Cybersecurity

US Needs Bounty Hunters For Cyber: Ex-DoD Officials Say

Cyber bounty hunters waging “active defense” of critical infrastructure (CI) is only one among a number of explosive ideas in a new Atlantic Council study by two former DoD officials.

Because the US government does not have enough capacity to defend the nation’s networks — despite recent efforts to beef up the authorities and capabilities of the military’s Cyber Command — the study proposes the deputization of private sector “actors” (read: hackers) as “certified active defenders.” These would be “private-sector entities with high cyber capabilities who will work under government direction and control,” the study explains.

A loose analogy is privateers in the age of sail: “The Constitution provides for ‘letters of marque,’ and certified active defenders … would be a modern version,” the study says, except with a “focus on defense and resilience” and, unlike privateers, under government control.

The concept is only one among many contained in the new report by Frank Kramer, assistant secretary for international security affairs in the Clinton administration, and Bob Butler, deputy assistant secretary for space and cyber under Obama. The authors are advocating for a new framework for US cybersecurity based heavily on DoD’s 2018 Cyber Strategy — only expanded to include the Department of Homeland Security (DHS), the Treasury, the FBI, the Intelligence Community and the State Department. That includes bringing the “defend forward” and “attack support” concepts to the protection of civil CI in certain key sectors. This more aggressive US government-led approach is needed, they argue, because the main threat to CI today are adversary nation-states, not criminals — that the private sector cannot be expected to defense against on their own.