It is becoming increasingly evident from recent US Government commentary that US Cyber Command is considering "hunt-forward" missions, in which its teams visit a host country to look for cyber adversaries. But what does this really mean?
A dangerous precedent
To start with, such "hunt-forward" missions set a dangerous precedent. In particular, legitimate researchers and vendors can easily become victims of targeted CNE (Computer Network Exploitation) campaigns.
Furthermore, the "hunt-forward" methodology could make threat actors the targets of lawful surveillance and wiretapping, with US Cyber Command looking for cyber adversaries on local networks.
The ultimate goal would be to look for adversaries, and for cyber-attack incidents, within the host country's Internet-connected infrastructure that is being used to launch and orchestrate cyber attacks.
What should be considered?
Before inviting the US Government onto its networks, every host country should consider that it must comply with its existing technical-collection agreements and with the legal jurisdictions involved. It should also weigh the benefits of having a sophisticated network operator hunt for cyber adversaries using its own unique methodology; this could prove an invaluable source of information on the whereabouts of local cybercriminals and their adversaries.
However, local users and organizations should also bear in mind, before entering into such an agreement, whether it would violate existing Internet privacy laws. If it would, it would be essential to outsource the threat-hunting process to local experts and organizations under a government-signed contract.
Legal agreements should be revised
Current and future legal agreements on sharing sensitive information about cyber-attack adversaries, obtained through technical collection and virtual SIGINT, should include data- and information-sharing agreements between the US Government and US Cyber Command.
By allowing the US Government and US Cyber Command to look for cybercriminals on their local infrastructure, countries would be able to profile and detect threat actors on their networks. The ultimate goal would be to share the cyber-attack and cyber-incident information found with the host country's network operators and with the US Intelligence Community.