DHS giving ‘active defense’ cyber tools to private sector, secretary says

The Department of Homeland Security is providing tools and resources to private companies to engage in “active defense” against cyber threats, its secretary said Tuesday, a practice that has drawn scrutiny from some legal and cybersecurity experts.

Homeland Security Secretary Kirstjen Nielsen told a Senate panel that “active defense” is part of the department’s engagement with the private sector.

“There is wide disagreement with respect to what it means,” Nielsen said during a Senate Judiciary Committee hearing. “What it means is, we want to provide the tools and resources to the private sector to protect their systems.” 

“So, if we can anticipate or we are aware of a given threat — and as you know, we’ve gone to great lengths this year to work with the [intelligence] community to also include otherwise classified information with respect to malware, botnets, other types of infections — we want to give that to the private sector so that they can proactively defend themselves before they are in fact attacked,” Nielsen explained. 

Active defense measures, which fall on the spectrum between passive defense and offensive actions, can involve companies going outside their networks to disrupt attacks, identify attackers or retrieve stolen data. Companies might also use beacon technology to determine the physical location of an attacker if files are stolen. 

Nielsen did not go into detail about the active defense measures that the Homeland Security Department is supporting in the private sector. 

A House bill introduced by Reps. Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) that would allow companies to engage in a range of active defense measures has attracted bipartisan support and triggered debate about the advantages and pitfalls of letting companies retaliate against hackers.

Some critics say that active defense measures would amount to “hacking back” and come with a host of legal and security risks. Proponents, meanwhile, say they would better allow companies to monitor and stop attacks.

"The status quo is not acceptable anymore," Graves told The Hill in November. 

Nielsen was responding to questions during the hearing from Sen. Orrin Hatch (R-Utah), who said that characterizations of active defense as “hacking back” are “inaccurate.”

Hatch asked the Homeland Security secretary whether current law imposes any unnecessary restrictions on private companies’ ability to deploy active defense tools. Nielsen signaled that the department is examining whether there are any legal barriers hindering efforts by companies to protect their data and consumers. 

“It’s rather complicated,” Nielsen said. “There are some limitations with respect to liability, there are other questions with respect to insurance, and we do need to continue to work with the private sector to understand if there are any barriers that could prevent them from taking measures to protect themselves and the American people.”

As part of its broad mission, Homeland Security is responsible for engaging with the private sector and critical infrastructure owners on cybersecurity threats.