Chair of the House Permanent Select Committee on Intelligence, Rep. Mike Rogers (R-MI), today warned private businesses not to go on the offensive as part of their defense against cyber attackers.
"It's best not to go punch your neighbor in the face before you hit the weight room," said Rogers, in a warning to both public and private sector actors that are considering offensive actions to defend their networks under the growing trend of "active defense."
Government organizations and businesses are still figuring out the best way to defend themselves from advanced cyber threats. But, said Rogers, "until we have figured out how we will defend ourselves and our networks, I would be very, very, very cautious about using an offensive capability."
The lawmaker, speaking at an event at The George Washington University, added: "Now, you can't do a good defense if you don't develop the capability for offense...so I completely agree with [building offensive power]. I'm just very concerned about engaging [in offense] before we have the ability to defend ourselves because, guess what, something's coming back" to hit us.
Rogers' comments echo those of experts who are concerned that, by unleashing advanced cyber weapons such as Stuxnet, the United States and its allies are opening themselves up to similar treatment by rogue nations or terrorist groups.
"If we start using those sort of [cyber weapons], it doesn't take much to turn them against us, and we are tremendously vulnerable," said Howard Schmidt, who stepped down as White House cyber security coordinator in May 2012, speaking at the same event. "Which is why, when you look at active defense, we need to focus on reducing our vulnerabilities" against the most sophisticated cyber actors before firing back.
Rogers is particularly concerned about private businesses "hacking back" against enemies that have covered their tracks well, increasing the potential for misdirected retaliation.
"You have to be incredibly accurate and careful. You don't want to attack the wrong place or disrupt the wrong place for somebody who didn't perpetrate a crime," said Rogers.
"On the private sector, this concerns me more, because you've got a multitude of players in this space, you'll have different levels of capability in determining who perpetrated the event, and I will guarantee you there will be lots of mistakes made given the sophistication of nation-states in hiding their hand in activities," said Rogers. "It's the same way how in America you don't want vigilante justice."
Killer Apps has been at numerous conferences where private businesses have endorsed the notion of hacking back. Some industry representatives have gone so far as to suggest that businesses look at which nations legally allow return cyber fire or preemptive cyber strikes in order to avoid legal troubles.
Rogers said he was particularly concerned about preemptive strikes against potential cyber enemies: "[What's] concerning in the private sector is, they're saying, 'I know they have the capability to do something, I think I'm going to go over there and attack them first before they ever get the notion to attack me.' That's where I get very concerned about how we define active defense."
The congressman added that businesses and government agencies should be able to conduct forensic research on cyber attackers, but that 'active defenders' should strike only when they know for certain both that they are being attacked and exactly who is behind it.
Active defenses should be "an act of last resort" that are precisely targeted with strict rules of engagement, said Schmidt.
"I don't know if we would like other countries saying, 'Well, it's in our national interest [to attack] because there's something [malicious] coming from a server in Kansas City and we're going to go take that down' which also happens to be a medical facility," said Schmidt. "We have to be very, very cautious about this."