DHS giving ‘active defense’ cyber tools to private sector, secretary says

DHS giving ‘active defense’ cyber tools to private sector, secretary says
© Greg Nash

The Department of Homeland Security is providing tools and resources to private companies to engage in “active defense” against cyber threats, its secretary said Tuesday, a practice that has drawn scrutiny from some legal and cybersecurity experts.

Homeland Security Secretary Kirstjen NielsenKirstjen Michele NielsenCybersecurity: Cause for optimism, need for continued vigilance The Hill's Morning Report — Dems split on key issues but united against Trump Hillicon Valley: Trump revokes Brennan's security clearance | Twitter cracks down on InfoWars | AT&T hit with crypto lawsuit | DHS hosts election security exercise MORE told a Senate panel that “active defense” is part of the department’s engagement with the private sector. 

“There is wide disagreement with respect to what it means,” Nielsen said during a Senate Judiciary Committee hearing. “What it means is, we want to provide the tools and resources to the private sector to protect their systems.” 

“So, if we can anticipate or we are aware of a given threat — and as you know, we’ve gone to great lengths this year to work with the [intelligence] community to also include otherwise classified information with respect to malware, botnets, other types of infections — we want to give that to the private sector so that they can proactively defend themselves before they are in fact attacked,” Nielsen explained. 

Active defense measures, which fall on the spectrum between passive defense and offensive actions, can involve companies going outside their networks to disrupt attacks, identify attackers or retrieve stolen data. Companies might also use beacon technology to determine the physical location of an attacker if files are stolen. 

Nielsen did not go into detail about the active defense measures that the Homeland Security Department is supporting in the private sector. 

A House bill introduced by Reps. Tom GravesJohn (Tom) Thomas GravesHouse completes first half of 2019 spending bills House committee approves spending bill that would boost IRS funding House panel advances financial services spending bill MORE (R-Ga.) and Kyrsten Sinema (D-Ariz.) that would allow companies to engage in a range of active defense measures has attracted bipartisan support and triggered debate about the advantages and pitfalls of letting companies retaliate against hackers. 

Some critics say that active defense measures would amount to “hacking back” and come with a host of legal and security risks. Proponents, meanwhile, say they would better allow companies to monitor and stop attacks.

"The status quo is not acceptable anymore," Graves told The Hill in November. 

Nielsen was responding to questions during the hearing from Sen. Orrin HatchOrrin Grant HatchSentencing reform deal heats up, pitting Trump against reliable allies Dem lawmaker calls Trump racist in response to 'dog' comment PETA calls out Trump for attacking Omarosa as a 'dog' MORE (R-Utah), who said that characterizations of active defense as “hacking back” are “inaccurate.”

Hatch asked the Homeland Security secretary whether current law imposes any unnecessary restrictions on private companies’ ability to deploy active defense tools. Nielsen signaled that the department is examining whether there are any legal barriers hindering efforts by companies to protect their data and consumers. 

“It’s rather complicated,” Nielsen said. “There are some limitations with respect to liability, there are other questions with respect to insurance, and we do need to continue to work with the private sector to understand if there are any barriers that could prevent them from taking measures to protect themselves and the American people.”

As part of its broad mission, Homeland Security is responsible for engaging with the private sector and critical infrastructure owners on cybersecurity threats.