American Hackers-for-Hire Proposal Sparks Heavy Criticism | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker


Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Governance & Risk Management

US Senate Committee Approves Private Sector Hacking Pilot

Image: Shutterstock/ISMG

The United States could get its own hack-for-hire network of contractors deputized by the federal government to penetrate foreign adversaries under a provision approved by the Senate Committee on Armed Services in its version of an annual defense authorization bill.

See Also: Debunking the Myth: Securing OT Is Possible

Language in the committee’s fiscal 2027 national defense authorization act – currently awaiting amendments and a vote before the full Senate – would authorize Defense Secretary Pete Hegseth to set up a pilot project “under the operational authority” of U.S. Cyber Command, “to assess the feasibility and advisability of conducting cyber operations … through contractor-owned, contractor-operated means.”

Critics are unhappy. Should the language become law, it would cross an important line, said Nick Leiserson, who served in the White House Office of the National Cyber Director during the Biden administration and before that for a dozen years as a House staffer, poring over legislation very similar to this year’s NDAA language.

“The monopoly on force is given to the government,” Leiserson, now at the Institute for Security and Technology, told ISMG.

Involving contractors in offensive operations “contributes to global cyber instability,” Leiserson said, pointing out that the U.S. has sanctioned Chinese military and intelligence contractors for involvement in Chinese cyber ops precisely because of the risk it presented to global cybersecurity. In addition to approval by the full Senate, the program would also need approval from the House of Representatives to become law.

It’s not clear what problem an authorization for private-sector hacking would solve, Leiserson said. Lawmakers have complained about a lack of U.S. capacity to disrupt the infrastructure and operations of adversary threat group. “But if that’s the problem, then just take the money you were going to spend on this and fund some more cyber national mission teams,” to do those counter-cyber missions, he said.

The provision’s authors jumped straight to a private-sector solution without considering adjusting policy and funding at Cyber Command, Leiserson said.

“There are definitely interim steps that you could take,” before jumping to the NDAA language, agreed Mike Daniels, who served as a White House cyber policy lead during the Obama administration and is now president of the Cyber Threat Alliance. “If your contention is that we need more people, and the way that we’re going to get them is to contract with industry, well, then fine. Bring them into Cyber Command facilities and integrate them with the military personnel and have them work side by side with them in those facilities and have them conduct their activities under direct government oversight.”

“That’s a well-trod model,” Daniels said.

Leiserson said the only advantage the NDAA language offered was if using the private sector was a way to get around the “red tape” created by the U.S. military’s careful adherence to the Laws of War.

“It only makes sense … if part of the reason you go to the contractor community is that it relaxes some of the bureaucracy,” Leiserson said. “If you’re using the same playbook, consulting the same lawyers, following the same interpretation of the Law of Armed Conflict, we’re really not changing our risk tolerance, our risk threshold at all.”

In that case, “You should really be talking about increasing the size of the force,” Leiserson said.

Industry advocates and lobbyists have for several years now promoted legislation on Capitol Hill to allow contractors to join the cyber fight. Most recently, bills introduced in the House and Senate last year would have given President Trump the power to issue “letters of marque and reprisal” – a form of maritime deputization last deployed by the U.S. against Great Britain during the War of 1812. Such an authorization gave license to private ship owners, “privateers,” to violently seize and legally keep the property of pirates and other enemies of the state. The bills would have empowered security contractors to seize cryptocurrency wallets used in foreign-based fraud against Americans. They did not come to a vote in either chamber.

The need to use private-sector capability is driven by capacity gaps in military and other government agencies, said Chris Cleary, a former Navy principle cyber adviser.

“People have advocated this for a long time. Using industry people, industry infrastructure, their capabilities, to maintain access to a target that we [the government] chose,” Cleary told ISMG.

More money for Cyber Command wouldn’t necessarily solve the problem, Cleary said, characterizing it as bogged down in training bottlenecks and retention challenges. “The reality is the government just does not have the capacity to do all the work they need to do right now in cyber, and they’re never going to have it. You have to figure out how to leverage industry for this,” he said.

Cleary said that he isn’t prepared to endorse the exact language in the Senate committee NDAA, but that he welcomed the debate it had set off. “This is a conversation that needs to happen.”

The pilot project, to be launched not later than March 1 next year, would limit private-sector operations to “access generation and maintenance.”

But that’s a very broad canvas, former senior cyber officials and other experts said.

“The entire SolarWinds operation was pretty much all access generation,” said Jason Kitka, a 20-year Marine Corps veteran who helped stand up Cyber Command’s Cyber National Mission Force. The SolarWinds operation, for which the government sanctioned Russian intelligence officials and technology contractors, exfiltrated data from a small number of the targets it had compromised. But like most cyber operations, “95 percent of it can be in that first [access generation and maintenance] segment,” Kitka said on an Institute for Security and Technology webcast.

Volt Typhoon, the Chinese military-linked threat actor which has attempted to pre-position itself on the networks of water and power providers in the U.S., is doing access development and maintenance, Leiserson said. “They have not shut the water off, shut the power off, impeded military mobilization … the goal of [their operations] is to have access, so that you have options in a time of a contingency, in a time of crisis or conflict, to have the effects of your choice.”

But because the adversary can’t always be exactly sure what those effects might be, broad access development and maintenance operations like Volt Typhoon are destabilizing and potentially escalatory, said Alex Orleans, a threat intelligence veteran who has worked for CrowdStrike, Cisco and Splunk.

And it’s doubly so, when it might make targets of U.S. contractors, Orleans cautioned on the IST webcast.

U.S. operations have “burned” – i.e. destroyed – the infrastructure of contractors and cybercrime proxies of adversaries like Russia and China, Orleans said. All to the good – but the bill would place the U.S. in the uncomfortable position of asserting that its contractors be treated differently. “Those adversaries are going to be hearing us say ‘Our contractors are special, don’t touch them.’ But then ‘We’re going to sanction [and burn] your contractors.'”

For one thing, going after a nation-state contractor in China or Iran is relatively easy. Their infrastructure is often built on disposable networks hammered out of infected home devices. “You can burn down an Iranian contractor relatively easily, and they can absorb that. You can’t burn down Booz Allen or invite the burning down of Booz Allen by someone in retaliation without having ripple effects,” Orleans said.

Thinking it was a good idea to use the private sector to scale access generation relied on a twisted version of reality, Orleans said. “This is your brain on American exceptionalism.”

Cleary floated a possible intermediate step of allowing contractors to “start getting a little more aggressive, and they start establishing access to a bunch of targets, maybe even targets you [the government] didn’t ask me to, because you probably don’t know what you don’t know, and provide this access back to you.”

But Leiserson said that would effectively create a Department of Defense analog of the ransomware cybercrime ecosystem, with initial access brokers attacking a wide range of essentially unidentified targets and figuring out later who they were and how much they’d be worth.

“This starts to look a lot like what Russia and China do with their proxies,” Daniels said. “Do we really want to be playing that game? I’m not sure that the benefits are worth the downside, especially when I don’t have indications that we’ve tried other things and they haven’t worked.”

Handing off hacking duties to contractors risks letting events spiral out of control, Kitka said, the Marine veteran of Cyber Command operations. He pointed to Chinese hacking contractor exploitation of the Hafnium Zero Day Microsoft vulnerability. Initially, the Chinese Ministry of State Security kept tight control over its use. “But when the patch came out” – meaning the zero-day had been discovered and fixed by Microsoft – “It was open season.”

Defenders would routinely find more than a dozen webshells, the hacker presence that Hafnium enabled, on a single enterprise server, Kitka said, suggesting it had been attacked by 13 or more different groups, or in some cases, 13 times by the same group.

“They were probably getting paid by the target or something,” Kitka speculated.

Cleary played down such fears. The private sector was full of people who had conducted or worked on operations at Fort Meade, for the NSA or Cyber command, he said. “This can be done in a responsible way, given the right people.” And the pilot would have to be done just right. “You can’t afford to [mess] up the first time you do this,” he said.

That statement at least brought agreement from Kitka.

“If this gets approved, the pilot program will be as smooth as butter,” Kitka said. That good experience will lead to a more permanent authorization and a bigger program. “It’ll start to scale, and that’s where it’ll go to hell in a hand basket,” he said.



Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW