National cyber director doesn’t envision industry doing offensive hacking

Sean Cairncross, then-CEO of the Millennium Challenge Corporation, speaks onstage during the 2019 Concordia Annual Summit on September 24, 2019 in New York City. Riccardo Savi/Getty Images for Concordia Summit

Sean Cairncross wants the private sector to use its technical prowess to inform U.S. government offensive and defensive decisions.

National Cyber Director Sean Cairncross said Monday that he does not intend for the private sector to fully engage in offensive cyber operations on behalf of the U.S. government.

“There’s an enormous amount of capability on the private sector side,” he said. “I’m not talking about private sector, industry or companies engaged in a cyber offensive campaign.”

The statement, made during a fireside chat at a McCrary Institute event, pushes back on speculation that private industry would be tasked in hacking campaigns authorized by government officials, a concept that surfaced in discussions leading up to the release of the Trump National Cyber Strategy earlier this month.

Cairncross said he wants to use the “ability of our private sector … to inform and share information so that the [U.S. government] can respond” defensively or in a more agile way. 

Private-sector cyber firms provide myriad services like threat intelligence, defensive products and specialized hacking toolkits that are relied on heavily by U.S. government operators and analysts. But the government has not directed the private sector to directly carry out cyber intrusions or “hack backs” against adversaries on its behalf.

The private-sector engagement hits on one of the cyber strategy’s key pillars, which is focused on reshaping the behavior of foreign adversaries to disincentivize hacking. Cairncross said he wants various U.S. agencies — including non-cyber offices like the Departments of State and Commerce — to contribute to that goal.

American cyber and intelligence giants like the NSA, CIA, FBI, Cyber Command and others already have legal authorities to offensively target foreign adversaries using their own hacking capabilities. 

The cyber strategy’s other pillars include promoting common-sense regulation; modernizing and securing federal government networks; securing critical infrastructure; sustaining superiority in critical and emerging technologies; and building cyber talent and capacity.