Sens. Sheldon Whitehouse, D-R.I., and Steve Daines, R-Mont., have introduced a bill that would direct the Department of Homeland Security (DHS) to study the risks and benefits of allowing private organizations to respond in kind to cyberattacks.
Current law allows only the federal government to conduct offensive cyber operations; private entities without such authorization are limited to defensive operations.
“The Colonial Pipeline ransomware attack shows why we should explore a regulated process for companies to respond when they’re targets,” Whitehouse said in a release. “This bill will help us determine whether that process could deter and respond to future attacks, and what guidelines American businesses should follow.”
At a Senate hearing on the Colonial Pipeline attack, Charles Carmakal, Chief Technology Officer at FireEye Mandiant, testified that while he agreed private companies should not be responsible for offensive cyber operations, the nation needs to have some offensive program with clear guidelines on how that will work.
“We need to make it more difficult for the actor to conduct their operations,” Carmakal said at the hearing. “There’s been a number of successes [in the nation’s response to cyberattacks] but I think there’s a lot of opportunity for us to go to do more to go more offensive. But I think we need to define what the rules of engagement are and what’s accepted, and what’s acceptable.”
The “Study on Cyber Response Options Act” would give DHS 180 days from enactment to conduct the study and submit a report to Congress complete with recommendations and an assessment of any impact on national security and foreign affairs.
“The United States is home to some of the best and brightest technological minds in the world – we should be doing all we can to support them, not hold them back,” Sen. Daines said. “The federal government should do more to empower the private sector to directly counter cyber threats from across the globe rather than tie their hands.”