Cyber Command Takes Gloves Off on Ransomware


By: Andrew Braunberg

The New York Times reported this weekend that the U.S. Cyber Command, the unified combatant command responsible for military cyberspace operations, has reassessed its long-held view that responding to ransomware attacks is solely the responsibility of law enforcement.

According to the article, the head of U.S. Cyber Command, General Paul Nakasone, indicated that he views the attacks this year on Colonial Pipeline and JBS beef plants as “impacting our critical infrastructure” and has changed his thinking on the appropriateness of a Cyber Command response.

Quoting the article:

“In response, the government is taking a more aggressive, better coordinated approach against this threat, abandoning its previous hands-off stance. Cyber Command, the N.S.A., and other agencies have poured resources into gathering intelligence on the ransomware groups and sharing that better understanding across the government and with international partners.”

Nakasone did not provide details but used the military’s generic term for employing cyber operations and noted that the U.S. government had “imposed costs” on ransomware groups.

Private Sector Calls for "Hackbacks"

That Cyber Command has moved in this direction likely does not surprise anyone, but the timing is interesting. To say that private-sector concern about ransomware is high would not do current frustrations justice.

The lack of an aggressive, “active” government response to cyberattacks has led to further frustration in some camps. This has renewed calls to allow private entities to “hackback” against attackers. A hackback, also known as active defense, is generally understood to involve a private-sector entity launching a counterattack designed to disable an attacker or enable the collection of evidence against that attacker. Such action by the private sector is currently illegal in the United States because of the Computer Fraud and Abuse Act of 1986.

A hackback bill, the Active Cyber Defense Certainty Act, was introduced in the U.S. Congress in 2017 and then again in 2019. And in June 2021, Senators Steve Daines and Sheldon Whitehouse introduced a bill in the Senate that would require the Department of Homeland Security to “conduct a study on the benefits and risks of allowing private entities to take actions to protect their operations in response to cyber-attacks.”

The act specifically calls for the Secretary of Homeland Security to “study the potential consequences and benefits of amending the Computer Fraud and Abuse Act to allow private companies to take proportional actions in response to network breach.” Any action by a private entity would be “subject to oversight and regulation by a designated Federal agency.”

Hackback Legislation May Stall

The hackback idea is not without its critics, however. There are several good summaries outlining concerns with the tactic. Primary concerns include the difficulty of attribution, the likelihood of collateral damage, the difficulty of oversight, and liability issues.

Which gets us back to Cyber Command. Surely, if anyone should be punching back against ransomware groups, it’s them. By making it clear that Cyber Command is both ready and willing to engage these gangs, General Nakasone has likely, if inadvertently, reduced the appetite in the Senate to consider hackback legislation. Politicians, for the most part, just need to demonstrate that someone is working on the problem. Everyone should recognize, however, that many of the concerns associated with hackback apply to military cyber operations as well.