Not long before Tom Bossert was pushed out of his role last year as the White House's top cybersecurity official, a public remark he made at the World Economic Forum in Davos, Switzerland, raised eyebrows. Bossert wanted, he said, to introduce policies that would let the US government "get our hands around the necks" of the enemy hackers who cost the US billions of dollars every year. Reporters, and some fellow officials, took the comment a little too literally; after the talk, Bossert found himself explaining that he didn't mean actual, physical violence.
Today, however, Bossert is in business for himself, pitching an approach that's almost as aggressive, if somewhat more subtle: getting his hands around the network communications of enemy hackers, and using that choke point to inflict confusion, cost, and (figurative) pain.
After a year largely out of public view, Bossert today revealed his role as cofounder of a startup called Trinity, along with CEO Steve Ryan, a former deputy director of the NSA's Threat Operations Center, and Marie "Neill" Sciarrone, a former BAE Systems exec who served as a cybersecurity adviser to George W. Bush. Backed by $23 million in investment led by Intel Capital, Trinity offers what Bossert describes as a "third way" between traditional cyberdefense and private sectors "hacking back" to play offense.
Instead, Trinity will offer its customers a service that Bossert describes as "active threat interference." It will, essentially, place itself between a company's network and the hackers targeting it, monitoring all incoming and outgoing traffic for signs of foul play. When it finds malicious activity, Trinity promises not merely to alert the customer to the attempted intrusion or block it, but instead to alter it, messing with the hackers' tools—and their minds.
The result, Bossert says, will give hackers a taste of the frustrations and uncertainties that have long plagued defenders. "If we don’t change the equation to something that actually stops and prevents and imposes cost on the adversary, we’re not going to get in front of the problem," says Bossert. "It’s flat-out, I’m-pissed-off time to do it."
Hacking Hacks, Not Hacking Back
Trinity's tricks, the founders claim, include meddling with the authentication between a hacker's command-and-control server and his or her malware, so that the malicious code mysteriously breaks. They can swap the data a hacker steals on its way out of the network, so that it appears valid but can't be read or executed. They can intercept a command sent to a malware implant and replace it with one that tells the malware to uninstall itself, or swap a response back from the malware to the server with one that tricks the server into beaconing out its location and revealing itself. All of this is intended to foil hackers without ever giving them clear feedback about why they're failing, turning even a simple operation into a drain on time and resources.
"If you’ve got a remote control that doesn’t work, you tap it, then you replace the batteries, then you bang it, then you turn the TV off and on. But you never stop to believe there's an adversary outside the window interfering with the beam between the remote and TV," says Ryan, who left the NSA two years ago to start work on Trinity before recruiting Bossert six months ago. "If you understand the methods and what makes them successful, you can quite literally reach in and make it not only unsuccessful, but make it even advantage the security team."
That sort of deception and manipulation, the Trinity founders argue, is an opportunity to upend the economics of both criminal and state-sponsored hacking: Intruders can simply try one intrusion method after another until they find one that works, with little penalty for those that don't. But if every intrusion attempt ends in frustration, the offensive advantage in cybersecurity might be blunted, says Trinity president Sciarrone. "When you turn the problem around and focus on the adversaries instead of all the points in your network, the math works for you a little better," she says.
As aggressive as Trinity's tactics might sound, its founders take pains to argue it's not the sort of "active defense" long associated with the even more hawkish practice of hacking back, widely considered too reckless for private sector companies. If you counter-attack a hacker's infrastructure to send a message, or to delete a copy of your stolen data, you may well incur a more focused retaliatory attack—not to mention charges under the Computer Fraud and Abuse Act. Even as Congress has reintroduced a bill that would legalize hacking back, cybersecurity experts have warned that it would have disastrous consequences, including collateral damage and a cycle of escalation that costs companies at least as much as the hackers they battle.
Bossert frames Trinity's approach not as counter-attacking, but as running stealthy deception and sabotage operations against intruders on the victim's turf. "We don’t need to hack back," says Bossert. "We don’t need to hack the attacker. We need to hack their hack."
An Invisible Hand
Even so, Trinity's tactics are sure to invite criticism—starting with questions of whether it can live up to its founders' claims. Cleverly interfering with one hacker group's operation represents a very different technical challenge from performing that same interference automatically for thousands of attacks a day across a massive enterprise network. In many cases, hackers' command-and-control communications are end-to-end encrypted, which would likely stymie at least some of Trinity's tricks. And in others, hackers may shrug off their frustration or adapt, particularly if they're going after a high-value target. "My sense is that it’s harder to do than you think. The adversaries are always going to be learning. We can engage them and try to disrupt them, but they work around the damage," says Jay Healey, a senior research scholar at Columbia University's School for International and Public Affairs focused on cyberconflict.
Even worse, Healey warns, would be if the enemy hackers were to detect Trinity's active threat interference, which could lead to the same sort of escalation as hacking back would have. "If you disrupt back, as a company, can you disrupt back enough that you’re too hard a target and the attackers go somewhere else? Or do they decide this is a fight they want to engage in?" Healey asks. "You can get emotions going. It's a status challenge, it’s anger, and it might be seen as escalatory."
For that reason, Trinity's Ryan argues, the company will take pains to do its work invisibly. It will never reveal its customers or the exact details of its capabilities, he says. And its operations will be carefully designed to hide their interference from the hackers it targets. "We’re never going to send a message back that says, 'Fuck you, try again,'" says Ryan. "In the best case, you want to shape things enough where the real server is responding back with a real answer that the adversary interprets as 'Shit, it didn’t work.’”
Trinity's cofounders refused to describe some details of the company's technical setup, but they hint that it will avoid detection in part by keeping its hardware entirely off the customer's network, so that even an intruder who breaches a victim network won't be able to find evidence of Trinity's interference or worse, compromise Trinity's machines themselves. Instead, the company will proxy all of the customer's traffic through an external data center—a rare move among security services, and one that will require its customers to put significant trust in the company as it essentially inspects all of their communications.
Bossert admits that Trinity's services require a degree of interception that most companies would never accept from a government agency. "In the American set of values, the government should not do this," Bossert says. "This needed to be a commercial entity."
But Trinity also hints that the service it's selling has been used by the federal government for years in some form, though only to protect Department of Defense computers. Ryan's bio on the Trinity website credits him as having "invented Proactive Threat Interference®, the approach used to reduce the risk of cyber threats to the nation’s military networks." (Whatever form this took, of course, it doesn't seem to have prevented the Pentagon from suffering periodic significant data breaches.) Ryan declined to offer more details, but Bossert adds elliptically, "We’re going to make this better and commercially available for the first time."
A Middle Path
When Trump appointed Bossert as homeland security adviser in early 2017, former White House security officials from previous administrations described him as "level-headed" and "reasoned", an outlier in an administration populated with extremists, former lobbyists, and neophytes. And Trinity in some sense represents an extension of Bossert's approach in the White House: a focus on punishing adversaries rather than merely defending victims.
Bossert led efforts, for instance, to call out the North Korean government hackers responsible for unleashing the WannaCry ransomware worm in May of 2017 and the Russian military hackers who released the destructive NotPetya worm a month later. The White House imposed new sanctions on Russia in response to the NotPetya attack as well as intrusions into the US electrical grid, and the Department of Justice eventually charged one North Korean hacker with criminal hacking related to WannaCry.
"My premise coming in, which I maintained through my entire time there, was to be aggressive, active about attribution," Bossert says of his tenure in the executive branch. "It isn’t for the sake of knowledge alone. It’s for the sake of punitive action when you’ve determined a culprit."
When John Bolton took over as national security adviser in April 2018, another round in the Trump administration's ongoing game of musical chairs, Bossert resigned after a little over a year on the job. Despite his punitive focus on adversaries, he's since criticized national security adviser John Bolton's apparent appetite for more aggressive cyberoffense. With Trinity, Bossert says he sees an opportunity to continue what he describes as a middle path that threads between passive defense and bellicose retaliation. He also just might get rich in the process.
"I didn’t leave the White House mad, but I left before I was able to fulfill the mission I wanted to fulfill," Bossert says. "There’s no reason why, in this great country, I can’t go out and do it the old fashioned way: for profit."