Experts Raise Doubts About MonsterMind

Examining Snowden's Claims About NSA Hack-Back System
Experts Raise Doubts About MonsterMind

Cybersecurity experts raise doubts whether the National Security Agency has successfully deployed an automated hack-back system known as MonsterMind, as revealed by former NSA contractor Edward Snowden in an interview with Wired.

See Also: 2016 Annual Worldwide Infrastructure Security Update

MonsterMind, according to the article, would automate the process of identifying a foreign cyberattack by constantly looking out for traffic patterns indicating known or suspected attacks. When it detects an attack, MonsterMind would automatically block it from entering the country. What differentiates MonsterMind from similar software is its ability to launch an automated counterattack without human intervention.

"We don't believe it's feasible to build this kind of program with current technology," says Allan Friedman, research scientist at the Cybersecurity Policy Research Institute at George Washington University's School of Engineering and Applied Science.

British cybersecurity expert Peter Sommer also raises doubts about the ability for someone to create cyberweaponary that can perform the way MonsterMind is described. "One of the real problems about any attack tool is to make sure it is limited to what you actually want it to do," says Sommer, a fellow at the London think tank British Computer Society. "This is not like the movies where you do a couple of key strokes and everything works outs properly."

The NSA did not respond to a request to comment on MonsterMind.

Einstein 3 Accelerated

Friedman gives several reasons why he's skeptical about MonsterMind. He points out that the intrusion prevention system safeguarding the U.S. federal government's .gov domain - known as Einstein 3 Accelerated, or E3A - isn't fully implemented.

"The Einstein program has involved several growing pains, and as we move toward the future of Einstein 3, there have been a number of computer scientists who have speculated that it's simply impossible to do with current technology," Friedman says.

The Department of Homeland Security began to roll out E3A a year go but, as of July, DHS is providing E3A services to only eight federal civilian agencies, protecting about one-quarter of federal users. DHS Deputy Undersecretary for Cybersecurity Phyllis Schneck told Congress in May that E3A's full operational capability is still two years off.

Friedman asks rhetorically: If the government can't fully implement E3A, which is limited to the federal government's civilian network, how could it deploy a full-scaled, integrated intrusion detection system that covers every network in the nation?

Lack of Documentation

Another cause for skepticism is that Snowden didn't provide any documentation to support his claim about MonsterMind that could be vetted by outside experts, unlike he did in past disclosures. Also, Friedman points out, other Snowden revelations dealt with targeted and mass surveillance and not America's cyber-offense capabilities. "It was long speculated that Snowden didn't have direct access to things that are related to cyber offense or information operations because he didn't release any documents about them," Friedman says.

What makes MonsterMind seem unworkable is its inability to attribute the attacker because intrusions often are routed through computers in innocent third countries, a point made by Snowden to Wired. "These attacks can be spoofed," Snowden says. "You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?"

The inability to properly identify the attacker and cause harm to an innocent third party are reasons some experts don't believe the NSA has implemented a system like MonsterMind. "Being a recipient of an attack, you may be able to backtrack a little bit, you may be able to use other forms of intelligence, and have a reasonably good idea or hypothesis of who is attacking you, but that will take time," Sommer says. "That rather militates against the automated system, which by definition isn't going to do any of those things, it seems to me."

Forensics Exams Need Time

Friedman says the NSA or others could infiltrate attacking systems remotely to conduct forensic examinations that might help identify the original culprit, but that would take time and could not be done immediately as presented in the vision of MonsterMind. Findings from such investigations could help build better defenses, he says, but could not instigate an immediate retaliatory attack.

That a retaliatory launch would be automated raises further qualms about whether MonsterMind is operational. Even a nuclear attack against the United States requires human intervention, Friedman says.

Information technology lawyer David Navetta says the decision-making ability of computers, though vastly improved, remains narrow when compared with people who can decide whether an attack should be made. Computer programs can't analyze the geopolitical and diplomatic impact of launching an attack against an innocent third country that could be construed as an act of war, he says. "The decision-making process you put into a computer doesn't take into account the bigger picture, in context of what's happening," Navetta says.

Even if MonsterMind can work as described, it might not be legal. A private company hacking back - attacking the systems of an alleged hacker - violates several laws but the situation is less clear if the government does that, Navetta says.

Fuzzy International Law

"Here, we're talking about a bigger stage; international law and the law of war is a lot more fuzzy because there is no step of international established statutes," says Navetta, a founding partner of the Information Law Group. "The legality of it hasn't been fully thought of and vetted, so it's another issue you have to think about when you go into this."

Because such matters are often classified and kept secret, it's unknown whether the NSA has been given blanket authority to conduct an operation such as MonsterMind, which could launch an attack against a foreign nation. "If you're even going to commit a covert act of war, you need some sort of authority for doing it," Sommer says. "Is it the case the NSA has a blanket authority from your president to go ahead and do this sort of thing? Despite all the wild speculation about what the Snowden revelations mean, I somehow doubt that."


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network