Utility Official: DoD, Cyber Command Should Handle ‘Hack-Backs’

Thomas Fanning, chief executive officer of Atlanta-based electric utility holding company Southern Co. and a key player in developing private-sector cybersecurity policy, said today at a Senate subcommittee hearing that he has begun to have interactions with senior Federal government military leaders about capabilities to “hack back” at cyber attackers, but emphasized he believes that those types of retaliatory capabilities need to remain in the hands of the military rather than become a corporate function.

The CEO’s comments came during a during a hearing this afternoon of the Senate Judiciary Committee’s subcommittee on crime and terrorism, at which several senators made clear that the U.S. needs to do much more to deter cyber attacks, especially those aimed at U.S. critical infrastructure and purported to emanate from Russia and other nation-state adversaries.

Sen. Sheldon Whitehouse, D-R.I., in particular, offered an aggressive lineup of policy steps that should be considered to boost U.S. defenses and deter adversaries.

Among those was a proposal to “stress test” what has become one of most reliable Federal policy standards for promoting better cybersecurity–the National Institute of Standards and Technology’s (NIST) voluntary cybersecurity framework for critical infrastructure sectors.

“We don’t know how well the NIST framework is helping to improve cybersecurity outcomes,” the senator said, adding that if the framework is not improving outcomes then “we need to get to work on something that will.”

Sen. Whitehouse also complained that cybersecurity responsibility in the Federal government is “spread across 73 different inspectors general,” and suggested that Congress take action to create “the equivalent of a roving Inspector General” for cybersecurity who can conduct tests and audits of agency security.

He, along with several other senators at today’s hearing, made an impassioned plea for the U.S. and the international community to take steps to create better deterrence measures to keep potential attackers in check.

In line with his discussion about deterrence, Sen. Whitehouse broached the hack-back issue, including the thorny question about which entities should be able to undertake such attacks.

“We need to think hard about how, when, and whether to allow hack-back authority” so that “responsible actors” can take retaliatory action in a bid to deter further attacks from adversaries, he said.

“I can’t say what the answer would be to that” question, the senator said, while posing possible outcomes to such a discussion: “It could be open season” on adversaries, he said, adding, “I doubt that”; “it could be” that some companies could be licensed to take hack-back actions; and “it could be nothing at all.”

“But we should be having the conversation” about hack-back authorities, Whitehouse emphasized.

Later in the hearing, Fanning offered his witness testimony including a description of his role as one of three co-chairs of the Electricity Subsector Coordinating Council, which includes the CEOs of 22 electric companies and ten industry groups, and which is the principal liaison between the electric sector and the Federal government for coordinating efforts to prepare for and respond to cybersecurity threats, physical terrorism, and natural disasters that threaten critical infrastructure.

Among other things, Fanning said he also worked closely with similar cybersecurity-related coordinating councils representing the finance and communications sectors, and that the group of three sectors was working on security frameworks that would help support the entire group.

Sen. Whitehouse queried Fanning on whether he knew which government agency or official he could go to in order to discuss a hack-back at an adversary, asking, “What door do you knock on?”

Fanning did not answer that question directly, but responded, “I think we are developing that,” and added that the idea “is something I just started talking about.”

Fanning indicated that he has worked with senior Federal military and civilian leadership to be able to better identify problematic internet traffic and malware in order to get a “more fulsome idea” of threats and attack surfaces.

He said he is “now working” with Gen. Paul Nakasone, head of U.S. Cyber Command, and James Mattis, Secretary of Defense, on ways to make threat data and analysis more actionable.

At the end of his somewhat opaque explanation of how he has worked with senior U.S. leaders, however, Fanning said he believes that “fireback capability” at cyber adversaries should be the province of DoD and Cyber Command. “That’s their responsibility, not ours,” he said.

He added, “There is a lot of interesting things that are developing, and I think will develop over time.”

Recent