[Evaluating CISA’s Federal Civilian Executive Branch Cybersecurity Programs] - https://www.youtube.com/watch?v=A6zLiYzrqw4
Gimenez: Sir, I, I, I was listening to your, your testimony and, and it struck me, were you saying basically that the United States cyber security efforts are mainly not exclusively defensive in nature?
Head: I would say that we're reactive defensive and that we're not taking actions to stop it before it happens, you know, and I think there's obviously there's difference between the offensive side and the defensive side. So the military guys have offensive capabilities that they hold in reserve. And that, that, that'll work independently. But my comment was more on the side of, don't just wait till something happens and, and develop a process to know about it and report it sooner, work on the technologies that stopped the attack in the first place.
Gimenez: But you also, I think you, you heard, you also said that the, the, cyber security threats that they can't operate with impunity, they know that nothing's ever gonna happen to them, which means they're, that they're not a afraid, afraid of any offensive capability that their target and they possess.
Head: That's correct.
Gimenez: Is that because is it illegal for the, for for us to, or a company to conduct offensive or retaliatory, operations against somebody who just attacked their network, et cetera or, or, or what, what is that?
Head: I think there's many levels to that. I've been asked several times about, should we take off the gloves and let people that are, that are hit, hit back. And I'm not a big fan of that approach because you could end up starting a nuclear war just by, you know, doing something crazy. So I, I don't think we wanna go vigilante, but I do think we need better clarity.
When I first started looking at this a decade ago, we had a guy that had a bunch of, of documents stolen and he put scripts in his documents so that when they got to wherever they were going to, they would call him and let him know where they ended up. They arrested him for operating shell scripts on a, on a computer without permission.
Gimenez: That's crazy. You know, so being able to trace that we could, we need to clarify.
Gimenez: Was that, was that illegal?
Head: Yes, he didn't have permission from the guy that attacked him to run scripts on the attacker's computer. And so he included executable files in what was stolen and he was arrested for that. So there's, there's a little bit of crack smoking that goes on in the, the legal world that we need to fix, right?
Gimenez: So somebody attacked him and he put something in there to make sure that he could find out who was, that attacked him. And then the person that attacked him said, hey, you couldn't do that to me even though I attacked you first. And therefore the guy that was attacked was the one. Ultimately.
Head: Yes. It sounds a lot for comedy in, in the cyber space. But I'm just saying, you know, you guys are really good about, a lot of us that have been in the defensive world forever. We, we, we, we try to figure out how to operate within the laws and make it better and it just, the reason I'm here is, is it suddenly dawned on me a year or so? Just change the law. Let's, let's get rid of the crazy.