Senate Bill 315 has just passed following House Bill 1158 earlier this week.
DHS Cyber Hunt and Incident Response Teams Act of 2019
Already it has Senator Schumer of New York literally screaming that he is…
AIMED AT PROTECTING UPSTATE NEW YORK SCHOOLS FROM MALICIOUS RANSOMWARE.
The SB315 list of authorized tasks for a DHS hunt and response team is as follows:
“(A) assistance to asset owners and operators in restoring services following a cyber incident;
“(B) identification and analysis of cybersecurity risk and unauthorized cyber activity;
“(C) mitigation strategies to prevent, deter, and protect against cybersecurity risks;
“(D) recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks, and other recommendations, as appropriate; and
“(E) such other capabilities as the Secretary determines appropriate.
Call me pedantic but using the word hunt in the title (as in kill, typically in reference to the 2011 Lockheed Martin militaristic model for response) seems a bit over the top.
In the 1990s the USAF used to talk openly about their kill chain and the role of hunt. Here’s an example from 1994 Theater Missile Defense (TMD) appropriations transcripts (p 251):
The key functions of the TMD kill chain are to detect, track, target, engage, and assess…
Ten years later the U.S. government was working on what it called a hunter-killer program to fly into remote territory and destroy sources of threat.
The U.S. Air Force is probing the aerospace industry for its concepts for a new class of armed, long-endurance unmanned aircraft, called Hunter-Killer
By 2011 (remember that Lockheed Martin paper publication date?) the U.S. government was claiming hunter-killer programs using kill-chain were a huge success:
…special operations forces have honed their ability to conduct manhunts, adopting a new targeting system known as “find, fix, finish, exploit, analyze, and disseminate.” They have adopted a flatter organizational structure and collaborated more closely with intelligence agencies, allowing special operations to move at “the speed of war”…
The hunt model was lauded as a form of authorization, streamlining towards smaller secretive teams trusted with quick and lethal capabilities “over the fence” as Harvard lawyers infamously had envisioned decades ago.
And thus the information security industry naturally became susceptible to this military mindset, adopting hunt language not least of all because USAF veterans were landing jobs in civilian security firms and bringing a killer vocabulary along.
As ominous as the militant “kill” steps sound to unleash upon an upstate New York school, in computer software terms they remain basically incident response activities. Probably they could have fit easily under a public-private Computer Emergency Readiness Team (CERT) expansion without invoking “hunt” authorization.
It does seem possible “E” leaves the door open for much broader remit including active defense and hack back for hunt teams to go after attackers, though, at “the speed of” cyberwar.
Another Echo company (Army 160th) already has kind of established that reputation.
So maybe I’m underestimating what is going to be done by DHS here, and hunt will become an operative word for kill chains even inside schools where kids are meant to be learning and experimenting.