With ransomware from Russia threatening U.S. critical infrastructure the question heard more and more is should the U.S. Cyber Command shoot back? Jason Healey says yes, but only under certain, carefully defined conditions. He is a senior research scholar at Columbia University’s School for International and Public Affairs, and he spoke to Federal Drive with Tom Temin for more insight.
Insight by Cloudera: Learn about what a few federal agencies are doing to tackle data security challenges and improve their cyber data posture in this exclusive e-book.
Tom Temin: Mr. Healey, good to have you on.
Jason Healey: Hey, thanks, Tom.
Tom Temin: Now, you have written, first of all, your article in Lawfare, which is how we found you on this topic, mentions that Trickbot is back, and that what happened last fall involved both Cyber Command and the commercial sector responding to the same thing. Review for us what happened and why that’s kind of the dilemma that country faces.
Jason Healey: Right. So Trickbot was a reasonably prevalent bit of software. And what Cyber Command said was, hey, we’re coming up on the U.S. elections, and the Trickbot operators are associated with Russia, and we don’t want anything happening over the 2020 elections. So, in October, September, October, they said, we’ll do a disruption, we’ll use our military cyber power, for the federal listeners to your show, right, using title 10, military authorities, to go out and disrupt what’s basically a purely criminal operation. And they were doing that at the same time, actually just delivered after, Microsoft was themselves going after Trickbot. And so what I was trying to do in the piece was setting up, alright, seems like it’s a good idea, I think we can get behind that. But, do we really need the military, using military power, to go after the same targets that are already being taken down by others?
Tom Temin: And what is the methodology that Microsoft uses? Because they do this regularly, and they have a program of taking down some of these botnets. But they don’t…well, what do they do?
Jason Healey: [Laughing] Right. They use the courts to a substantial degree. I mean, at the end, it’s technology, right? They’re going in, and they’re taking over domains and things like that. But they do it through the courts, and going in and saying, hey, these operators are misusing Microsoft brands and technologies. And they get the courts to nod to that, and often, if not, usually with the Department of Justice involved. And they’ve been at this for a decade. So this is the main way that you see these botnet takedowns, not always with Microsoft, but in this way, with the private sector in the lead and going through the courts. That’s obviously very different from Cyber Command, which is going in and using technical tools, and not using the courts at all.
Tom Temin: So Microsoft then doesn’t zap them with a counter attack and actually do cyber damage as the Cyber Command is capable of doing.
Jason Healey: Absolutely not, it’s not hack-back, right? In the way that we might think about. It’s active defense, it’s persistent engagement, to use the military term, it’s just going about it in a different way.
Tom Temin: And so if you look at some of the more recent attacks, and we’ll use the famous case of the pipeline, which the pipeline wasn’t bombed, but the cyber system of the operator was bombed, which scared them into thinking that they could take down the pipeline, and therefore they shut down the pipeline before that could happen, paid the ransomware. The result was some short lived, but pretty tough economic dislocation for parts of the country. Does that elevate it to something that would require a military response, do you think? I guess I could make the imperfect analogy, suppose a nation cut the pipeline and did some kind of physical harm in that manner.
Jason Healey: Yeah, it’s a great example, because it started as a purely criminal enterprise, but it had clear national security implications. And we can’t always know beforehand which ransomware attacks are going to lead to those high end national security implications where you now say, alright, maybe we would need the military to do so. Now that’s not our fault, right? That’s on behalf of the adversaries. So the issue comes down to is, okay, we can’t have the military, or we don’t think, especially in a democracy like ours, that we want the military to be getting involved in everything, especially criminal things that are homeland security, right? If we’re always turning to the military, they’re never going to be resourced for it. And we have these constitutional issues about it, right? I mean, we’re about a year from when we had the 82nd Airborne almost on the streets of Washington, D.C., right? We as an Americans say, no, the military should only be reserved for some things. So our issue is okay, well, then, under what circumstances? What are the criteria that it is smartest for us to reserve the military for those situations?
Tom Temin: We’re speaking with Jason Healey, senior research scholar at Columbia University’s School for International and Public Affairs. And if you were to shoot back in the case of the pipeline, you would still have the issue, yes, this could be a critical danger to society, but you’re shooting, in a cyber sense, not at another military, but at some group that’s operating out of a country, which we can’t attribute to the Russian government. So, I imagine that’s another kind of offset issue to deal with.
Jason Healey: Absolutely. It bothers me a little bit less, because I don’t care as much about attribution, which implies, who are the people involved, what’s the group involved, versus national responsibility? There’s no doubt that Putin is responsible for this, right? It might not be people that are getting a Russian government paycheck, or have a Russian government ID that are doing this, but we have no doubt that they’ve had sanctuary in the ability to do this. So I’ve got no problem in saying we’re going to hold the Russian government and Vladimir Putin responsible for this, and just proceed from that point.
Tom Temin: Alright, so you have laid out a set of criteria under which Cyber Command should counter hack and tell us what those are?
Jason Healey: Yeah. So I said, boy, it needs to be imminent, right? Something important has to be coming up. In the case of Trickbot, that was the U.S. elections, where they said, ah ha, boy, we need to act quickly to make sure. It could also be for example, if we have intelligence that the malicious software, as a group, is about to shift into doing something more dangerous. Severity. We shouldn’t be doing this for something minor, we should only be doing it for something major. Trickbot was relatively large in this. Obviously it should have an overseas focus, right? If it’s in the United States, then that’s not something that we should really be thinking about the United States. Adversary. I said, look, for the military to be getting involved, it should be a criminal group or malware that’s tied to China, Russia, North Korea or Iran, right? Using the military for a criminal group or malware that’s from Brazil, strikes me as a mismatch of what we’re trying to get done here. And last, the military as a last-ish resort, right? We shouldn’t leave it for the last resort, because by then it might be too late. We don’t want to game this too much. But if someone’s already doing, it in the case of Microsoft, then maybe we don’t need the military to be getting involved against a criminal group. Now, and I’ll just say there’s a strong and a weak version of this. The strong is, these are all legal tests, and you need all of them. The weak is, well, these are the kinds of things that it should be involved with, and as long as it’s along these lines, that’s probably okay.
Tom Temin: And who would make the decision here? Because you’ve got a chain of command, and when there was the taking out of bin Laden, that went all the way to the Oval Office, that decision. In this case, these are words that make sense for criteria. But the devil is in the details, imminent, five minutes from now, an hour from now, severity, a million people affected, and so on, you get my point.
Jason Healey: Yeah, absolutely. Ideally, this would be the NSC through a modification of the documents, which say how we’re going to do these. Under Obama it had been PPD 20, under Trump it had been a document called NSPM 13. I don’t know if the Biden White House is updating that document with new guidance. But these kind of things could be built in there. Also, it could just be used locally within U.S Cyber Command and their intra-agency discussions with Justice and DHS on who’s going to do what.
Tom Temin: Alright, so to summarize, this should be something that is embodied in a policy. So that it would seem incumbent upon the Biden White House at this point, if they agree, is to have a PPD 20 or an NSPM 13. My hunch is they’ll resurrect PPD 20, [laughing] from the Obama administration, but there needs to be some document that controls all of this.
Jason Healey: Right. And we might dance around this. It strikes me like the drug war, right? Where we decided that, in the ’80s, where the military was going to get involved because there was clear and present danger. And we might say, alright, we’ll have a joint FBI – U.S. Cyber Command unit that’s going to bring you the authorities and the capabilities of both. You might even add private sector, right? Maybe even Microsoft and others that have been involved in these takedowns have a seat at that table. And all three of them say, what are we going to do about this and who’s got the best capabilities and authorities? That kind of thing seems like a better way of doing this than Cyber Command off on its own.
Tom Temin: Jason Healey is senior research scholar at Columbia University’s School for International and Public Affairs, and also past president of the Cyber Conflict Studies Association. Thanks so much for joining me.
Jason Healey: Thanks Tom.