The Department of Homeland Security is providing tools and resources to private companies to engage in “active defense” against cyber threats, its secretary said Tuesday, a practice that has drawn scrutiny from some legal and cybersecurity experts.
Homeland Security Secretary Kirstjen Nielsen told a Senate panel that “active defense” is part of the department’s engagement with the private sector.
“There is wide disagreement with respect to what it means,” Nielsen said during a Senate Judiciary Committee hearing. “What it means is, we want to provide the tools and resources to the private sector to protect their systems.”
“So, if we can anticipate or we are aware of a given threat — and as you know, we’ve gone to great lengths this year to work with the [intelligence] community to also include otherwise classified information with respect to malware, botnets, other types of infections — we want to give that to the private sector so that they can proactively defend themselves before they are in fact attacked,” Nielsen explained.
Active defense measures, which fall on the spectrum between passive defense and offensive actions, can involve companies going outside their networks to disrupt attacks, identify attackers or retrieve stolen data. Companies might also use beacon technology to determine the physical location of an attacker if files are stolen.
Nielsen did not go into detail about the active defense measures that the Homeland Security Department is supporting in the private sector.
A House bill introduced by Reps. Tom Graves (R-Ga.) and Kyrsten Sinema (D-Ariz.) that would allow companies to engage in a range of active defense measures has attracted bipartisan support and triggered debate about the advantages and pitfalls of letting companies retaliate against hackers.
Some critics say that active defense measures would amount to “hacking back” and come with a host of legal and security risks. Proponents, meanwhile, say they would better allow companies to monitor and stop attacks.
"The status quo is not acceptable anymore," Graves told The Hill in November.
Nielsen was responding to questions during the hearing from Sen. Orrin Hatch (R-Utah), who said that characterizations of active defense as “hacking back” are “inaccurate.”
Hatch asked the Homeland Security secretary whether current law imposes any unnecessary restrictions on private companies’ ability to deploy active defense tools. Nielsen signaled that the department is examining whether there are any legal barriers hindering efforts by companies to protect their data and consumers.
“It’s rather complicated,” Nielsen said. “There are some limitations with respect to liability, there are other questions with respect to insurance, and we do need to continue to work with the private sector to understand if there are any barriers that could prevent them from taking measures to protect themselves and the American people.”
As part of its broad mission, Homeland Security is responsible for engaging with the private sector and critical infrastructure owners on cybersecurity threats.