US push to counter hackers draws industry deeper into offensive cyber debate

The U.S. government has an offensive cyber wish list, and the private sector is already bidding. Many federal contractors back the effort, though they still have deeper questions about semantics and where offense ends and defense begins.

Terms like “disruption,” “cyber effects” and “defensive operations” were flung around in discussions at the RSAC Conference in San Francisco last month, one of the largest cybersecurity gatherings in the world. In discussions during and after the conference, Nextgov/FCW sought to learn how industry players perceive the vision under President Donald Trump to punch back harder against cyber adversaries, and how those industry leaders might contribute to the cause.

For the past year, industry executives and U.S. officials in closed-door meetings have weighed the concept of enlisting private sector cyber titans to hack for the government, inspired by the centuries-old practice of letters of marque and reprisal that made waves in the old days of naval warfare. But last month, National Cyber Director Sean Cairncross appeared to pour cold water on the concept.

He told audience members at an event that there’s “an enormous amount of capability on the private sector side,” but that he’s “not talking about private sector, industry or companies engaged in a cyber offensive campaign.”

Cairncross said he wants to use the “ability of our private sector … to inform and share information so that the [U.S. government] can respond” either defensively or in a more agile way to enemy hackers. His remarks came after the release of Trump’s national cyber strategy, whose first pillar focuses on ways to create obstacles for foreign state cyber operatives and criminal hackers.

But nearly a dozen interviews with industry stakeholders and former officials indicate that it remains an open question where companies draw the line on cyber offense and where the government does. The boundaries around offensive cyber are often blurred, and the private sector is still trying to learn its place. That uncertainty leaves more questions than answers about how offensive cyber operations should be structured, regulated and integrated into a broader U.S. national security strategy.

New market force

There’s consensus among security leaders that the private sector doesn’t want to be deployed for offensive hacking, said Adam Marrè, chief information security officer at Arctic Wolf. The talk of “hacking back” comes up every five to ten years, he said, but those talks break down every time for a number of reasons, mainly because of legal and ethical concerns.

Still, there’s no indication that the global cybersecurity environment is calming. Foreign adversaries would “absolutely” want access to powerful exploits that can steal information or wreak havoc on systems, Marrè said. 

“[Adversaries] are mainly worried about what’s effective. So if it works, and if it ain’t broke, don’t fix it,” he said. “But if I can find a more exotic exploit that is going to allow me to have more access or access without being detected, or be able to get to somewhere I haven’t been able to get before, 100% they’re going to be looking for that."

Governments across the world are hankering for the latest and greatest hacking tools, said Elad Schulman, CEO of Lasso Security. 

“If we are not developing capabilities, our enemies are developing those capabilities,” he said. “That is why we need to assume that, at any point in time, someone will find and use exploits against us.”

For years, companies have helped develop special technologies for the U.S. government’s secret cyber missions. But the new White House cyber strategy’s offensive focus sets a tone for companies and their investors, said Rob Joyce, the NSA’s former cybersecurity director. 

“There’s been companies that are defense industrial base firms that know how to sell to the government, and there’s been some very boutique cyber companies that sell into the military cyber and intel community,” he said. “But this has the whole community and people out here in Silicon Valley who are not government-adjacent talking about ideas that they can help with in offensive cyber. I think it changes that ecosystem a little bit.”

Joyce is now a venture partner at DataTribe, which invests in early-stage cybersecurity companies often led by people who worked in the intelligence community. He said the government is in the market for an array of cyber capabilities, including vulnerability scanning, exploit development, tooling to analyze cyber threat data and digital infrastructure to obscure the origin of covert cyber operations.

This week, the cybersecurity world was sent into shock when Anthropic revealed it was holding back a powerful frontier AI model that could find previously undiscovered vulnerabilities at mass scale. The intelligence community is already eyeing its capabilities, Nextgov/FCW reported.

Still operating defensively

Many practitioners are advising the cyber ecosystem to invest in defensive measures, regardless of the White House’s more offensive posture.

“Being a defender, an ounce of prevention is worth a pound of cure,” said Ryan Anschutz, the incident response lead at IBM’s X-Force threat intelligence arm and a former FBI official. “A defensive prevention perspective, I think, would have more of an impact … than offensive capabilities, which, quite frankly, some arms of the federal government — their offensive capabilities far surpass the private sector.”

Even among companies that simulate adversary cyberattacks to improve network defenses, known formally as red-teaming, the definition of “offensive hacking” can get fuzzy.

“Would you classify offensive hacking as going out and fingerprinting the threat that was attacking you to gain the threat intelligence?” Anschutz said. “Is that offensive? Where does that change? Where’s the line drawn between what is offensive and what’s not offensive?”

The answer depends on who you ask. 

Hacking back, in the sense of breaking into adversaries’ computer systems for data and geopolitical intelligence, takes a level of access that only belongs in the government space, said another industry executive that works closely with the intelligence community on cyber matters.

Google’s threat intelligence arm recently came out swinging with discussions of its new disruption unit, though executives soon quashed the notion that the unit is “offensive” in any way, arguing that removing infrastructure that hackers sit on is a defensive move that impedes their forward operations onto U.S. and allied systems.

Some companies are building out advanced defensive cyber solutions at as rapid a pace as the offensive market, a sign that a more capable offense is driving equally urgent demand for stronger digital shielding.

“We had just seen too many examples over and over again of how burned out these poor kids in these security operations centers are, how just overwhelmed at the enormity of all the alerts, all the boxes always flashing red,” said Bill MacMillan, a former CIA official and now the chief product officer at security operations center solutions provider Andesite.

“We have to transform. We have to adopt this technology because this is the threat environment and the resource environment that we’re operating in,” he said.

Considering new frameworks

The offensive philosophy in Washington, D.C., has made some cyber experts weigh the pros and cons of the current legal environment that facilitates hacking activities.

The NSA, Cyber Command and others are permitted to take more aggressive cyber actions to stop foreign adversaries and criminal hacker gangs. This week, the FBI said it covertly sent shutdown commands to kick Russian state-backed hackers out of thousands of routers housed in organizations around the world.

The move, like many FBI takedowns of digital infrastructure, required court authorization. More broadly, some of the most sensitive intelligence operations do not rely on a standard U.S. court warrant at all.

Even so, private companies lack those authorities. They may build the capabilities used in cyber operations, but — like a defense contractor manufacturing a missile — the decision to deploy them and the consequences that follow rest with the government, not the company.

But what happens if a firm is hacked and wants to take action? There’s room to discuss “stand-your-ground” laws that could permit companies to respond to intrusions, at least to a certain degree, said Philip George, executive technical strategist at Merlin Cyber.

“Obviously, there are some authority issues and some rules of engagement concerns, and we don’t necessarily want everyone returning fire or preemptively thwarting an attack,” he said. But if attacked in cyberspace, “what’s the extent that I can return fire, to at least take down infrastructure that may be targeting me?”

Asked if such a legal authority constitutes a counter-attack, he clarified it as a “counter-action” or “counter-response” because the former term carries “a lot of weight.”

Some serious conversations will need to be had about the future of legal measures under this offensive posture, said John Fokker, head of threat intelligence at Trellix and a former official in the Dutch National Police’s High-Tech Crime Unit.

“If authorities are operating in the grey area with certain private sector entities, I’d much rather define and start talking about that grey area,” he said.

Information-sharing between the public and private sectors — a cornerstone of modern efforts to stop cyberattacks — should also continue, he said, though he argued the process should be streamlined given the number of existing groups.

But one executive said they expect the U.S. government will ultimately find ways to involve private contractors in offensive cyber operations, even as the administration publicly draws limits.

“I believe that the government will contract for cyber operations under carefully crafted contracts,” said Kevin Spease, president at ISSE Services. “It simply depends on how you define it.”

He pointed to past U.S. conflicts where private firms supported offensive missions, arguing cyber operations could follow a similar path.

The rationale, Spease added, comes down to capability. The government, in both civilian and defense agencies, already predominantly relies on technology made by the private sector for day-to-day operations.

“The private companies have far better expertise,” he said. “Sometimes it’s easier to have a contractor do it.”