The recent rash of cyberattacks on major U.S. companies has highlighted the scant options available to the victims, who often can do little more than hunker down, endure the bad publicity and harden their defenses in hopes of thwarting the next assault.
But behind the scenes, talk among company officials increasingly turns to an idea once considered so reckless that few would admit to even considering it: Going on the offensive. Or, in the parlance of cybersecurity consultants, "hacking back."
The mere mention of it within cybersecurity circles can prompt a lecture about the many risks, starting with the fact that most forms of hacking back are illegal and ending with warnings that retaliating could spark full-scale cyberwar, with collateral damage across the Internet.
Yet the idea of hacking back — some prefer the more genteel-sounding "active defense" — has gradually gained currency as frustration grows about the inability of the government to stem lawlessness in cyberspace, experts say. The list of possible countermeasures also has grown more refined, less about punishing attackers than keeping them from profiting from their crimes.
"Active defense is happening. It's not mainstream. It's very selective," said Tom Kellerman, chief cybersecurity officer for Trend Micro and a former member of President Obama's commission on cybersecurity. Then Kellerman added, as if by reflex, that he and his company would never do it: "For you to hack back, you actually put at risk innocents."
One vocal advocate of some limited forms of hacking back, former National Security Agency general counsel Stewart Baker, said even some government officials are warming to the idea. Officials, he said, are more likely to consider assisting frustrated companies than threaten prosecution when they talk about going on the offensive.
"The government is giving ground silently and bit by bit on this by being more open," said Baker, now a partner at Steptoe & Johnson. "I have a strong sense from everything I've heard . . . that they're much more willing to help companies that want to do this."
A popular metaphor in these discussions is the exploding dye pack that bank tellers sometimes slip into bags of cash during old-fashioned bank robberies. The cyberspace equivalent, called a "beacon," potentially could be attached to sensitive data, making it easier to both spot the stolen loot and determine who spirited it away across the Internet.
Other ideas include tricking hackers into stealing a fake set of sensitive data, then tracking its movements across cyberspace. Some experts also suggest taking advantage of the way hackers often operate, moving files in stages from a victim's network to a remote server before collecting them hours later; the lag potentially gives companies time to spot the stolen files and destroy them before hackers can complete the theft.
"I think you're looking at a possible future of private little cyber-wars because it's an ungoverned space," said Shane Harris, author of the forthcoming "@War: The Rise of the Military-Internet Complex" and a senior writer for Foreign Policy. "The military is only going to respond if they see that national security is at risk."
Hacking back is a staple of conversations at cybersecurity conferences worldwide and also in private consultations between companies and their security consultants. At the Black Hat USA security conference in 2012, 36 percent of respondents said they had engaged in "retaliatory hacking" on at least one occasion, according to cybersecurity company nCircle, which conducted the survey of 181 conference attendees.
Financial industry security experts have had discussions behind closed doors about the possibility of retaliatory cyberattacks but concluded that the legal risks were too great to pursue the idea, according to people familiar with the discussions who were not authorized to speak publicly.
"Most of the offensive talk is from the private sector, saying, 'I've had enough and I'm going to go do something about it,' " said Rep. Mike Rogers (R-Mich.), chairman of the House Intelligence Committee, at a cybersecurity summit at The Washington Post last week. Yet Rogers, like many other government officials, has publicly warned about the dangers of hacking back.
Entering another personâ€™s or companyâ€™s network without permission violates the Computer Fraud and Abuse Act, officials say, even if the intrusion happens in the course of attempting to identify hackers or destroy data they have stolen.
Michael Sussmann, a partner at Perkins Coie and a former federal cybercrime prosecutor, said, "It's not uncommon to be called in after an intrusion and come across the well-intentioned system administrator or investigator who, without realizing it, violated the law in trying to protect their systems."
Any resulting consequences — even unintended ones, such as accidentally damaging an innocent company's network — could cause significant legal liability. Plus, it's notoriously difficult to correctly identify who is behind a cyberattack.
"Attribution is very difficult to do," said White House cybersecurity coordinator Michael Daniel. "The bad guys don't tend to use things labeled 'bad guy server.' They tend to corrupt and use innocent third-party infrastructure. So we have always said you need to be really cautious about taking activities that are 'hacking back' or even what some people try to call 'active defense.' "
Officials within the financial industry, the most recent target of headline-grabbing attacks, echo Daniel's concerns. "Hacking is illegal. Attribution is difficult. And the liability for doing it wrong is such that no responsible enterprise, banking or otherwise, is going to engage in that," said Greg Garcia, executive director of Financial Services Sector Coordinating Council, an industry group.
Yet even detractors have little trouble seeing the appeal. Recent intrusions into JPMorgan Chase, Home Depot, Target and others caused massive headaches for the companies and their customers. The attack against JPMorgan and other financial firms caused particular alarm — up through the highest levels of the U.S. government — because of the companies' critical role in the economy.
That prompted aggressive action by the FBI and Secret Service, but U.S. law enforcement agencies often struggle to solve crimes emanating from foreign countries. U.S. officials could apply diplomatic pressure on countries that support cyberattacks or even fail to police them aggressively, but other priorities tend to prevail in foreign policy debates, said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
"There's an unwillingness to admit to the scope of the problem because we don't have the tools to deal with it," Lewis said. "Despite all the noise, cybersecurity is still a secondary concern."
That leaves many companies feeling left on their own.
Former federal officials said they knew of cases when companies have reached beyond their own computer networks to find the source of an intrusion or to delete stolen data. These officials said they have also noticed a quiet acceptance on the part of federal agents.
"There are companies that have certain measures in place for determining where the source of a hack is coming from and for [deleting] the data, and that could technically violate the law," said another former federal prosecutor, who spoke on the condition of anonymity. "And when the agents are called in and they understand what tools the company is using, they may not report them or shut them down for using those tools."