Experts Raise Doubts About MonsterMind

Examining Snowden's Claims About NSA Hack-Back System

Cybersecurity experts are raising doubts about whether the National Security Agency has successfully deployed an automated hack-back system known as MonsterMind, which former NSA contractor Edward Snowden described in an interview with Wired.

MonsterMind, according to the article, would automate the process of identifying a foreign cyberattack by constantly looking out for traffic patterns indicating known or suspected attacks. When it detects an attack, MonsterMind would automatically block it from entering the country. What differentiates MonsterMind from similar software is its ability to launch an automated counterattack without human intervention.

"We don't believe it's feasible to build this kind of program with current technology," says Allan Friedman, research scientist at the Cybersecurity Policy Research Institute at George Washington University's School of Engineering and Applied Science.

British cybersecurity expert Peter Sommer also raises doubts about the ability to create cyberweaponry that can perform the way MonsterMind is described. "One of the real problems about any attack tool is to make sure it is limited to what you actually want it to do," says Sommer, a fellow at the London think tank British Computer Society. "This is not like the movies where you do a couple of keystrokes and everything works out properly."

The NSA did not respond to a request to comment on MonsterMind.

Einstein 3 Accelerated

Friedman gives several reasons why he's skeptical about MonsterMind. He points out that the intrusion prevention system safeguarding the U.S. federal government's .gov domain - known as Einstein 3 Accelerated, or E3A - isn't fully implemented.

"The Einstein program has involved several growing pains, and as we move toward the future of Einstein 3, there have been a number of computer scientists who have speculated that it's simply impossible to do with current technology," Friedman says.

The Department of Homeland Security began to roll out E3A a year ago but, as of July, DHS is providing E3A services to only eight federal civilian agencies, protecting about one-quarter of federal users. DHS Deputy Undersecretary for Cybersecurity Phyllis Schneck told Congress in May that E3A's full operational capability is still two years off.

Friedman asks rhetorically: If the government can't fully implement E3A, which is limited to the federal government's civilian network, how could it deploy a full-scale, integrated intrusion detection system that covers every network in the nation?

Lack of Documentation

Another cause for skepticism is that Snowden didn't provide any documentation to support his claim about MonsterMind that could be vetted by outside experts, as he had in past disclosures. Also, Friedman points out, other Snowden revelations dealt with targeted and mass surveillance, not America's cyber-offense capabilities. "It was long speculated that Snowden didn't have direct access to things that are related to cyber offense or information operations because he didn't release any documents about them," Friedman says.

What makes MonsterMind seem unworkable is its inability to attribute an attack reliably, because intrusions are often routed through computers in innocent third countries, a point Snowden himself made to Wired. "These attacks can be spoofed," Snowden says. "You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?"

The inability to properly identify the attacker, and the risk of harming an innocent third party, are reasons some experts don't believe the NSA has implemented a system like MonsterMind. "Being a recipient of an attack, you may be able to backtrack a little bit, you may be able to use other forms of intelligence, and have a reasonably good idea or hypothesis of who is attacking you, but that will take time," Sommer says. "That rather militates against the automated system, which by definition isn't going to do any of those things, it seems to me."
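The attribution problem Snowden and Sommer describe can be shown concretely. The following is an added illustration, not code from the article or from any NSA system: a toy signature-style detector sees exactly the same evidence whether the apparent source is the real attacker or a relay used by someone else, so the only action it can safely automate is the inbound block. All addresses, flows and the port-fan-out signature are constructed assumptions.

```python
"""Added illustration: an inline detector can safely auto-block, but the
packets it sees cannot tell a real attacker from a relayed or spoofed one.
Every host, flow and threshold below is constructed for the example."""

from collections import defaultdict

SCAN_PORT_THRESHOLD = 30  # assumed signature: distinct ports touched by one source


def observed_flows(true_attacker, relay, victim):
    """What the victim's sensor records as (src, dst, dst_port).
    If a relay is used, every packet carries the relay's address;
    the real origin never appears on the wire."""
    apparent_src = relay if relay else true_attacker
    return [(apparent_src, victim, port) for port in range(1, 41)]  # 40-port fan-out


def detect_scans(flows, threshold=SCAN_PORT_THRESHOLD):
    """Signature-style detection: sources touching many distinct ports."""
    ports = defaultdict(set)
    for src, _dst, port in flows:
        ports[src].add(port)
    return {src for src, seen in ports.items() if len(seen) >= threshold}


def decide_response(suspects):
    """Dropping inbound traffic from the apparent source is safe to automate:
    the worst case is that a relay host gets filtered. Any action *against*
    that host needs attribution the packets cannot provide, so the automated
    response stops at the block and hands the rest to an analyst."""
    return {
        "block": sorted(f"drop inbound from {ip}" for ip in suspects),
        "counter_action": None,
        "note": "attribution unresolved from traffic alone; queued for analyst review",
    }


# Two constructed scenarios that are indistinguishable on the wire.
VICTIM = "198.51.100.2"
DIRECT = observed_flows(true_attacker="203.0.113.7", relay=None, victim=VICTIM)
RELAYED = observed_flows(true_attacker="192.0.2.9", relay="203.0.113.7", victim=VICTIM)


def scenarios_indistinguishable():
    """True: the detector names the same apparent source in both cases,
    even though in RELAYED that host is an innocent third party."""
    return detect_scans(DIRECT) == detect_scans(RELAYED) == {"203.0.113.7"}


if __name__ == "__main__":
    print(scenarios_indistinguishable())            # True
    print(decide_response(detect_scans(RELAYED)))   # block only, no counter-action
```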

Forensics Exams Need Time