Have you heard of the MonsterMind project? The allegation from NSA whistleblower Edward Snowden is that the spy agency is developing a system that would be able to neutralise, and even launch counter-strikes against, a target if it were found to be attacking US organisations.
The concept isn't particularly new, of course – the information security industry has been debating the pros and cons of launching counter-attacks against hackers for years now. But it's the first time a nation state has been revealed as considering such a strategy. It may only be hearsay at the moment, but I see several major problems with it, which should convince most CIOs that MonsterMind is definitely a bad idea.
The first comes down to privacy. For MonsterMind to work as intended, the NSA would effectively have to access and monitor all traffic flows coming into the US from outside. Only then would it be able to detect what's malicious and what isn't. Snowden himself said in the interview that this would violate the Fourth Amendment. There's certainly nothing about the NSA revelations so far that would convince many people that protecting the privacy of citizens and corporates is top of the agency's list of priorities.
My second concern with MonsterMind is that there are as yet no defined parameters for what constitutes an attack big enough to warrant a counter-strike – a strike which could lead to fully fledged cyber war. Exactly who decides where this arbitrary line in the sand is drawn? Will the NSA consult industry experts for their opinion? I fear not.
The other main issue is collateral damage. Today, most state-sponsored operatives use collections of compromised machines known as botnets – often outside their own borders – to launch attacks. This neatly disguises the origin of the attacks and provides free computing resources to manipulate at will. Strike back at the "source" of the attack and you could be hitting innocent citizens and organisations, maybe even in your own country. I fear that the capabilities to detect the true origin of such attacks are not yet advanced enough to make MonsterMind's counter-strike capabilities a viable option. If the US – or one of its allies like the UK – were 100% certain that its critical national infrastructure (CNI) had been hit by a cyber attack from North Korea, for example, the best course of action would not be to fire back via an automatic, autonomous system like MonsterMind, potentially incurring vast collateral damage. It would be to stop, consider the options and then, if it was decided that the attacker definitely was North Korea, to declare cyber war and launch a tit-for-tat strike on its CNI systems.
In any case, the problem here is that there are no internationally defined rules on what even constitutes cyber warfare. Does loss of life have to occur first? In the absence of any legal framework for cyber war or "hacking back" at an attacker, the US and its allies risk losing massive face on the international stage. One thing's for certain: as the debate continues it'll keep the lawyers busy – and wealthy.
A final concern of mine with MonsterMind is that a strategy based around launching automatic counter-strikes at targets thought to have attacked the US could actually destroy precisely the evidence that could help with attribution. Microsoft's Digital Crimes Unit has rightly been accused of doing this in the past. In fact, Microsoft's takedown of the Citadel botnet last year did just that, destroying sinkholes that other security researchers had installed to try to find out more about the ringleaders behind the bot. If you're gunning for the drug lords, don't go around taking the dealers off the streets. You have to accept there'll be more drugs on the streets for a while until you can trace and implicate those at the top.
MonsterMind still has potential. If it's created from scratch with a privacy-by-design mantra, analysing traffic for potential cyber attacks is a good idea, as long as the NSA, working with ISPs, agrees merely to block those malicious packets and do no more. This is self-defence and is an entirely acceptable way to protect CNI and other organisations from harm. But talk to anyone in the infosecurity industry and "hacking back" is widely derided as a bad idea. It's the equivalent of hearing a rifle shot outside and opening the door with all guns blazing. A lot of people are going to get hurt, and usually not the right ones.
Raimund Genes is CTO of Trend Micro