US focus on naming foreign hackers gets criticized

Is Washington spending too much of its time trying to call out countries that carry out cyberattacks?

That’s what one top industry official argued Wednesday at a conference hosted by the Atlantic Council.

ADVERTISEMENT

Dmitri Alperovitch, chief technology officer of Crowdstrike, which is accredited by the National Security Agency (NSA) to respond to cyberattacks, said Congress should put more of its focus on punishing foreign entities that carry out attacks, even if the government can’t pinpoint exactly who ordered the attack.

“I get really tired of policymakers talking about the difficulties of attributions,” he said. “In terms of knowing where it came from and what they wanted, we’re actually very, very good at it.”

Congress is considering a slate of cyber bills to ease information sharing about cyber threats between industry, the Department of Homeland Security and the NSA.

Alperovitch argued while those bills could be useful, the government and private sector already know many attacks are backed by Russia, China and Iran.

Publicly calling them out has almost no effect, he said, because those governments don’t believe it is a real punishment.

“The only people that still care about attribution are the West. I believe that the Russians and Chinese no longer care about being attributed,” he said.

Even after the U.S. publicly outed the origins of cyberattacks in Russia and China, both countries plowed ahead, using the exact same infrastructure, Alperovitch said.

“The value of what they can steal is enormous. Is there really a downside to being attributed?”

Step up indictments, he said. Name state-owned enterprises, not just individuals.

Alperovitch allowed such an indictment would mark “a significant escalation,” creating “significant blowback” on U.S. industry.

The U.S. in May filed a first-of-its-kind indictment against five Chinese soldiers, not state-owned companies, alleging hacking and economic espionage.