FBI Director Comey Speaking at Georgetown University |
At the Georgetown Cyber Policy Conference this week Cyber Letters of Marque and “active defense” came back into the conversation at nearly every panel discussion. The recent penetration into US Steel, which stole their proprietary information for the use by Chinese Steel companies to compete with them in the global market, is exactly why.
US Signals Intelligence, of which the NSA is the primary agency, is largely aimed, and should be largely aimed, at strategic needs of the US Government. And while economic competitiveness is at some level a strategic need, the particular defense of a US Company is not something the NSA can and should prioritize. The answer to this problem is allowing private companies to offer their services under strict law enforcement and intelligence community oversight to perform the actions needed, including remote intrusion, data exfiltration and analysis, that would allow US Steel and the US Government to build a rock-solid case for criminal liability and sanctions. In that sense, cyber Letters of Marque are more similar to private investigator licensing than privateer licensing.
We will have to hold these private companies to high standards. They must follow the same norms of behavior as the US Intelligence Community when penetrating a foreign company for strategic information. And they must follow evidentiary rules that prevent them from giving their information to their customers. US Steel may be paying for a private cyber investigator to penetrate Chinese Steel companies, but that doesn't mean it gets to see the information that is retrieved unless a Law Enforcement or Intelligence Community team thinks it is stolen information or the result of stolen information.
Less privateer |
More Private Eye |
Being clear about what the US-licensed teams will not do is important to avoid escalation and reprisal issues or running the risk of being hypocritical. At some level licenced private companies are using the same skillset and scoping as a normal network penetration testing team, with some additional oversight and caveats by the DHS or NSA. But obviously they must observe due care to stay within only their licensed scope and not cause damage to targeted companies.
These private investigative teams may not find smoking guns every time. They may be only able to put together the clue that a Chinese Steel company used a new manufacturing technique without ever having done research and development towards it first. That information, combined with knowing a Chinese-State actor had penetrated US Steel would be enough for a sanctions case or it may bolster a criminal case.
And if you are a Chinese Steel company, and you know that integrating any US stolen technology without doing the R&D to produce it yourself may result in sanctions, you will have to be wary of even seeing stolen information yourself. This is a powerful deterrent effect against economic espionage.
This limited, effective, and restrained use of Cyber Letters of Marque would allow industries to fund their own active defense protection and deterrence efforts, avoid escalation issues, and would scale to address a current and pressing national security need.