If there is significant malicious activity occurring on private networks, does the government have an obligation to intervene?

CIO, Senior VP in Finance (non-banking), 4 years ago

Not intervene, but they should help to support private industry in their efforts. Partnering with Law Enforcement is key.

Director of Information Security in Manufacturing, 4 years ago

I believe yes, but it is definitely a 'slippery slope'.
We have a shared responsibility to keep critical infrastructure safe and if an individual party does not step up to that responsibility then the government should be able to step in. Having said that, there has to be a really dire need.
I would compare it to being in my house, and what I do there is not the business of the government, but if there are really strong indicators that something bad is happening then intervention may be warranted.

Managing Partner & CISO in Software, 4 years ago

It would have been within the purview of the government and the telecommunications companies to say, “We see these systems doing something bad so we're going to drop them from the internet and not allow them to connect until they're clean.” To literally hack a private entity's system and take files from it that support an investigation is very different. 

The government didn't try to take action this way during NotPetya. This action wasn't about compromised Exchange servers being used as launch off points. The FBI operation targeted vulnerable Exchange servers and hacked them to make changes. These were risks resident to the entity that was then revictimized by the US government.

1 Reply
no title, 4 years ago

I wonder if there was some potential sealed component to the subpoena which disclosed that the vulnerabilities were actually causing harm. They may not have wanted to expose that for national security reasons.

Think back to the San Bernardino shooting several years ago and the iPhone issue with the FBI. I think Apple handled it the right way and the FBI fumbled that ball. It makes you wonder if there's a precedent-setting calculus for them to be able to either take action independently or compel a company to act.

Board Member, Advisor, Executive Coach in Software, 4 years ago

The government has a role in public safety. If somebody's doing something that could harm the public safety of others, beyond their own entity, then I think the government has some obligation to act. If I was doing something in my neighborhood that was not in the public interest the police would show up. If I didn't correct it they would force a correction to the situation. It's a leap, but I'm making the presumption that the FBI action was proportional to a real risk issue.

1 Reply
no title, 4 years ago

When it comes to public safety, the government has an obligation to act but through policy and law. If the FBI action was proportional to the risk involved, we would have heard about it through the National Cyber-Forensics and Training Alliance (NCFTA). As an industry, we have cybersecurity professionals with clearances on the operations floor. And there wasn't a peep from our industry.
