Return to sender: military will send malware right back to you

Planning to weaponize malware against the US? The US military will grab it, reprogram it and send it right back to you, warned lieutenant-general Vincent Stewart of the US Defense Intelligence Agency last week.

Once we’ve isolated malware, I want to reengineer it and prep to use it against the same adversary who sought to use against us. We must disrupt to exist.

Stewart was speaking at the Department of Defense Intelligence Information System Worldwide Conference, which includes commanders from American, Canadian and British military intelligence.

Attendees included the FBI, the CIA, the National Security Agency, the National Geospatial-Intelligence Agency and the Office of the Director of National Intelligence, along with organizations such as Microsoft, Xerox, the NFL, FireEye, and DataRobot.

The meeting focused on the growing and international nature of cyberattacks. Commander William Marks of the US Navy explained why discussing cybersecurity is important for them:

Threats are no longer constrained by international borders, economics or military might; they have no borders, age limits or language barriers, or identity. The threat could be a large nation-state or a 12-year-old hacking our network from a small, isolated country.

Janice Glover-Jones, chief information officer of the DIA, added:

In the past, we have looked inward, focusing on improving our internal processes, business practices and integration. Today we are looking outward, directly at the threat. The adversary is moving at a faster pace than ever before, and we must continue to stay one step ahead.

There are concerns about the DIA’s strategy of retooling malware and sending it back like a boomerang to attackers. Sophisticated attacks make it even more difficult to determine an origin and specific attacker – what if the malware the DIA sends attacks a teenage script kiddie? What if the DIA ends up attacking people who are unaware that their computers are part of a botnet? There’s also the concern of the DIA’s counter-attacks damaging innocent bystanders such as ISPs and web hosts.

Is this a good tactic? What do you think?