♪ This program is brought to you by the members of WCNY.

Thank you.

♪ ♪ KATKO: Welcome, America to "Balancing Act," the show that aims to tame the political circus of two party politics.

I'm John Katko.

This week, the cybersecurity threat to our country and to ourselves.

In the center ring, we'll speak with Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University.

On the trapeze, cybersecurity expert Herbert Lin and Orin Kerr debate whether the private sector ought to be able to hack back on bad actors.

Plus, I'll give you my take.

But first, let's walk the tightrope.

♪ Cybersecurity is the art and science of protecting our systems, networks, and programs from digital attacks.

If you've been frustrated by having to create a 14-character password, or had to wait for a text code just to log into your bank account, that's cybersecurity in action.

And it's now the foundation of our national sovereignty.

It's the invisible shield protecting our power grid, our clean water, and the very integrity of our elections to name a few.

It's become central to the United States because we've digitized our entire way of life, turning every smartphone and server into a potential target in a global conflict.

During my time in Congress, it became clear that cybersecurity is the most pressing threat to America.

U.S.

intelligence agencies say China in particular, is a top cyber threat to the United States followed closely by Iran, Russia, and North Korea.

I passed legislation to ensure U.S.

agencies can identify threats to their operational technology behind critical infrastructures such as banks, utilities, and water systems.

And I supported federal cybersecurity grants to help states and localities strengthen defenses, because even a small town attack can have big consequences.

Now, a point of personal transparency.

Since retiring from Congress, I've remained deeply involved in this field as a senior advisor and board member within the private sector.

I represent clients in the cybersecurity industry, and that professional perspective informs the insights that I bring to this conversation today.

So, how did we get here?

The early internet was built for connection, not security.

One of the earliest wakeup calls came in 1988 with the Morris worm.

It was not intended to be destructive, but it spread so rapidly that it overwhelmed computers across the early internet.

The FBI estimates that within 24 hours, about 6,000 of the 60,000 connected computers at the time, about 10%, were hit.

The lesson stuck.

When everything is connected, a single weakness can multiply quickly.

Over time, cybersecurity became something that government had to organize, not just encourage.

That led to the creation of CISA, the Cybersecurity and Infrastructure Security Agency.

A clear example why CISA matters came on May 7, 2021, with the ransomware attack on the Colonial Pipeline that affected 17 states.

The impact was immediate and visible: long lines at gas stations, panic buying, and families worried they couldn't get to work, or get their kids to school.

Reuters reported 88% of gas stations in Washington, D.C., were out of gas on that day.

That's when cybersecurity became real for everyday Americans.

Gas is one thing, water and electricity are another.

Add in telecommunications, internet activity, hospitals, and emergency services, and the stakes become even higher.

It's a form of warfare, a foreign adversary could carry out without firing a single bullet, and without stepping one foot on American soil.

And in this conflict, all of us are on the front lines.

So just how big is the cyber threat today, and is America prepared to respond?

Let's ask our expert in the center ring.

♪ Joining me is Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University.

An organization where I serve as a senior fellow.

Welcome, Frank, and right off the bat, tell us a little bit about what the mission of the McCrary Institute is.

CILLUFFO: Well, thank you, John, and great to join you.

So your voice, dare I say, is really missed in D.C.

these days and not meant to butter you up, but it's true.

So in terms of the Institute itself, we're devoted and dedicated to powering the systems that keep our national security, economic security, way of life and our communities, up and running.

So it's all the hidden ins and outs, like our grid, like our water systems, like our banks, all of which are increasingly dependent upon information technology, some of it secure, others not so secure.

So all things said and done, we try to make sure we can advance that ball.

KATKO: Now, I would often say with respect to cybersecurity, it's not tactile.

You can't touch it, you can't feel it, you can't really see it, but it is a threat.

And I'm not sure Americans really understand the nature and quality of the threat, so could you spend a few minutes kind of setting the table in that regard?

CILLUFFO: Yeah, you bet.

So the threat comes in various shapes, sizes, and forms, not all hacks are the same, not all hackers are the same.

Intentions vary, capabilities vary.

The tools, tactics, techniques, and procedures they use vary.

But if you were to look at it through a full threat spectrum at the very top of the list are nation states.

Think China, think Russia, think Iran, think North Korea.

All of whom are using cyber to achieve their political and military objectives, sometimes their economic objectives.

Just underneath nation states, you've got criminal enterprises that 10 years ago, the capabilities you're seeing utilized by organized crime today were only in the hands of very few nations.

And then anyone else with an ax to grind has a cyber capability, just given our dependency upon technology.

So it comes in various shapes, sizes and forms and increasingly, and I think this is important to recognize, almost all modern conflict is going to have a cyber dimension to it.

The nature of warfare is changing and it's changing quickly, and I would argue we need to move from a reactive posture to a more proactive posture.

All things said and done, we often blame the victims.

We need to shift that equation where we can start imposing some cost and consequence on bad cyber behavior, which is happening every minute, every day.

So all things said and done, not all nations are equal, obviously, China and Russia are incredibly sophisticated, China being the existential threat.

But countries like North Korea and Iran, what they lack in capability, they unfortunately more than make up for with intent.

And they are very active and increasingly turning to cyber to achieve their objectives.

So lots to unpack there, but the bottom line is and I think you teed it up perfectly: Everyone has a role in securing our cyberspace and from nations to industry to average citizens and Americans.

KATKO: Yeah, I want to talk about that role for a second.

You mentioned the reactive and the proactive.

On the reactive side, what are we doing to combat the cyber threats and are we doing enough?

And then we can talk about the proactive in a moment.

CILLUFFO: Great.

So I mean, clearly, a number of agencies in the alphabet soup of DC have a role in defending cyberspace.

You mentioned the Cybersecurity and Infrastructure Security Agency, CISA.

They are, in essence, the belly button for our nation's defense.

You also have the Federal Bureau of Investigation, or FBI, that plays a very significant role in countering cybercrime, as well as foreign counterintelligence.

But all things said and done, industry is on the front lines of this war, and they have to be.

Not only do they need a seat at the table, they need a front row seat at the table.

I think we've been long on nouns and a little short on verbs, a lot of talk, a lot of recognition, a lot of admiring the problem.

What I'd like to see is a little more of them playing a proactive and significant role in defending our critical infrastructure.

Who owns and operates this critical infrastructure?

It's industry.

KATKO: Yeah, so, you know, stick with the reactive just for a few more minutes, or a few more seconds, rather.

The reactive side is hardening your systems, trying to prevent the attack from happening.

And are we doing all we can in that regard?

CILLUFFO: We're doing a lot.

I don't know how much is enough, but we're not doing enough.

All things said and done.

We have to invest, and we have to continue to invest in not only making sure that we can respond effectively, but that our systems themselves are secure.

There are a lot of concepts like secure by design or cyber informed engineering, where we need to bake security at the front end of our systems.

All too often it becomes sort of a Lego afterthought in terms of putting some of these systems together.

So there is a lot of activity.

I'm not sure we'll ever be in a place, though, where we can firewall or defend our way out of this problem.

KATKO: So I often say from my time as a prosecutor, and even when I was at Homeland Security that bad guys only understand strength.

And if we're stuck in reactive mode and just trying to guard our system from the inevitable attacks, there's not much deterrence to them to take a shot at trying to hack our system.

So on the proactive side, is there any rules of engagement?

Is there prohibitions we can't do right now, that should be changed, or what do you see?

CILLUFFO: Yeah, those are great questions, and I think you're starting to see the United States lean forward, which we do need to recalibrate our approaches here.

So if you look at recent operations and public discussion around that from General Dan Kane and Secretary of War, Pete Hegseth and others, in terms of Operation Midnight Hammer and in terms of Absolute Resolve, Midnight Hammer being in Iran, Absolute Resolve being in Venezuela, you are starting to see cyber integrated into our overall war fighting strategy and doctrine.

Other nations have been doing this for a long time.

I'm happy to see we're starting to lean forward.

Because, I mean, if you think about it, we can't just blame the victim.

A hack occurs, who do you blame?

You blame the company that didn't do enough.

Yes, they should do more, they must do more.

But at the same time, we need to impose some cost and consequence and induce change in behavior.

Otherwise, as the old Einstein quote goes, we'll continue to see the same over and over and over and there'll never be a different outcome.

So at the end of the day, there is someone behind the clickety clack of the keyboard, and you want to be able to get to the point where you can impose some of the cost and know that if they do certain things, it's unacceptable.

And we're starting to see some of that, but I think we need to update and modernize some of our war fighting strategy and then make sure that the rules of engagement are all in place to be able to actually bring the fight to the adversary.

KATKO: We have about 30 seconds left, quick question for you.

You talk about the role of the government, the military.

What about the private sector?

Is there rules of engagement?

Can the private sector hack back after they've been hacked to try and act as a deterrent?

CILLUFFO: That's a great question, and one that's hard to cover in 30 seconds, but I've been arguing we need to move beyond information sharing toward operational collaboration, where industry needs to not only have the information, but sometimes they're best positioned and situated to be able to respond.

I think they should do that in conjunction with government.

Last thing I want is the Wild, Wild West, because that could actually escalate activity, but at the same time, they are the ones who are ultimately on the front lines here, and they need the ammunition to get the job done.

KATKO: Frank Cilluffo of the McCrary Institute, thanks for joining us, my friend.

Now, if this all seems a little scary, you can be proactive by visiting StaySafeOnline.org.

They have four actions everyone should take to stay safe online and a workbook especially made for seniors.

Again, that's StaySafeOnline.org.

Now, should the private sector be able to hack back at bad actors?

Let's discuss that as we take to the trapeze.

With us is Herb Lin, senior research scholar at the Center for International Security and Cooperation at Stanford University, and Orin Kerr, professor from Stanford Law.

Welcome, gentlemen, and I want to get right to it.

We've been talking about the nature and quality of the cyber threat that pervades in the United States and throughout the world.

And whether we just remain in reactive posture or in a proactive posture, and if we go to a proactive posture more often as a deterrent, who should be doing it?

So Orin, I'm going to start with you.

Put on your legal hat here and tell us from a proactive posture, can the private sector if they're attacked, let's say a hospital, sit there and say, well, we're going to go get the bad guys ourselves and go back at them?

KERR: The private sector can't.

The government can, is the short version.

The law actually gives an exception for the government to engage in hacking, but private parties, non government actors, victims of hacking, the law says they can't.

For them to hack back is itself an act of hacking.

So that is illegal under the law for private parties.

KATKO: Herb, do you think that that legal provision is a deterrent or is it more of an incentive for the bad guys to act with impunity?

LIN: Well, I think it does.

I mean, right now, there's no penalty for the bad guys to attack you.

And the likelihood that law enforcement will actually catch up to somebody is low, so it's going to be very hard for them to impose legal consequences.

And so the desire for hackback is entirely understandable, that you want to be able to punish somebody who has come after you and right now, the likelihood that they'll pay a penalty is very low, so you can't hold them accountable.

KATKO: So, what are your thoughts?

KERR: I think practically speaking, that's right.

The hard question is, if you change the law to allow private individuals who've been victims of hacking to hack back, how do you cabin that?

Because it's very hard to know who is hacking you.

It's hard to know what's a fair response that will deter the hacking against you.

And what you don't want is for everybody on the internet to say, oh, wait a minute, I was hacked, let me hack back at whoever hacked me because a lot of times you have no idea who it was that was hacking you.

People will hide their tracks and then you end up hacking back against someone who did not hack you, who then hacks back against you and you hack back.

And then you end up with everybody hacking back, in a way that's indiscriminate.

It's like a shootout at the OK Corral where everybody's shooting at everybody else without knowing who was shooting at them.

KATKO: So for a second, Orin, would you agree that the threat of hacking back would be somewhat of a deterrent to the bad guys?

KERR: It might be a little bit of a deterrent.

The challenge is that if you know that someone can hack back, the bad guy could route an attack through someone they want to be hacked back against.

And so then you end up sort of sending hackbacks to a victim rather than to the actual wrongdoer.

So the situation we have now is bad.

It's just it's not obvious that if we allowed hackback, it'd actually be better or if it'd be worse.

KATKO: Herb, what's your thoughts on it?

LIN: Well, I think on this point, what I described was that this is the desire.

You want to be able to hack back to impose a penalty.

That's the rationale for doing it.

But Orin is absolutely right that there are all kinds of problems with that you have to solve before you should or you really be willing to consider this.

So this business about hitting the right party back in cyberspace.

I mean, that's a hard problem.

I mean, how do you know who the right party is?

That takes a lot of energy and time and resources to do.

It's a very hard problem to solve.

So, you know, I say, we should allow hack back if we can solve certain problems.

Well, those problems are really hard to solve.

You know, I don't know that we can solve them.

But that's where I come out on it.

KATKO: So when you say the problems, in other words, making sure you're going back against the same person and it doesn't become an arms race of sorts, right?

LIN: Well, that's one thing, but here's another thing.

Who has the skills for a hackback, right?

If you attack a small company, do they have the expertise to do it properly?

Can this company now purchase the service?

Now you're going to have guns for hire.

And how do you know that the service provider actually gets the right hacker, the one that's employed by a server provider, actually does the right thing?

And who is liable for hacking the wrong person?

Let's say you hack the wrong person.

I mean, what recourse do they have against you?

And so on and so forth.

There are all sorts of issues like that that you have to be able to resolve.

What are the standards for hacking back?

Or should you be able to hack back under all circumstances?

Only a limited number of circumstances?

Who sets those standards?

What are those standards going to be?

All kinds of hard problems in this.

KATKO: Yeah, you've asked some questions.

But put on your legal hat again here, Orin, tell me, is there a legal fix to this?

Number one, and number two, is it advisable to maybe have the private sector work in conjunction with the government on these hackbacks so they can have more certainty in who the bad actors are?

I mean, if you think about it, China's doing it with impunity and especially China, but you know, they're state actors, the same with Russia.

I mean, same with Iran.

Russia is more of a private sector actors.

I mean, what if they partner up with the American government and go back at some of these people more vigorously?

KERR: Yeah, so legally, this is untested, but I think the law actually currently does allow private victims to cooperate with the government and basically get a court order to allow the hacking.

So this would be a traditional search warrant in a very untraditional context.

But the victim could go to the government, say, we want to hack back, here's what we think is appropriate.

The government could go to a court and get approval for it.

I think current law actually allows that.

It's a little bit odd, it hasn't been done as far as we know.

But I think it would be legal.

The alternative is to seek an amendment in the law trying to answer the questions that Herb pointed out.

Here are the circumstances.

Here's who should be able to hack back, when, under what circumstances, under what liability, if they get it wrong.

You know, all those questions would have to be addressed in some sort of new legislation, but at least under current law, a victim could go to the government and get the government's permission through a search warrant to basically go to a court to say this particular step is appropriate and allowed.

KATKO: And you're not sure it's been done?

LIN: I think it has been done.

Microsoft has actually taken down various criminal computers that have been conducting bad business on the internet under court order.

I think that has been done.

KERR: Yeah, so there have been a couple cases.

Herb is right involving botnets, so that's the sort of the government basically wants to put code in computers to fix or solve the botnets.

And so that is, I think, the best example of this having happened already.

KATKO: Orin, should we continue to do that?

Should we encourage more of that going on?

Or you have the same concerns?

KERR: I think if the government is involved and there's court approval, that's the best way to do it, and it's probably, if I had to guess, I would say it's probably the current approach is the best one, allowing a court to issue an order allowing some sort of hackback or some sort of intrusion.

I think trying to allow the private party to do it without the government does raise all these really hard questions and probably ends up with opening the door to too much unregulated hackback that probably hurts us rather than helps us.

But it's a hard question really for Congress to handle.

KATKO: Herb and Orin Kerr from Stanford University.

Thank you all so much.

Now it's time for my take.

♪ ♪ It's been my entire adult life working alongside truly great Americans to protect the public from bad actors.

When I went to Congress, I naturally gravitated to the Homeland Security Committee and eventually had the honor of chairing it.

At first, our focus was the very real threat of ISIS inspired terrorism here at home, but it didn't take long for another danger to rise to the top.

Crippling cyber attacks carried out by bad actors, many linked to Iran, China, North Korea and Russia.

That threat is now so pervasive that virtually every major military in the world has developed serious cyber attack capabilities, as we've seen Russia implement in its war with Ukraine.

And the question of when and how to respond to major cyber attacks is increasingly at the forefront of U.S.

foreign policy.

One thing is clear, bad actors understand strength and a credible threat of strength.

We cannot let them hit us with impunity.

We need to respond faster and more effectively and empowering the private sector to fight back is an idea whose time has come.

And that's my take.

♪ ♪ Join us now is Bloomberg U.S.

economy reporter Jarrell Dillard.

Welcome, Jarrell.

Listen, you're in all these different numbers about the job market, about the economy.

There's conflicting data.

Where are we at and what's coming up on the horizon that we can look to to get some answers to this?

DILLARD: So we actually, this week got a surprising jobs report, 130,000 jobs above what economists expected.

And, you know, we saw that slowdown in job growth last year, and you know, it's important to see where we go from here, because economists weren't really expecting a large pickup in job growth this year.

They were expecting the labor market to stay fairly stagnant with hiring remaining slow, driven mostly by the health care industry.

So it'll be important looking forward in terms of what we see.

Now, in terms of the unemployment rate, we did see that tick down from 4.4% to 4.3%, which is a positive.

You know, economists were also expecting that to kind of hold steady.

So that was a positive in the report as well.

And in terms of layoffs in the labor market, we haven't seen employers pick up on layoffs and they've been historically low, and we continue to see that in these reports.

But it'll be important to watch that going forward if the hiring environment stays slow because any significant uptick in layoffs could be an uptick in unemployment.

KATKO: Seems to be a lot of conflicting data on U.S.

sentiment as well.

Can you enlighten us?

DILLARD: So consumer sentiment has risen within the last few readings since December, but it still remains near historic lows, and that is because concerns about the labor market and concerns about inflation and its impact on personal finances are continuing to weigh on consumers, as we've seen for much of last year.

Now, interestingly, in the early February report, we did see that consumer sentiment ticked up, but it was driven mostly by higher earners, those who hold stocks.

And so they're benefiting from the strength of the stock market.

And we're seeing kind of this in the survey, we're seeing play to that kind of K shaped economy that economists have been talking about in terms of where lower earners are probably struggling more in terms of inflation and higher earners are benefiting and doing well.

And so consumer sentiment will be another one to continue to follow in the months ahead, and we will actually get the final reading for February next Friday.

KATKO: Jarrell Dillard, Bloomberg's U.S.

economy reporter.

Thank you so much.

That's all for this week, folks.

To send in your comments for the show, or to see Balancing Act extras and exclusives, follow us on social media or go to BalancingActWithJohnKatko.com.

Thank you for joining us.

Remember, in the circus that is politics, there's always a balancing act.

I'm John Katko.

We'll see you next week, America.

♪ ♪ ♪