Deputizing private sector cybersecurity firms to fight cyber crime

William “Bud” Roth
September 26, 2016


Image credit: Blue Coat Photos / Flickr

In the 1700s, the British Crown turned to bounty hunters to rid the colonies of pirates preying upon shipping in the Atlantic. In the 1800s, Abraham Lincoln, then a lawyer working for the railroads in Illinois, asked Allan Pinkerton to help guard the lines being built across his frontier state. These were extraordinary measures, but serious, ongoing threats to public safety and welfare demanded action, and the government could not commission new warships or hire new sheriffs fast enough to meet them. Unable to handle the problem in-house, it asked the private sector to step up.

We face a similar situation today. The Ponemon Institute, which conducts independent research on privacy, data protection, and information security policy, estimates there were about 150 successful hacks of U.S. businesses per week in 2015, with an average cleanup cost of $6.5m. How many of those were fully investigated by police? How many resulted in an arrest? Even if the FBI were to go on a hiring binge and double its number of cyber-savvy special agents, it would still fall far short of the need. History shows that the government can compensate for a shortfall in its own capacity by deputizing members of the private sector. Even today, a federal statute authorizes railroad companies to hire private police who carry badges and hold the authorities and powers of a state police officer. A similar model might work here.

The FBI already leads the National Cyber Investigative Joint Task Force, which brings together more than forty agencies focused on combating cyber attacks. A natural next step would be a deputy program in which cybersecurity firms and their personnel are vetted and, case by case, licensed to use non-intrusive investigative tools when investigating security incidents at client sites. Aggressive tactics, such as intercepting communications or hacking into a machine to collect evidence, would require the licensee to apply to the task force for approval. A U.S. Department of Justice lawyer representing the task force would then petition a judge for a court order authorizing the licensee to act. For each operation, the task force would examine the proposed action, its operational risk, the infrastructure to be used, and the likely results, weighing not only the legality of the request but also the blowback risk if it failed. Then, just as Justice does with FBI petitions, the task force leadership would reject proposals that were too risky or otherwise flawed.


We already see law enforcement turning to the private sector for help with its most complex cases. The FBI received help from a number of private firms in taking down the Gameover Zeus botnet, giving its special agents the reach and breadth of skills needed to pursue a criminal network whose assets were spread across the globe. This proposal accelerates that process while putting powerful tools in the hands of private sector firms, improving their ability to identify the culprits behind attacks on client networks. That added operational capability should create economic value for clients while letting the government extend its protection of America's networks. As with the railroad police, it also puts more cops on the beat and lets those in the private sector who would most enjoy the benefits of added security shoulder most of the costs.
