State and local governments are being bombarded with cyber attacks in 2024 at an alarming rate. Whether the motives are purely criminal, espionage, or hacktivism, we have seen numerous accounts of data being encrypted, water and power plants infiltrated, and disruption of other essential services. Every report I have seen from the Cybersecurity and Infrastructure Security Agency (CISA) or other federal entities goes through the same litany of defensive mechanisms and security postures. Lessons learned and future guidance include changing default passwords, more phishing training, multi-factor authentication, and updated software. While these are all critically important and will help reduce the number of successful attacks, the question that no one seems to want to really touch in detail is this: should another option be afforded to local and state agencies for defense and deterrence, in the form of wider latitude for counteroffensive permissions and targeted preemptive strikes?
Deep Dive into the Offensive Cyber Debate
This is a complicated question on multiple levels. Identifying who the attackers are and who they are associated with is often intelligence that is either fuzzy or not shared by those who may know. Hacktivism, in light of recent conflicts, has grown in popularity amongst arms of nation-states, as has espionage activity. If it is an act attributed to a nation-state that meets the traditional warfare rules and treaties, then logically the federal government, specifically the DoD, should dictate the response. If the attack targets local and state agencies, however, is there a mechanism in place in which offensive cyber experts from those jurisdictions can be deployed to participate with valid targets, similar to what the federal government has done on a limited basis in the past when it used the private tech industry for part of the operation?
Another scenario where the response to an attack is convoluted is when the hacker’s motives are purely organic and rooted in organized crime (if there is such a dividing line). What role can local law enforcement take in suppression and elimination of the threat? If the answer is zero, then how can that be changed with modifications in the law and some federal agency oversight?
Risks vs. Reward for Deterrence Decisions
While dissenters point out the possibility of dual-use networks being corrupted, disrupted, or irreparably damaged if offensive attacks are readily allowed, is the risk of that happening outweighed by the need for deterrence through counteroffensive and preemptive operations? Without federal government guidance, are there limited counteroffensive operations that could be performed solely by local and state agencies, through either their own talent or contracted agencies? How could the law be written to allow that, and could states write their own laws allowing it if the federal law changed to give them some latitude? Is there even enough offensive talent available to hire or contract with to execute such authority?
The above doesn’t even discuss private companies’ rights or legal authorities to engage in such actions, something that Israel and Australia have started to not only allow but encourage. That produces an entirely new set of legal and ethical issues that one could write a book on.
One of my favorite movies is the Cold War satire Dr. Strangelove, in which the former Nazi-turned-good guy said, “Deterrence is the art of producing in the mind of the enemy the fear of attack.” While he was talking about nuclear weapons, isn’t that quote applicable to other instruments of power as well?