
US companies considering 'hacking back' as cyber warfare intensifies

DefJam

Tiring of having little option but to tolerate cyber attacks, firms are increasingly looking at going on the offensive and 'hacking back'

PUBLISHED : Friday, 10 October, 2014, 8:42pm
UPDATED : Friday, 10 October, 2014, 8:42pm

The Washington Post

The recent rash of cyberattacks on leading US companies has highlighted the scant options available to the victims, who often can do little more than endure the bad publicity and harden their defences in hopes of thwarting the next assault.

But behind the scenes, talk among company officials increasingly turns to an idea once considered so reckless that few would admit to entertaining it: going on the offensive, or "hacking back".

The mere mention of it within cybersecurity circles can prompt a lecture about the many risks, starting with the fact that most forms of hacking back are illegal and ending with warnings that retaliating could spark full-scale cyberwar, with collateral damage across the internet.

Yet the idea of hacking back, some prefer the more genteel-sounding "active defence", has gained currency as frustration grows about the inability of government to stem lawlessness in cyberspace, experts say.

The list of possible countermeasures has also grown more refined, less about punishing attackers than about keeping them from profiting from their crimes.

"Active defence is happening. It's not mainstream. It's very selective," said Tom Kellermann, chief cybersecurity officer for Trend Micro and a former member of President Barack Obama's commission on cybersecurity.

He added that he and his company would never do it: "For you to hack back, you actually put at risk innocents."

One vocal advocate of some limited forms of hacking back, former National Security Agency lawyer Stewart Baker, said even some government officials were warming to the idea.

He said officials were more likely to consider assisting frustrated companies than threaten prosecution when they talked about going on the offensive.

"The government is giving ground silently and bit by bit on this by being more open," said Baker, now a partner at Steptoe & Johnson. "I have a strong sense from everything I've heard … that they're much more willing to help companies that want to do this."

A popular metaphor in these discussions has been the exploding dye pack that bank tellers sometimes slip into bags of cash during old-fashioned bank robberies.

The cyberspace equivalent, called a "beacon", potentially could be attached to sensitive data, making it easier to spot both the stolen loot and determine who spirited it away across the internet.

Other ideas include tricking hackers into stealing a fake set of sensitive data, then tracking its movements across cyberspace.

Some experts also suggest taking advantage of the way hackers often operate, moving files in stages from a victim's network to a remote server before collecting them hours later.

The time lag potentially gives companies time to spot the stolen files and destroy them before hackers can complete the theft.
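The decoy-data and "beacon" ideas above, shown from the defender's side as an added example (not code from the article or anyone quoted in it): records are planted with unique canary tokens, and outbound logs are scanned for those tokens so a copy of the decoy leaving the environment is spotted and can be tied back to the file it came from. The CSV record layout, the log format and the token prefix are assumptions.

```python
"""Decoy records with embedded canary tokens: plant them, then detect them in logs."""
import re
import secrets

# Assumed marker format; high entropy so it cannot appear in real data by chance.
TOKEN_RE = re.compile(r"CANARY-[0-9a-f]{16}")


def make_token() -> str:
    return "CANARY-" + secrets.token_hex(8)


def plant_decoys(labels):
    """Build one decoy CSV-style record per label and a token -> label registry.

    The token sits in the account-id field so it travels with the data
    whenever the record is copied, zipped or pasted elsewhere.
    """
    registry, records = {}, []
    for label in labels:
        tok = make_token()
        registry[tok] = label
        records.append(f"{label},acct-{tok},ACTIVE")
    return records, registry


def scan_logs(lines, registry):
    """Return (label, line) for each log line carrying a *planted* token.

    Meant for outbound proxy / DLP / mail-gateway logs: a hit means the
    decoy left the network, and the label says which decoy it was.
    Tokens that look right but were never planted are ignored.
    """
    hits = []
    for line in lines:
        for tok in TOKEN_RE.findall(line):
            if tok in registry:
                hits.append((registry[tok], line))
    return hits


def demo():
    """Plant two decoys, then scan constructed sample log lines for them."""
    records, registry = plant_decoys(["decoy-hr-roster", "decoy-vip-list"])
    leaked = records[1].split("acct-")[1].split(",")[0]  # token of the second decoy
    # Constructed logs: only the second line carries a planted token;
    # the third carries a well-formed but unplanted token (no alert).
    logs = [
        "2014-10-10T20:42:01Z proxy GET https://cdn.example/lib.js 200",
        f"2014-10-10T20:43:17Z proxy POST https://drop.example/up body=acct-{leaked}",
        "2014-10-10T20:44:02Z proxy GET https://cdn.example/CANARY-deadbeefdeadbeef 404",
    ]
    return scan_logs(logs, registry)
```

Running `demo()` yields exactly one hit, attributed to the "decoy-vip-list" record.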

Hacking back is a staple of conversations at cybersecurity conferences.

At the Black Hat USA security conference in 2012, 36 per cent of respondents said they had engaged in "retaliatory hacking" on at least one occasion, according to cybersecurity company nCircle, which conducted the survey of 181 conference attendees.

Financial industry security experts have had private discussions about the possibility of retaliatory cyberattacks but concluded the legal risks were too great to pursue the idea, according to technology sources who were not authorised to speak publicly.

"Most of the offensive talk is from the private sector, saying, 'I've had enough and I'm going to go do something about it'," said Republican congressman Mike Rogers, chairman of the House intelligence committee, at a cybersecurity summit at The Washington Post last week.

Yet Rogers, like many other government officials, has publicly warned about the dangers of hacking back.

Entering another person or company's network without permission violates the Computer Fraud and Abuse Act, officials say, even if the intrusion happens in the course of attempting to identify hackers or destroy data they have stolen.

Any resulting consequences, even unintended ones, such as accidentally damaging an innocent company's network, could cause significant legal liability. Plus, it's notoriously difficult to correctly identify who is behind a cyberattack.

"Attribution is very difficult to do," said White House cybersecurity coordinator Michael Daniel. "The bad guys don't tend to use things labelled 'bad guy server'. They tend to corrupt and use innocent third-party infrastructure. So we have always said you need to be really cautious about taking activities that are 'hacking back' or even what some people try to call 'active defence'."
