors to engage in attribution-level active defenses. More aggressive active defenses that could be considered counterattacks should be taken only by law enforcement or in close collaboration with them.
Key Takeaways
If the government is unable or unwilling to deter cyberattacks, it may be incumbent upon private-sector actors to take up an active defense.
Before the U.S. authorizes private hack back, it must consider not only U.S. laws, but also foreign and international laws governing cyberspace.
Congress should establish a new active cyber defense system that enables the private sector to identify and respond to hackers more effectively.
***
Heritage: Americans want their cyber data to be safe from prying eyes. They also want the government to be able to catch criminals. Can they have both?
It’s an especially pertinent question to ask at a time when concerns over Russian hacking are prevalent. Can we expose lawbreakers without also putting law-abiders at greater risk? After all, the same iPhone that makes life easier for ordinary Americans also makes life easier for criminals.
Manhattan District Attorney Cyrus Vance Jr. has described the operating system of the iPhone as “warrant-proof,” saying criminals are using the devices – encrypted by default – to their advantage. In one instance, he quoted an inmate who, ironically, called the iPhone a “gift from God.”
Divine involvement is a matter of debate, but there’s no question that when it comes to the choice of breaking the cybersecurity of criminals without also endangering the personal data of ordinary Americans, well, the devil is in the details.
This is especially true given the evolving nature of the threat. Even if we wanted to give the government access to all the metadata it wants (when, where, and who called), technology is moving away from phone calls to text messages and other non-telephony applications. Traditional metadata will be of limited use to law enforcement in pursuit of the savvy criminal of the future. Law enforcement needs to develop new strategies and investigative techniques without making us all prey.
It’s nearly impossible to assess the total monetary value for all successfully prosecuted cybercrimes in the U.S., let alone estimate the number of criminal cases that would have fallen apart without access to a smartphone’s data. The Department of Justice doesn’t publish such data. But, according to the 2014 Center for Strategic and International Studies report “Net Losses: Estimating the Global Cost of Cybercrime,” global cybercriminal activity is valued at $400 billion a year. Cybercrime damages trade, reduces competitiveness, and limits innovation and global growth.
The fundamental problem is that no one in the government is responsible for securing the internet for all of us. The Department of Homeland Security is responsible for safeguarding our nation’s critical infrastructure, yet the insecure internet presents cyberthreats to non-enterprise users affect individual security, safety and economic prosperity. Who is responsible for their security?
Some elements of the federal government are so focused on hunting down information against a few horrendous criminals that they don’t seem to realize they’re doing it at the expense of our right to privacy and online protection. We can appreciate their dedication in these noble causes, but the fact remains that the internet has become a host to more and more personal information ever since Steve Jobs introduced the first iPhone.
Since then, the smartphone has evolved to have much more control over our lives, homes and vehicles. There is no sign of less data being held in the cyberspace.
In attempting to square this cyber-circle, the government would be wise to take a cue from the medical profession, which uses the Hippocratic oath to dictate an underlying requirement to refrain from causing harm to patients.
There is no such oath for members of the Department of Justice. They simply affirm that they will faithfully execute their duties without affirming that they will do so without harming the citizenry as a whole.
DOJ lawyers focus on individual prosecutions. That is too narrow of a definition of success. It forces them to use all means they can muster to make their prosecutions successful with little or no consideration of the larger harm their efforts may cause to the population in general.
That is a problem today and will only be magnified in the coming years as technology advances and the gap between those advances and the DOJ’s understanding of them widens. Within this environment, where insecurity breed’s criminality and stopping individual high-value criminals can motivate the DOJ to undermine security, one can only wonder, who is responsible for our security?
The world has changed. A new paradigm is needed to ensure the safety and security of all American’s data predicated on applying airtight security to our data. There is no return to the past. Perhaps the Trump administration will make this need for security a priority in a manner the previous administration did not.
